Hi folks,

Working on a hairy multiple AD Forest integration issue in AWS and would appreciate a sanity check - I've been wrong so many times about IPA setup and navigating transitive AD trusts that I figured it was time to ask questions first before falling on my face again, heh.

After reading the documentation we ended up getting a new domain name to run our IPA server on -- seemed easier than creating and delegating a subdomain off of the primary AD server.

This is what we have:

AD Forest #1: company-test.org
AD Forest #2: company-aws.org
IPA Server:   company-ipa.org

The IPA server at company-ipa.org has successfully created 1-way trusts to the AD servers for company-test.org and company-aws.org.

I'm at the point now where I'm ready to try installing IPA clients and have a simple sanity check question:

Can I launch a server in AWS with a hostname of "test.company-aws.org" yet bind it to my IPA server at "ipa.company-ipa.org" so it can manage users etc.?

I was thinking of a command like:

# ipa-client-install \
   --domain company-aws.org \
   --server ipa.company-ipa.org \
   --realm COMPANY-AWS.ORG

Would appreciate a quick sanity check on whether this is possible or supported. The ipa-client-install command is failing ("can't verify that server is an IPA server ...") but I'm not sure if it's because I've got a config / DNS / port problem or if I'm (once again) trying to do something stupid with IPA ...
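An added example, not part of the post above: a small POSIX shell pre-flight script for the setup described, run on the would-be client before enrolling. It assumes the client joins the IPA realm, so `--domain` and `--realm` carry the IPA server's own domain and realm (`company-ipa.org` / `COMPANY-IPA.ORG`), which is what ipa-client-install checks against; users from the trusted AD forests are then served through the trust rather than by enrolling in an AD realm. Because the client's DNS name (`test.company-aws.org`) sits outside the IPA DNS domain, the script passes `--server` and `--hostname` explicitly instead of relying on SRV-record discovery. The port list is the standard FreeIPA client port set; `getent` and `nc` are assumed to be available on the client, and the checks only run when the script is invoked with the argument `run`.

```shell
#!/bin/sh
# Constructed pre-flight for enrolling test.company-aws.org into the IPA realm
# at company-ipa.org (example code, not from the original post).
# Usage on the client:  sh enroll-check.sh run

IPA_SERVER="ipa.company-ipa.org"
IPA_DOMAIN="company-ipa.org"
IPA_REALM="COMPANY-IPA.ORG"        # the IPA realm, not an AD realm
CLIENT_FQDN="test.company-aws.org" # client lives in a different DNS domain

# TCP ports a client must reach on the IPA server: HTTP/HTTPS (enrollment and
# API), LDAP/LDAPS, Kerberos KDC, and kpasswd.
IPA_PORTS="80 443 389 636 88 464"

# upper prints its argument upper-cased (POSIX tr, no bash-isms).
upper() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# realm_matches_domain succeeds when REALM is the upper-cased DOMAIN, the
# FreeIPA convention. Pairing an AD realm with the IPA domain fails here,
# which is the mismatch in the command quoted in the post.
realm_matches_domain() {
    [ "$1" = "$(upper "$2")" ]
}

# build_enroll_cmd prints the ipa-client-install invocation. --server and
# --hostname are explicit because SRV autodiscovery searches the client's
# own DNS domain, which is not the IPA domain here.
build_enroll_cmd() {
    printf 'ipa-client-install --domain %s --realm %s --server %s --hostname %s --mkhomedir\n' \
        "$IPA_DOMAIN" "$IPA_REALM" "$IPA_SERVER" "$CLIENT_FQDN"
}

# server_resolves checks that the IPA server name resolves from this host.
server_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# port_reachable probes one TCP port with nc; returns 2 when nc is missing so
# the caller can tell "unknown" from "closed".
port_reachable() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        return 2
    fi
}

# preflight runs every check, then prints the enrollment command.
preflight() {
    rc=0
    if realm_matches_domain "$IPA_REALM" "$IPA_DOMAIN"; then
        echo "ok    realm $IPA_REALM matches domain $IPA_DOMAIN"
    else
        echo "FAIL  realm $IPA_REALM is not the upper-cased IPA domain $IPA_DOMAIN"; rc=1
    fi
    if server_resolves "$IPA_SERVER"; then
        echo "ok    $IPA_SERVER resolves"
    else
        echo "FAIL  $IPA_SERVER does not resolve (DNS / resolv.conf problem)"; rc=1
    fi
    for p in $IPA_PORTS; do
        if port_reachable "$IPA_SERVER" "$p"; then st=0; else st=$?; fi
        case $st in
            0) echo "ok    tcp/$p reachable on $IPA_SERVER" ;;
            2) echo "skip  tcp/$p (nc not installed)" ;;
            *) echo "FAIL  tcp/$p blocked on $IPA_SERVER (security group / firewall)"; rc=1 ;;
        esac
    done
    echo "command to run on the client:"
    build_enroll_cmd
    return $rc
}

case "${1:-}" in
    run) preflight ;;
esac
```

A FAIL on the realm line means the values passed to ipa-client-install name a realm the server does not serve; a FAIL on DNS or a port points at the resolver configuration or the security group between the client subnet and the IPA server, the other two causes the post lists.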