Hi,

I'm wondering if anyone else has done something similar to us, and if so, how 
you went about it, or if it is indeed at all possible.


Our situation is:


  *   We have a few VMs which are domain joined to "internal.local", an Active Directory domain over which we have no control or administrative access
  *   We would like to install IPA on these VMs (replicated, with named for DNS) with a separate domain called "dev.zone"
  *   Authentication to the VM itself via SSH should still be carried out against "internal.local" – we will point our own services that we are going to install, like GitLab, directly at the IPA server
  *   "dev.zone" will be set up as a conditional forwarder on the Active Directory domain pointing at the IPA-installed named-pkcs11 service to do resolution for this domain


My initial findings are that IPA installs fine but it changes some things in 
/etc/krb5.conf like:


  *   Adds the "dev.zone" realm
  *   Modifies the "default_realm" to be "dev.zone"
  *   Leaves the "[realm]" definition for "internal.local" but empties it of the "kdc" and "admin_server" definitions
  *   Removes the Kerberos tickets for "internal.local" that were in "net ads keytab list"


This ultimately results in IPA working fine but authentication to the server 
via SSH no longer works as it's looking to "dev.zone" now.


Is it possible to achieve what we're wanting to do? Can these two things 
co-exist peacefully?


Cheers,

Doug
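A small check for the krb5.conf breakage described above, added here as an example that is not from this thread or from the FreeIPA project: it parses a constructed post-install /etc/krb5.conf (realm names in the uppercase Kerberos convention, hostnames hypothetical) and reports whether a given realm is still the default_realm and still has its kdc and admin_server entries, which is the state an SSH login against that realm depends on.

```python
# Constructed sample of /etc/krb5.conf after ipa-client-install, as the post
# describes it: DEV.ZONE added and made default_realm, INTERNAL.LOCAL kept
# but emptied of kdc/admin_server. Hostnames are hypothetical.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = DEV.ZONE
[realms]
 DEV.ZONE = {
  kdc = ipa1.dev.zone:88
  admin_server = ipa1.dev.zone:749
 }
 INTERNAL.LOCAL = {
 }
"""

REQUIRED_REALM_KEYS = ("kdc", "admin_server")

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | {subkey: [values]}}}."""
    # 'NAME = { ... }' sub-blocks (as in [realms]) become nested dicts; keys
    # repeated inside a block (several kdc lines) are collected in a list.
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif section is not None:
            key, sep, value = (p.strip() for p in line.partition("="))
            if not sep:
                continue  # blank line or something that is not 'key = value'
            if value == "{":
                block = conf[section].setdefault(key, {})
            elif block is not None:
                block.setdefault(key, []).append(value)
            else:
                conf[section][key] = value
    return conf

def check_realm(conf, realm):
    """Return what would break Kerberos logins against `realm` (empty = OK)."""
    problems = []
    if conf.get("libdefaults", {}).get("default_realm") != realm:
        problems.append(f"default_realm is not {realm}")
    block = conf.get("realms", {}).get(realm)
    if block is None:
        return problems + [f"no [realms] entry for {realm}"]
    return problems + [f"{realm} has no {k}" for k in REQUIRED_REALM_KEYS if k not in block]
```

Running `check_realm(parse_krb5_conf(open("/etc/krb5.conf").read()), "INTERNAL.LOCAL")` before and after the IPA install shows exactly which of the three settings the installer changed.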

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org