On Tue, May 05, 2015 at 02:21:40PM -0700, nat...@nathanpeters.com wrote:
> I'm a little confused by that.
>
> If I add the AD dc, will my client try to contact AD directly to get a
> ticket?
>
> Doesn't it have to get the ticket through FreeIPA by proxy somehow?

No, authentication is always performed against an AD DC directly.

> And to confirm what you meant by add the AD dc and realm, it would be like
> this?
>
> SUB.ADDOMAIN.NET = {
>     kdc = dc1.addomain.net:88
> }
>
> I don't need the master_kdc, admin_server, default_domain entries?

With a recent version of libkrb5 I don't think you need to set master_kdc,
libkrb5 should be able to follow referrals itself. admin_server, if unset,
defaults to KDC. default_domain doesn't need to be set either.