Hi,

In my case I have 2 domains:

AD DNS: corp.example.kw.com
Main DNS (from appliance): kw.example.com

All the Linux boxes are pointed to kw.example.com, so I put my IPA server hostname as ipa.kw.example.com and created A & PTR on kw.example.com.

Is that the correct way?

Regards,
Ben

On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <[email protected]> wrote:

> Ben,
>
> Yes, that is a requirement. Just creating the A & PTR records for your
> FreeIPA server is not enough. You will need to keep the DNS zones separate
> too, example:
> Windows AD Domain: mydomain.com
> FreeIPA Realm/Domain: subdomain.mydomain.com
>
> You cannot have a cross-forest trust between two domains with the same DNS
> zone name. So if you have a flat DNS namespace, then you will want to plan
> accordingly to move all the Linux boxes that will participate in the
> FreeIPA domain into the new DNS zone.
>
> -Mike
>
> -----Original Message-----
> From: "Ben .T.George"
> Sent: May 23, 2016 10:44 AM
> To: Michael ORourke
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] What id my AD domain user password not
> available
>
> Hi,
>
> Yeah, that GIF screen I shared with him, but that doesn't show how to take
> the shared key.
>
> In my case DNS is handled by 3rd party appliances and from their side they
> created an A record for my IPA server. Both forward and reverse are working.
>
> Is this forwarder a mandatory thing from the DNS side?
>
> Regards,
> Ben
>
> On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <[email protected]>
> wrote:
>
>> Actually one of his questions doesn't make sense, because last I checked,
>> normal domain users do not have permissions to create a forest trust.
>> I believe the default is a one-way trust, so maybe his concerns about the
>> bi-directional trust are really a non-issue.
>> If he refuses to type in the admin password in a Linux console session
>> (extreme paranoia?), then perhaps you could give him a link to the tutorial
>> on using a pre-shared key and have him set up the AD side and give you the
>> key. You don't have to be a Windows expert to do this, just ask your
>> domain admin to do the steps for you. Also, you will need to set up a
>> separate DNS zone and some forwarding rules. Otherwise you are going to
>> have problems.
>>
>> -Mike
>>
>>
>> -----Original Message-----
>> From: "Ben .T.George"
>> Sent: May 23, 2016 10:07 AM
>> To: Michael ORourke
>> Cc: freeipa-users
>> Subject: Re: [Freeipa-users] What id my AD domain user password not
>> available
>>
>> Hi,
>>
>> He is local only but he is asking so many questions.
>>
>> First of all he is refusing to give the domain admin user's password.
>>
>> The questions he is asking are:
>>
>> Is this trust relationship two-directional? If yes, why does IPA require
>> a two-directional trust?
>> Can we build this trust one-directional?
>> Can we achieve this with a normal domain user?
>>
>> And he is opposed to entering the password on the command line, and I was
>> going through the trust using a pre-shared key and it's too hard for me to
>> understand as I have no Windows experience.
>>
>> Regards,
>> Ben
>>
>> On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <[email protected]>
>> wrote:
>>
>>> A couple of ways to go about this. If he is local to you, you could
>>> explain that you need to establish a trust with his domain and you need his
>>> assistance for a few minutes while you type the command to join, then have
>>> him type in the password. You need to assure that the DNS forward/stub
>>> zones are set up and working too. If he is remote, you could use some
>>> screen share software and share out your desktop and walk him through the
>>> part where he has to type the admin password. There is also a way to
>>> create a trust using a pre-shared key. That may be more acceptable to
>>> him.
>>>
>>> -Mike
>>>
>>> -----Original Message-----
>>> From: "Ben .T.George"
>>> Sent: May 23, 2016 8:42 AM
>>> To: freeipa-users
>>> Subject: [Freeipa-users] What id my AD domain user password not
>>> available
>>>
>>> Hi list,
>>>
>>> My Windows domain admin is not giving the domain admin user password.
>>>
>>> In this case, how can I proceed with ipa trust-add?
>>>
>>> Regards,
>>> Ben
>>>
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
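A DNS preflight for the zone layout discussed in this thread, as an added example that is not part of any poster's message. The function names and script name are hypothetical, and treating kw.example.com as the IPA domain in Ben's setup is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): DNS checks to run before `ipa trust-add`.

# Lower-case a DNS name and drop a trailing dot so comparisons are exact.
normalize() {
    n=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "${n%.}"
}

# Succeeds when host $1 is inside DNS zone $2 (the zone itself or below it).
in_zone() {
    h=$(normalize "$1"); z=$(normalize "$2")
    case "$h" in
        "$z"|*."$z") return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "ok", or the reason the namespace layout cannot carry a trust.
# Args: AD domain, IPA domain, FQDN of the IPA server.
check_namespace() {
    ad_dom=$1; ipa_dom=$2; ipa_fqdn=$3
    if [ "$(normalize "$ad_dom")" = "$(normalize "$ipa_dom")" ]; then
        echo "conflict: AD and IPA use the same DNS zone name"
    elif ! in_zone "$ipa_fqdn" "$ipa_dom"; then
        echo "conflict: $ipa_fqdn is outside the IPA zone $ipa_dom"
    else
        echo "ok"
    fi
}

# Live lookup from this host: the SRV records of a domain must resolve here,
# which is what the forwarders or stub zones provide. Needs dig and network.
check_srv() {
    for rec in _ldap._tcp _kerberos._udp; do
        if [ -z "$(dig +short SRV "$rec.$1")" ]; then
            echo "missing SRV record: $rec.$1"
            return 1
        fi
    done
}

# Live checks run only with arguments:
#   ./trust-preflight.sh <ad-domain> <ipa-domain> <ipa-server-fqdn>
if [ $# -eq 3 ]; then
    check_namespace "$1" "$2" "$3"
    check_srv "$1" && check_srv "$2"
    # Once both pass, the pre-shared-key join mentioned in the thread is:
    #   ipa trust-add --type=ad "$1" --trust-secret
fi
```

Run it on the IPA server, then repeat the SRV lookups for the IPA domain from an AD domain controller, since each side has to resolve the other.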
