On Tue, 13 Oct 2015, Petr Spacek wrote:
On 12.10.2015 22:20, Alexander Bokovoy wrote:
On Mon, 12 Oct 2015, Andy Thompson wrote:
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
boun...@redhat.com] On Behalf Of Hoffmaster, John
Sent: Monday, October 12, 2015 3:46 PM
Subject: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question
The company I work for uses AD 2008R2 DC to resolve requests for
Unix/Linux servers in various environments, under one domain
example.com, with the Realm EXAMPLE.COM ?
Is it possible to use Freeipa 4.1.0, with an g AD-Trust with only itself as a
name server and forwarding all DNS requests to the windows DC's and still
keep everything in the example.com domain without creating a child domain
like ipa.example.com ?
Add for RedHat 7, use hostnamectl set-hostname ipa.example.com
change the install IPA server command to
ipa-server-install -a mypassword1 -p mypassword2 --domain=example.com -
-realm=example.com --setup-dns --forwarder=AD_ipaddress
No. The IPA domain has to be different than the AD domain.
This is true for any two separate Active Directory forests, and as IPA
represents itself as a separate AD forest for the trust relationship, it
is forced to follow Active Directory requirements.
In other words, IPA itself needs one separate domain for SRV records and other
Client machines may have hostnames in different domains as long as there is
1:1 mapping between domain->REALM (AD/IPA).
Yep. Let's say explicitly:
- IPA machines cannot belong to any domain of AD forest -- in terms of
DNS this means they cannot have A/AAAA records in any AD domain's DNS
- IPA machines may have CNAMEs in an AD domain's DNS zone that point to
A/AAAA records in IPA DNS zones.
If you follow these two rules, you'll have single sign-on working
between IPA and AD through the cross-forest trust.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project