Greetings! That sounds like great news! Just to make sure I understand correctly..
1. Any server managed by FreeIPA must NEVER have had a computer object associated with them in AD? (even if it has now been deleted) 2. Active Directory must never know anything about a DNS domain freeipa.company.com (I'm not sure why) 3. My linux servers being managed by FreeIPA can still have the DNS domain company.com (instead of servername.freeipa.company.com) 4. Single Signon to the Linux servers using AD credentials will still work 5. (BONUS) I could even let AD trust user accounts created in FreeIPA? --David Alston -----Original Message----- From: Simo Sorce [mailto:s...@redhat.com] Sent: Wednesday, August 03, 2016 1:28 PM To: Alston, David Cc: firstname.lastname@example.org Subject: Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain On Wed, 2016-08-03 at 13:24 -0500, Alston, David wrote: > Greetings! > > Everyone seems to say that you can't have a domain trust across two > Kerberos realms (FreeIPA and Active Directory) if the hosts share the same > DNS domain. > > Hadoop seems to do this just fine, though. I'm in the process of > helping someone setup a trust between the Kerberos realms > HADOOP.COMPANY.COM and COMPANY.COM and all of the servers use the > company.com DNS domain. (see > http://www.cloudera.com/documentation/archive/cdh/4-x/4-5-0/CDH4-Secur > ity-Guide/cdh4sg_topic_15.html) > > This seems to be standard practice for setting up hadoop clusters. Why > wouldn't setting up a one-way trust so that FREEIPA.COMPANY.COM trusts > COMPANY.COM (with all involved servers having the "company.com" DNS domain)? > As I understand it, the Kerberos realm FreeIPA uses can be specified during > the initial setup and it doesn't have to match the domain. > > --David Alston > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project You can have a Realm named COMPANY.COM (AD) and a Realm named FREEIPA.COMPANY.COM (IPA), as long as the AD Servers never had computer objects or subdomains in the DNS domain freeipa.company.com in it. If that's the case you can create a 1 way or 2 way trust between the 2 forests without issues. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project