On 3.8.2016 22:22, Alston, David wrote: > Greetings! > >>> 2. Active Directory must never know anything about a DNS domain >>> freeipa.company.com (I'm not sure why) >> Correct because if that happened then AD considers the whole subdomain as >> part of its realm and trust routing will not work. > > Doesn't that mean that we have to have the FreeIPA servers on their own DNS > domain again? So we can't have linux-server.company.com and > windows-server.company.com (managed by FreeIPA and AD respectively) because > there has to be a SOA for .company.com somewhere and that is already managed > by AD (in our environment).
The problem is not at DNS level but at Kerberos level. Anyway, this is in depth described on http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/ I hope it helps. Petr^2 Spacek > > --David Alston > > > -----Original Message----- > From: Simo Sorce [mailto:s...@redhat.com] > Sent: Wednesday, August 03, 2016 2:13 PM > To: Alston, David > Cc: email@example.com > Subject: Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain > > On Wed, 2016-08-03 at 13:52 -0500, Alston, David wrote: >> Greetings! >> >> That sounds like great news! Just to make sure I understand >> correctly.. >> >> 1. Any server managed by FreeIPA must NEVER have had a computer object >> associated with them in AD? (even if it has now been deleted) > No, what a random server does or has done is irrelevant in this sense, but > see later, for caveats. > >> 2. Active Directory must never know anything about a DNS domain >> freeipa.company.com (I'm not sure why) > Correct because if that happened then AD considers the whole subdomain as > part of its realm and trust routing will not work. > >> 3. My linux servers being managed by FreeIPA can still have the DNS >> domain company.com (instead of servername.freeipa.company.com) > Although the strict answer is yes, if you put a linux server joined to > freeIPA in the AD DNS Domain then Single Sign On from Windows users will not > work, as AD will consider all request for tickets to those servers as > requests for itself and will never return referrals to the freeIPA KDCs for > those TGS requests, so clients will not be able to get tickets for those > servers. > >> 4. Single Signon to the Linux servers using AD credentials will still >> work > > No, see above. > >> 5. (BONUS) I could even let AD trust user accounts created in FreeIPA? > > Not clear what you mean here. If you mean that IPA user accounts can operate > in the Windows domain, the answer is technicaly yes, although because we do > not expose (yet) a Global Catalog to the Windows AD servers, it will be hard > to set ACLs on the Windows side to actually authorize freeIPA users to login > to AD managed computers (it can probably be done via CLI, but not through AD > administrative UIs). > We plan to fix this in the near future by providing a GC service. > > > HTH, > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project