On 3.8.2016 22:22, Alston, David wrote:
> Greetings!
> 
>>> 2. Active Directory must never know anything about a DNS domain 
>>> freeipa.company.com (I'm not sure why)
>> Correct because if that happened then AD considers the whole subdomain as 
>> part of its realm and trust routing will not work.
> 
> Doesn't that mean that we have to have the FreeIPA servers on their own DNS 
> domain again?  So we can't have linux-server.company.com and 
> windows-server.company.com (managed by FreeIPA and AD respectively) because 
> there has to be a SOA for .company.com somewhere and that is already managed 
> by AD (in our environment).

The problem is not at DNS level but at Kerberos level. Anyway, this is in
depth described on
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

I hope it helps.
Petr^2 Spacek

> 
> --David Alston
> 
> 
> -----Original Message-----
> From: Simo Sorce [mailto:s...@redhat.com] 
> Sent: Wednesday, August 03, 2016 2:13 PM
> To: Alston, David
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain
> 
> On Wed, 2016-08-03 at 13:52 -0500, Alston, David wrote:
>> Greetings!
>>
>>      That sounds like great news!   Just to make sure I understand 
>> correctly..
>>
>> 1. Any server managed by FreeIPA must NEVER have had a computer object 
>> associated with them in AD?  (even if it has now been deleted)
> No, what a random server does or has done is irrelevant in this sense, but 
> see later, for caveats.
> 
>> 2. Active Directory must never know anything about a DNS domain 
>> freeipa.company.com (I'm not sure why)
> Correct because if that happened then AD considers the whole subdomain as 
> part of its realm and trust routing will not work.
> 
>> 3. My linux servers being managed by FreeIPA can still have the DNS 
>> domain company.com (instead of servername.freeipa.company.com)
> Although the strict answer is yes, if you put a linux server joined to 
> freeIPA in the AD DNS Domain then Single Sign On from Windows users will not 
> work, as AD will consider all requests for tickets to those servers as 
> requests for itself and will never return referrals to the freeIPA KDCs for 
> those TGS requests, so clients will not be able to get tickets for those 
> servers. 
> 
>> 4. Single Signon to the Linux servers using AD credentials will still 
>> work
> 
> No, see above.
> 
>> 5. (BONUS) I could even let AD trust user accounts created in FreeIPA?
> 
> Not clear what you mean here. If you mean that IPA user accounts can operate 
> in the Windows domain, the answer is technically yes, although because we do 
> not expose (yet) a Global Catalog to the Windows AD servers, it will be hard 
> to set ACLs on the Windows side to actually authorize freeIPA users to login 
> to AD managed computers (it can probably be done via CLI, but not through AD 
> administrative UIs).
> We plan to fix this in the near future by providing a GC service.
> 
> 
> HTH,
> Simo.
> 
> --
> Simo Sorce * Red Hat, Inc * New York
> 
> 


-- 
Petr^2 Spacek
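A small model of the realm-routing rule Simo describes, added here as an example (it is not code from the thread or from the FreeIPA project). Realm names, host names and the AD-side mapping are assumed; the IPA subdomain entry stands for the trust's name-suffix routing, not for a DNS zone that AD hosts.

```python
# Added example: krb5-style host-to-realm mapping ([domain_realm] longest-suffix
# rule) and the AD KDC's resulting choice between a cross-realm referral and a
# local lookup. All names below are constructed for illustration.

AD_REALM = "COMPANY.COM"             # assumed AD realm
IPA_REALM = "FREEIPA.COMPANY.COM"    # assumed IPA realm

# What the AD KDC believes about DNS domains (constructed): its own domain,
# plus the IPA subdomain learned via trust name-suffix routing, not via DNS.
AD_DOMAIN_REALM = {
    ".company.com": AD_REALM,
    ".freeipa.company.com": IPA_REALM,
}

def realm_for_host(fqdn, domain_realm):
    """krb5-style lookup: exact host match first, then each parent domain
    with a leading dot; the longest matching suffix wins. None if no match."""
    fqdn = fqdn.rstrip(".").lower()
    if fqdn in domain_realm:
        return domain_realm[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return None

def ad_kdc_tgs_decision(fqdn, ipa_enrolled_hosts):
    """Simulate the AD KDC answering a Windows user's TGS-REQ for host/<fqdn>.
    ipa_enrolled_hosts: hosts whose keys live only in the IPA KDC."""
    target_realm = realm_for_host(fqdn, AD_DOMAIN_REALM)
    if target_realm is not None and target_realm != AD_REALM:
        # Name routes to another realm: AD hands out a cross-realm TGT.
        return f"referral to {target_realm}"
    if fqdn in ipa_enrolled_hosts:
        # AD treats its own DNS domain as its own realm, so it looks the
        # principal up locally; an IPA-enrolled host has no key in AD.
        return "KDC_ERR_S_PRINCIPAL_UNKNOWN"
    return "local ticket"

# Constructed: the same Linux host named inside and outside the AD DNS domain.
IPA_HOSTS = {"linux-server.company.com", "linux-server.freeipa.company.com"}
```

Only the host named under the IPA subdomain gets a referral; the one named directly under company.com fails at the AD KDC, which is the broken single sign-on case from point 3.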

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project