[Freeipa-users] Master level IPA server

2015-04-29 Thread Aric Wilisch
Is it possible to set up a Master level FreeIPA domain, then have 3 sub level 
domains use it for authentication? 

So master server at say ipa.domain.com, then have a 
secondary zone that is ipa2.sub1.domain.com.

We have 3 different environments that need to stay separated. We were going to 
have them all authenticate to an Active Directory domain but getting that setup 
is turning into a real issue. So if possible I would like to have a master 
level IPA server, then three sub level IPA servers that authenticate against 
it, then have our Windows Terminal Servers authenticate against it as well if 
possible.

So if there is documentation on how to set that up I would appreciate a 
pointer; I haven’t been able to find it yet.

Thanks much!

Regards,
--
Aric Wilisch
awili...@gmail.com

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Master level IPA server

2015-04-29 Thread Dmitri Pal

On 04/29/2015 08:38 PM, Aric Wilisch wrote:
> Is it possible to set up a Master level FreeIPA domain, then have 3 sub 
> level domains use it for authentication?
>
> So master server at say ipa.domain.com, then 
> have a secondary zone that is ipa2.sub1.domain.com.
>
> We have 3 different environments that need to stay separated. We were 
> going to have them all authenticate to an Active Directory domain but 
> getting that setup is turning into a real issue. So if possible I 
> would like to have a master level IPA server, then three sub level IPA 
> servers that authenticate against it, then have our Windows Terminal 
> Servers authenticate against it as well if possible.
>
> So if there is documentation on how to set that up I would appreciate 
> a pointer; I haven't been able to find it yet.
>
> Thanks much!
>
> Regards,
> --
> Aric Wilisch
> awili...@gmail.com


You can have one IPA Kerberos realm spanning several zones, but the top-level 
domain should be the same as the realm; otherwise trust would not work.

I think Alexander would have some pointers.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Master level IPA server

2015-04-29 Thread Alexander Bokovoy

On Wed, 29 Apr 2015, Aric Wilisch wrote:

> Is it possible to set up a Master level FreeIPA domain, then have 3 sub
> level domains use it for authentication?
>
> So master server at say ipa.domain.com, then
> have a secondary zone that is ipa2.sub1.domain.com.

This is possible. As long as the DNS domains of IPA do not overlap with the DNS
domains of the Active Directory deployment, or of any other Kerberos realm,
things should work.

> We have 3 different environments that need to stay separated. We were
> going to have them all authenticate to an Active Directory domain but
> getting that setup is turning into a real issue. So if possible I would
> like to have a master level IPA server, then three sub level IPA
> servers that authenticate against it, then have our Windows Terminal
> Servers authenticate against it as well if possible.

You cannot log in to Windows machines by authenticating against IPA right
now; this is not supported.

You can establish a cross-forest trust between the IPA realm and Active
Directory and then log in to IPA machines with Active Directory
credentials. If this is not what you want, IPA does not yet support
your case.

There aren't enough details to see what your issue is, though.

--
/ Alexander Bokovoy

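Added example, not from the thread and not FreeIPA project code: a POSIX sh check for the two planning constraints raised in the replies above, that every IPA DNS zone sits under the realm's own domain (Dmitri's point) and that no IPA zone overlaps the Active Directory namespace (Alexander's point). The realm, zone and AD names are constructed placeholders; the script does not talk to IPA or AD, it only validates an intended layout before the installers are run.

```shell
#!/bin/sh
# Added example (not from the thread). Checks two constraints on a planned
# layout: every IPA DNS zone must sit under the realm's own domain, and no
# IPA zone may overlap the Active Directory domain (equal to it, above it,
# or below it). All names used below are constructed for the demo.

# norm NAME -> lowercase NAME with any trailing dot removed, so a Kerberos
# realm such as DOMAIN.COM compares equal to the DNS domain domain.com
norm() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# under CHILD PARENT -> true if CHILD equals PARENT or is a subdomain of it.
# The match is on a label boundary: "mydomain.com" is not under "domain.com".
under() {
    c=$(norm "$1"); p=$(norm "$2")
    [ "$c" = "$p" ] && return 0
    case "$c" in *".$p") return 0 ;; esac
    return 1
}

# overlaps A B -> true if either name is under the other
overlaps() {
    under "$1" "$2" || under "$2" "$1"
}

# check_layout REALM AD_DOMAIN ZONE... -> prints every violation to stderr,
# returns 0 only when the layout is clean
check_layout() {
    realm_domain=$(norm "$1"); ad=$2; shift 2
    rc=0
    for z in "$@"; do
        if ! under "$z" "$realm_domain"; then
            echo "ERROR: zone $z is outside realm domain $realm_domain" >&2
            rc=1
        fi
        if overlaps "$z" "$ad"; then
            echo "ERROR: zone $z overlaps AD domain $ad" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo with the layout from the thread: one realm DOMAIN.COM, three
# sub-zones, and an AD forest in a separate namespace (clean), then an AD
# domain that lives inside domain.com (rejected).
if check_layout DOMAIN.COM ad.example.com domain.com sub1.domain.com sub2.domain.com sub3.domain.com; then
    echo "layout 1: OK"
fi
if ! check_layout DOMAIN.COM corp.domain.com domain.com sub1.domain.com; then
    echo "layout 2: rejected"
fi
```

The subdomain test matches on a label boundary, so `mydomain.com` is not treated as overlapping `domain.com`, and names are compared case-insensitively with trailing dots stripped, which is how an upper-case realm name relates to its lower-case DNS domain. Run it against the zones you intend to create before `ipa-server-install` and before any trust is set up; the same check applies to any other Kerberos realm in the environment, not only AD.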