On Wed, 07 Sep 2016, Michael ORourke wrote:
At my company, we are trying to set up a pilot with FreeIPA and we
are having some issues.  We would like to leverage our corporate AD
infrastructure which mainly lives in "somedom2.com", and is a member of
"rootdom1.com" forest.  Note the different DNS naming between the root
domain and the tree.  Our FreeIPA domain is lnx.somedom2.com and is
joined to rootdom1.com.  If we create users in rootdom1.com, we can use
those accounts on servers joined to lnx.somedom2.com, but user accounts
under somedom2.com will not work.  Could this be a transitive trust
issue?  Is there something unique we need to setup on the linux servers
under lnx.somedom2.com (sssd.conf or krb5.conf) to allow authentication
from somedom2.com?

rootdom1.com  (forest root domain)

somedom2.com  (main domain tree, users and groups accounts which need access to 
lnx.somedom2.com)

lnx.somedom2.com  (freeIPA domain, joined to forest rootdom1.com)
This configuration should work. There were some issues with SSSD
generating incorrect CA paths for krb5.conf in some similar setups
on RHEL 7.2; this should be addressed in the latest RHEL 7.2.z release
and in Fedora 24.

However, in order to debug such cases, you need to look into
https://fedorahosted.org/sssd/wiki/Troubleshooting and provide logs that
demonstrate the problems you see. Don't forget also to give the freeipa/sssd
versions, down to 'rpm -q ...' output.

--
/ Alexander Bokovoy
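As an added illustration (not part of either message, and not FreeIPA or SSSD code): the reply points at the capaths SSSD generates for krb5.conf, which is exactly the piece that decides whether a ticket from a non-root forest domain such as somedom2.com can reach the IPA realm. The script below builds the [capaths] routes such a topology needs (every forest domain routed through the forest root, since the IPA realm's trust is only with the root), parses a krb5.conf-style text, and reports which routes are missing. The realm names are the ones from the question; the sample config is constructed to show the symptom described (forest-root users work, child-domain users do not), and the parser understands only the one-hop-per-line [capaths] layout. It is an assumption here that the capaths on a real host live in the krb5.include.d files SSSD writes under /var/lib/sss/pubconf/, so feed that text in, not only /etc/krb5.conf.

```python
"""Build and verify krb5.conf [capaths] routes for an IPA trust to an AD forest.

Added example for the thread above; not FreeIPA or SSSD code.
"""
import re


def capaths_for_forest(ipa_realm, forest_root, other_domains):
    """Return {client_realm: {server_realm: intermediate}} for a trust with the forest root.

    Rule: the IPA realm has a direct hop ('.') only to the forest root, so any
    other domain in the forest is routed through the root, in both directions.
    """
    ipa, root = ipa_realm.upper(), forest_root.upper()
    paths = {ipa: {root: "."}, root: {ipa: "."}}
    for dom in other_domains:
        dom = dom.upper()
        paths[ipa][dom] = root                       # IPA -> child domain via root
        paths.setdefault(dom, {})[ipa] = root        # child domain -> IPA via root
    return paths


def render_capaths(paths):
    """Render the mapping in krb5.conf [capaths] syntax."""
    lines = ["[capaths]"]
    for client, routes in paths.items():
        lines.append(f"  {client} = {{")
        for server, via in routes.items():
            lines.append(f"    {server} = {via}")
        lines.append("  }")
    return "\n".join(lines) + "\n"


def parse_capaths(text):
    """Parse the [capaths] section of krb5.conf-style text (subset: one hop per line)."""
    paths, in_section, client = {}, False, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop '#' comments and whitespace
        if not line:
            continue
        if line.startswith("["):                     # section header switches context
            in_section = line.lower() == "[capaths]"
            continue
        if not in_section:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)      # 'CLIENT.REALM = {'
        if m:
            client = m.group(1).upper()
            paths.setdefault(client, {})
            continue
        if line == "}":
            client = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(\S+)$", line)   # 'SERVER.REALM = INTERMEDIATE'
        if m and client:
            paths[client][m.group(1).upper()] = m.group(2).upper()
    return paths


def missing_routes(expected, actual):
    """Return (client, server, intermediate) triples absent or wrong in the actual config."""
    return [(c, s, via)
            for c, routes in expected.items()
            for s, via in routes.items()
            if actual.get(c, {}).get(s) != via]


# Constructed sample: a host whose capaths only know the forest root, the
# situation in which rootdom1.com users work but somedom2.com users do not.
BROKEN_CONF = """
[libdefaults]
  default_realm = LNX.SOMEDOM2.COM
[capaths]
  LNX.SOMEDOM2.COM = {
    ROOTDOM1.COM = .
  }
  ROOTDOM1.COM = {
    LNX.SOMEDOM2.COM = .
  }
"""


def diagnose(conf_text=BROKEN_CONF):
    """List the routes the thread's topology needs that conf_text does not provide."""
    expected = capaths_for_forest("lnx.somedom2.com", "rootdom1.com", ["somedom2.com"])
    return missing_routes(expected, parse_capaths(conf_text))


if __name__ == "__main__":
    topology = capaths_for_forest("lnx.somedom2.com", "rootdom1.com", ["somedom2.com"])
    print(render_capaths(topology))
    for client, server, via in diagnose():
        print(f"missing route: {client} -> {server} via {via}")
```

Running it prints the full [capaths] stanza for the three realms and then reports the two missing routes in the constructed config (LNX.SOMEDOM2.COM to SOMEDOM2.COM via ROOTDOM1.COM, and the reverse). If the SSSD-generated include file on a host already carries those lines, the missing list is empty and the problem lies elsewhere, which is when the logs the reply asks for become the next step.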

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project