At my company, we are trying to set up a pilot with FreeIPA and we are having
some issues.  We would like to leverage our corporate AD infrastructure which mainly
lives in "somedom2.com", and is a member of the "rootdom1.com" forest.  Note the
different DNS naming between the root domain and the tree.  Our FreeIPA domain
is lnx.somedom2.com and is joined to rootdom1.com.  If we create users in
rootdom1.com, we can use those accounts on servers joined to lnx.somedom2.com,
but user accounts under somedom2.com will not work.  Could this be a transitive
trust issue?  Is there something unique we need to set up on the Linux servers
under lnx.somedom2.com (sssd.conf or krb5.conf) to allow authentication from
somedom2.com?

rootdom1.com  (forest root domain)

somedom2.com  (main domain tree, user and group accounts which need access to
lnx.somedom2.com)

lnx.somedom2.com  (FreeIPA domain, joined to forest rootdom1.com)

-Mike
