On Wed, 09 Dec 2015, Harald Dunkel wrote:
On 12/08/2015 03:08 PM, Petr Spacek wrote:

Does

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs

and

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings

answer your questions?


Not really. All these documents bring up strings like
"ipa.example.com". Sometimes that's a DNS domain, sometimes
it's a Kerberos realm (even though it's in lower case letters).
The assumption that DNS and realm name match is based upon a
recommendation, i.e. you cannot rely upon that. (Not to
mention that "example.com" and "ad.example.com" *are* unique.)
In Active Directory, the Kerberos realm is always a capitalized version of
the primary DNS domain occupied by that Active Directory domain.


My point is: Currently I have a hierarchy between the DNS top
level domain "example.com" and the windows DNS domain
"ws.example.com". I do not have a hierarchy between the IM
solutions for Unix and Windows (currently NIS and AD). Moving
from NIS/bind to FreeIPA I would prefer to keep this setup. If
this is not possible, then I can live with moving the IPA
servers to "ipa.example.com" (DNS), but I cannot change the
other DNS subnets. Changing existing host and domain names
is *highly* expensive.
You can keep your own arrangement if it doesn't conflict with your Active
Directory deployment's ownership of DNS zones.

You are saying ws.example.com is your AD DNS domain. Do you have
machines from example.com enrolled into AD? If there are machines from
DNS zone example.com in AD, you cannot have IPA deployed in DNS zone
example.com because AD will not allow trust between something that
claims to own DNS zone AD owns already.

It is as simple as that. When you create an AD deployment, it establishes
ownership over the DNS domain which is used to create the deployment.
Later, each enrolled computer's DNS domain is added to the list of owned
DNS domains. They all would belong to Active Directory, and having some
other Active Directory claim ownership over them would be seen as a
conflict.

--
/ Alexander Bokovoy
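The ownership rule Alexander describes (AD owns its primary DNS domain plus the DNS domain of every enrolled computer, and IPA must not be deployed in a zone AD already owns) can be turned into a pre-check run against an inventory export before the trust is attempted. The script below is an added example, not FreeIPA or Active Directory code; the enrolled-host list is constructed sample data, and only the exact-match conflict the message rules out is flagged.

```python
"""Pre-check for the DNS-ownership conflict described in the thread: does the
proposed IPA DNS domain collide with a domain Active Directory already owns?

Added example, not FreeIPA or AD code. SAMPLE_* values are constructed; in
practice the enrolled-host list would come from an AD computer inventory.
"""


def normalize(name: str) -> str:
    """Canonical DNS form: lower-case, surrounding whitespace and trailing dot removed."""
    return name.strip().lower().rstrip(".")


def parent_domain(fqdn: str) -> str:
    """DNS domain of a host FQDN: drop the leftmost (host) label."""
    labels = normalize(fqdn).split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def ad_owned_domains(primary_domain: str, enrolled_hosts) -> set:
    """Domains AD treats as its own: the primary domain used to create the
    deployment plus the DNS domain of each enrolled computer."""
    owned = {normalize(primary_domain)}
    for host in enrolled_hosts:
        dom = parent_domain(host)
        if dom:  # a bare hostname carries no domain information
            owned.add(dom)
    return owned


def ipa_domain_conflicts(ipa_domain: str, owned: set) -> list:
    """Owned domains that collide with the proposed IPA DNS domain (exact
    match after normalization), sorted for stable output."""
    ipa = normalize(ipa_domain)
    return sorted(d for d in owned if d == ipa)


# Constructed sample inventory: AD domain ws.example.com, with one workstation
# joined from the top-level zone and one from a site subdomain.
SAMPLE_AD_DOMAIN = "ws.example.com"
SAMPLE_ENROLLED = [
    "pc01.ws.example.com",
    "laptop7.example.com",        # machine enrolled from example.com
    "kiosk.site2.ws.example.com",
]

if __name__ == "__main__":
    owned = ad_owned_domains(SAMPLE_AD_DOMAIN, SAMPLE_ENROLLED)
    print("AD-owned DNS domains:", sorted(owned))
    for candidate in ("example.com", "ipa.example.com"):
        hits = ipa_domain_conflicts(candidate, owned)
        print(f"IPA in {candidate}: {'CONFLICT ' + str(hits) if hits else 'ok'}")
```

With the sample inventory, placing IPA in example.com is reported as a conflict because laptop7.example.com is enrolled in AD, while ipa.example.com is clear, which matches the outcome the thread arrives at.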
