On Tue, 13 Oct 2015, Petr Spacek wrote:
On 12.10.2015 22:20, Alexander Bokovoy wrote:
On Mon, 12 Oct 2015, Andy Thompson wrote:


-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
boun...@redhat.com] On Behalf Of Hoffmaster, John
Sent: Monday, October 12, 2015 3:46 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question

Hi,

The company I work for uses an AD 2008R2 DC to resolve requests for
Unix/Linux servers in various environments, under one domain,
example.com, with the realm EXAMPLE.COM.

Is it possible to use FreeIPA 4.1.0 with an AD trust, with only itself as a
name server and forwarding all DNS requests to the Windows DCs, and still
keep everything in the example.com domain without creating a child domain
like ipa.example.com?

http://www.freeipa.org/page/Active_Directory_trust_setup

Add for RedHat 7, use hostnamectl set-hostname ipa.example.com

and
change the IPA server install command to

ipa-server-install -a mypassword1 -p mypassword2 --domain=example.com --realm=example.com --setup-dns --forwarder=AD_ipaddress

Thanks,


No. The IPA domain has to be different from the AD domain.
This is true for any two separate Active Directory forests, and as IPA
represents itself as a separate AD forest for the trust relationship, it
is forced to follow Active Directory requirements.

In other words, IPA itself needs one separate domain for SRV records and other
stuff.

Client machines may have hostnames in different domains as long as there is
a 1:1 mapping between domain->REALM (AD/IPA).
Yep. Let's say it explicitly:
- IPA machines cannot belong to any domain of AD forest -- in terms of
  DNS this means they cannot have A/AAAA records in any AD domain's DNS
  zone;
- IPA machines may have CNAMEs in an AD domain's DNS zone that point to
  A/AAAA records in IPA DNS zones.

If you follow these two rules, you'll have single sign-on working
between IPA and AD through the cross-forest trust.
--
/ Alexander Bokovoy
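The two rules above can be checked mechanically before cutting over. The script below is an added example, not from this thread or from the FreeIPA project; it assumes example.com is the AD forest's zone and ipa.example.com is the IPA-served zone (both names taken from the question), and the record set at the bottom is constructed.

```python
# Added example (not from the thread): checks a proposed DNS layout against the two
# rules above. Zone names and the sample records are constructed for illustration.
from collections import namedtuple

Record = namedtuple("Record", "name rtype rdata")  # rdata: IP address or CNAME target
AD_ZONES = ("example.com",)        # DNS zones owned by the AD forest
IPA_ZONES = ("ipa.example.com",)   # DNS zones served by IPA

def zone_of(name, zones):
    """Most specific zone in `zones` containing `name`, or None."""
    name = name.rstrip(".").lower()
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

def owned_by_ad(name):
    """AD-owned: inside an AD zone and not under an IPA zone (a delegated child)."""
    return zone_of(name, AD_ZONES) is not None and zone_of(name, IPA_ZONES) is None

def check_layout(records):
    """Return (violations, aliases): rule breaches and the AD-zone CNAMEs that are allowed."""
    # Rule 1 needs the IPA machines: their A/AAAA records live in IPA zones.
    ipa_hosts = [r for r in records if r.rtype in ("A", "AAAA") and zone_of(r.name, IPA_ZONES)]
    ipa_addrs = {r.rdata for r in ipa_hosts}
    ipa_names = {r.name.rstrip(".").lower() for r in ipa_hosts}
    violations, aliases = [], []
    for r in records:
        if not owned_by_ad(r.name):
            continue
        if r.rtype in ("A", "AAAA") and r.rdata in ipa_addrs:
            violations.append(f"{r.name}: {r.rtype} record for an IPA machine in an AD zone")
        elif r.rtype == "CNAME" and zone_of(r.rdata, IPA_ZONES):
            if r.rdata.rstrip(".").lower() in ipa_names:
                aliases.append(f"{r.name} -> {r.rdata}")  # rule 2: allowed
            else:
                violations.append(f"{r.name}: CNAME target {r.rdata} has no A/AAAA record in an IPA zone")
    return violations, aliases

# Constructed sample: one correct alias, one IPA host wrongly given an A record in the AD zone,
# one CNAME that points into the IPA zone but at a name with no address record.
SAMPLE = [
    Record("ipa01.ipa.example.com", "A", "192.0.2.10"),
    Record("web01.ipa.example.com", "A", "192.0.2.20"),
    Record("dc01.example.com", "A", "192.0.2.1"),                   # AD's own DC: fine
    Record("web01.example.com", "CNAME", "web01.ipa.example.com"),  # allowed alias
    Record("ipa01.example.com", "A", "192.0.2.10"),                 # breaks rule 1
    Record("db01.example.com", "CNAME", "db01.ipa.example.com"),    # dangling alias
]
```

Running `check_layout(SAMPLE)` reports the web01 alias as allowed and flags the ipa01 A record and the dangling db01 CNAME.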
