100% correct. We are OK with losing GSSAPI authentication if we can operate in a different DNS domain than the IPA server that "glues" together all of our various Active Directory trusts. We want password authentication from Active Directory as our main concern with role-based access control coming in as a strong second desire.

The Redhat/IPA documentation and links that Alexander posted below on this are quite good and the issues on our end have generally come from following more generic deployment instructions that don't cover the different-DNS-domain situation.

The quality of technical insight on this list has been fantastic. If our "different DNS" setup is of interest to others I'd be happy to write up our architecture and configurations in more detail once this project settles down. At the very least I should be able to prepare a concise "lessons learned" summary that details the configuration settings that deviate from the norms advised in the more general-purpose instructions.


Alexander Bokovoy wrote:
Apologies I must have been unclear. What I was trying to say is that
we are going for the "hosts in the different DNS domain" deployment scenario ...

- We have unique domain name and realm for IPA:  company-ipa.org
- We use company-aws.org in AWS and have our own Active Directory servers for: company-aws.org - We want to use ipa-client to bind our servers to company-ipa.org but use DNS names from company-aws.org for operation

Our end goal:
- We have many external AD forests we are linking to company-ipa.org one at a time - End goal: operate hosts with DNS name "company-aws.org" as IPA clients of "company-ipa.org" using AD logins coming from the external trusts
This setup should work with password-based authentication. It will not
work with GSSAPI (Kerberos) authentication. I think this is what you are
aware of and accepted as the limitation.

For the benefit of others, here is the list of articles and
documentation of the topic of mixed DNS domains/hostnames with Active

- High-level description:

- Documentation chapter:

- Technical details:

There is nothing we can do with the Active Directory limitations beyond
these documents.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to