On Wed, 2016-08-03 at 13:52 -0500, Alston, David wrote:
> Greetings!
>      That sounds like great news!   Just to make sure I understand correctly..
> 1. Any server managed by FreeIPA must NEVER have had a computer object 
> associated with them in AD?  (even if it has now been deleted)
No, what a random server does or has done is irrelevant in this sense,
but see later, for caveats.

> 2. Active Directory must never know anything about a DNS domain 
> freeipa.company.com (I'm not sure why)
Correct because if that happened then AD considers the whole subdomain
as part of its realm and trust routing will not work.

> 3. My linux servers being managed by FreeIPA can still have the DNS domain 
> company.com (instead of servername.freeipa.company.com)
Although the strict answer is yes, if you put a linux server joined to
freeIPA in the AD DNS Domain then Single Sign On from Windows users will
not work, as AD will consider all request for tickets to those servers
as requests for itself and will never return referrals to the freeIPA
KDCs for those TGS requests, so clients will not be able to get tickets
for those servers. 

> 4. Single Signon to the Linux servers using AD credentials will still work

No, see above.

> 5. (BONUS) I could even let AD trust user accounts created in FreeIPA?

Not clear what you mean here. If you mean that IPA user accounts can
operate in the Windows domain, the answer is technicaly yes, although
because we do not expose (yet) a Global Catalog to the Windows AD
servers, it will be hard to set ACLs on the Windows side to actually
authorize freeIPA users to login to AD managed computers (it can
probably be done via CLI, but not through AD administrative UIs).
We plan to fix this in the near future by providing a GC service.


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to