the documentation states "[...] Client machines do not need to be in the
same domain as FreeIPA servers. For example, FreeIPA may be a domain
ipa.example.com and clients in domain clients.example.com, there just
need to be a clear mapping between DNS domain and Kerberos realm. [...]"
Can clients be registered properly if the clients.example.com domain is
an existing Active Directory domain which - of course - already has
_kerberos entries in DNS?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project