On Wed, 2016-08-03 at 13:24 -0500, Alston, David wrote:
> Greetings!
> 
>      Everyone seems to say that you can't have a domain trust across two 
> Kerberos realms (FreeIPA and Active Directory) if the hosts share the same 
> DNS domain.
> 
>      Hadoop seems to do this just fine, though.  I'm in the process of 
> helping someone set up a trust between the Kerberos realms HADOOP.COMPANY.COM
> and  COMPANY.COM and all of the servers use the company.com DNS domain. (see 
> http://www.cloudera.com/documentation/archive/cdh/4-x/4-5-0/CDH4-Security-Guide/cdh4sg_topic_15.html)
> 
>      This seems to be standard practice for setting up Hadoop clusters.  Why 
> wouldn't setting up a one-way trust so that FREEIPA.COMPANY.COM trusts 
> COMPANY.COM (with all involved servers having the "company.com" DNS domain) work?  
> As I understand it, the Kerberos realm FreeIPA uses can be specified during 
> the initial setup and it doesn't have to match the domain.
> 
> --David Alston

You can have a realm named COMPANY.COM (AD) and a realm named
FREEIPA.COMPANY.COM (IPA), as long as the AD servers never had computer
objects or subdomains in the DNS domain freeipa.company.com.

If that's the case you can create a one-way or two-way trust between the two
forests without issues.

Simo.
 
-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
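Added example (not from either message above, and not FreeIPA or MIT krb5 code): the client-side half of the realm/DNS-domain question is how a Kerberos client decides which realm a hostname belongs to. MIT krb5 walks the [domain_realm] section of krb5.conf, trying the exact hostname first and then each parent domain with a leading dot, longest match first. The snippet below implements that walk over a constructed krb5.conf fragment in which both realms share the company.com DNS domain. The hostnames (dc1, ipa1, hdfs1, db1) and the HADOOP.COMPANY.COM entries are assumptions for illustration; they show why a host like db1.company.com that is enrolled in the IPA realm but has no explicit entry resolves to COMPANY.COM, and why the Hadoop-style setup works only because every such host is listed by name.

```python
import re

# Constructed krb5.conf fragment (sample input for this example, not taken
# from the thread). Both realms sit under the company.com DNS domain, so the
# suffix rule ".company.com" alone cannot tell an IPA-enrolled host from an
# AD-joined one; explicit per-host entries steer such hosts to the right realm.
KRB5_CONF = """
[libdefaults]
  default_realm = FREEIPA.COMPANY.COM
  dns_lookup_realm = false

[domain_realm]
  .company.com = COMPANY.COM
  company.com = COMPANY.COM
  .freeipa.company.com = FREEIPA.COMPANY.COM
  freeipa.company.com = FREEIPA.COMPANY.COM
  # hypothetical Hadoop nodes living in the shared DNS domain, mapped by name
  hdfs1.company.com = HADOOP.COMPANY.COM
  nn1.company.com = HADOOP.COMPANY.COM
"""


def parse_domain_realm(conf):
    """Return the [domain_realm] section as {key: REALM}, keys lower-cased."""
    mapping = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            section = header.group(1)
            continue
        if section == 'domain_realm' and '=' in line:
            key, _, realm = line.partition('=')
            mapping[key.strip().lower()] = realm.strip()
    return mapping


def host_realm(hostname, mapping):
    """Resolve hostname to a realm the way MIT krb5 walks [domain_realm]:
    exact hostname first, then each parent domain with a leading dot,
    longest suffix first. Returns None when nothing matches (krb5 would then
    fall back to DNS lookup or default_realm)."""
    host = hostname.rstrip('.').lower()
    if host in mapping:                     # explicit per-host entry wins
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):         # ".b.c" before ".c"
        key = '.' + '.'.join(labels[i:])
        if key in mapping:
            return mapping[key]
    return None


def resolve_all(hostnames, conf=KRB5_CONF):
    """Map each hostname to its realm under the given krb5.conf text."""
    mapping = parse_domain_realm(conf)
    return {h: host_realm(h, mapping) for h in hostnames}


if __name__ == '__main__':
    hosts = ['dc1.company.com',            # AD domain controller: COMPANY.COM
             'ipa1.freeipa.company.com',   # IPA server: FREEIPA.COMPANY.COM
             'hdfs1.company.com',          # listed by name: HADOOP.COMPANY.COM
             'db1.company.com',            # IPA-enrolled but unlisted: COMPANY.COM (wrong KDC)
             'web.example.org']            # no mapping at all: None
    for host, realm in resolve_all(hosts).items():
        print(f'{host:28} -> {realm}')
```

The db1.company.com case is the practical cost of sharing one DNS domain across two realms: every client that needs a ticket for such a host must carry its explicit mapping (or the KDC must be able to answer a referral for it), which is manageable for a fixed Hadoop cluster but scales poorly for a general-purpose IPA domain.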
