On Tue, May 05, 2015 at 02:21:40PM -0700, nat...@nathanpeters.com wrote:
> I'm a little confused by that.
> 
> If I add the AD dc, will my client try to contact AD directly to get a
> ticket?
> 
> Doesn't it have to get the ticket through FreeIPA by proxy somehow?

No, authentication is always performed against an AD DC directly.

> 
> And to confirm what you meant by add the AD dc and realm, it would be like
> this?
> 
> SUB.ADDOMAIN.NET = {
>  kdc = dc1.addomain.net:88
> }
> 
> I don't need the master_kdc, admin_server, default_domain entries?

With a recent version of libkrb5 I don't think you need to set
master_kdc, libkrb5 should be able to follow referrals itself.
admin_server, if unset, defaults to KDC. default_domain doesn't need to
be set either.
