Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-04 Thread Alston, David
Greetings!

 Thanks for clarifying.  That makes more sense now.

 I'm still not sure what sorts of headaches I would be running into if I do 
have FreeIPA and AD both managing servers in the company.com domain.  Somehow I 
need to find out if these are just mild headaches, or if they are 
incapacitating migraines that will drive us all insane.

--David Alston

-Original Message-
From: Simo Sorce [mailto:s...@redhat.com] 
Sent: Thursday, August 04, 2016 4:31 AM
To: Alston, David
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

On Wed, 2016-08-03 at 15:22 -0500, Alston, David wrote:
> Greetings!
> 
> >> 2. Active Directory must never know anything about a DNS domain
> >> freeipa.company.com (I'm not sure why)
> > Correct because if that happened then AD considers the whole
> > subdomain as part of its realm and trust routing will not work.
> 
> Doesn't that mean that we have to have the FreeIPA servers on their 
> own DNS domain again?

No, you can use the Windows DNS, DNS management != AD Domain, what matters is 
that AD never had that DNS name as a child domain, with computer objects in it.

>   So we can't have linux-server.company.com and 
> windows-server.company.com (managed by FreeIPA and AD respectively) 
> because there has to be a SOA for .company.com somewhere and that is 
> already managed by AD (in our environment).

No you can't have this (if you want SSO and avoid headaches in general) no 
matter what you do. You have to keep server names on separate (sub)domains.
In some cases you can use CNAMEs though.

>  Also, thanks for your other answers.  They were very helpful :^)

You are welcome,
Simo.

> --David Alston
> 
> 
> -Original Message-
> From: Simo Sorce [mailto:s...@redhat.com]
> Sent: Wednesday, August 03, 2016 2:13 PM
> To: Alston, David
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS 
> domain
> 
> On Wed, 2016-08-03 at 13:52 -0500, Alston, David wrote:
> > Greetings!
> >
> >  That sounds like great news!   Just to make sure I understand
> > correctly..
> >
> > 1. Any server managed by FreeIPA must NEVER have had a computer object
> > associated with them in AD?  (even if it has now been deleted)
>
> No, what a random server does or has done is irrelevant in this sense, but
> see later, for caveats.
>
> > 2. Active Directory must never know anything about a DNS domain
> > freeipa.company.com (I'm not sure why)
>
> Correct because if that happened then AD considers the whole subdomain as
> part of its realm and trust routing will not work.
>
> > 3. My linux servers being managed by FreeIPA can still have the DNS
> > domain company.com (instead of servername.freeipa.company.com)
>
> Although the strict answer is yes, if you put a linux server joined to
> freeIPA in the AD DNS Domain then Single Sign On from Windows users will not
> work, as AD will consider all requests for tickets to those servers as
> requests for itself and will never return referrals to the freeIPA KDCs for
> those TGS requests, so clients will not be able to get tickets for those
> servers.
>
> > 4. Single Signon to the Linux servers using AD credentials will still
> > work
>
> No, see above.
>
> > 5. (BONUS) I could even let AD trust user accounts created in FreeIPA?
>
> Not clear what you mean here. If you mean that IPA user accounts can operate
> in the Windows domain, the answer is technically yes, although because we do
> not expose (yet) a Global Catalog to the Windows AD servers, it will be hard
> to set ACLs on the Windows side to actually authorize freeIPA users to login
> to AD managed computers (it can probably be done via CLI, but not through AD
> administrative UIs).
> We plan to fix this in the near future by providing a GC service.
> 
> 
> HTH,
> Simo.
> 
> --
> Simo Sorce * Red Hat, Inc * New York
> 


--
Simo Sorce * Red Hat, Inc * New York


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-04 Thread Simo Sorce
On Wed, 2016-08-03 at 15:22 -0500, Alston, David wrote:
> Greetings!
> 
> >> 2. Active Directory must never know anything about a DNS domain
> >> freeipa.company.com (I'm not sure why)
> > Correct because if that happened then AD considers the whole
> > subdomain as part of its realm and trust routing will not work.
> 
> Doesn't that mean that we have to have the FreeIPA servers on their
> own DNS domain again?

No, you can use the Windows DNS, DNS management != AD Domain, what
matters is that AD never had that DNS name as a child domain, with
computer objects in it.

>   So we can't have linux-server.company.com and
> windows-server.company.com (managed by FreeIPA and AD respectively)
> because there has to be a SOA for .company.com somewhere and that is
> already managed by AD (in our environment).

No you can't have this (if you want SSO and avoid headaches in general)
no matter what you do. You have to keep server names on separate
(sub)domains.
In some cases you can use CNAMEs though.

>  Also, thanks for your other answers.  They were very helpful :^)

You are welcome,
Simo.

> --David Alston
> 
> 
> -Original Message-
> From: Simo Sorce [mailto:s...@redhat.com] 
> Sent: Wednesday, August 03, 2016 2:13 PM
> To: Alston, David
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain
> 
> On Wed, 2016-08-03 at 13:52 -0500, Alston, David wrote:
> > Greetings!
> >
> >  That sounds like great news!   Just to make sure I understand
> > correctly..
> >
> > 1. Any server managed by FreeIPA must NEVER have had a computer object
> > associated with them in AD?  (even if it has now been deleted)
>
> No, what a random server does or has done is irrelevant in this sense, but
> see later, for caveats.
>
> > 2. Active Directory must never know anything about a DNS domain
> > freeipa.company.com (I'm not sure why)
>
> Correct because if that happened then AD considers the whole subdomain as
> part of its realm and trust routing will not work.
>
> > 3. My linux servers being managed by FreeIPA can still have the DNS
> > domain company.com (instead of servername.freeipa.company.com)
>
> Although the strict answer is yes, if you put a linux server joined to
> freeIPA in the AD DNS Domain then Single Sign On from Windows users will not
> work, as AD will consider all requests for tickets to those servers as
> requests for itself and will never return referrals to the freeIPA KDCs for
> those TGS requests, so clients will not be able to get tickets for those
> servers.
>
> > 4. Single Signon to the Linux servers using AD credentials will still
> > work
>
> No, see above.
>
> > 5. (BONUS) I could even let AD trust user accounts created in FreeIPA?
>
> Not clear what you mean here. If you mean that IPA user accounts can operate
> in the Windows domain, the answer is technically yes, although because we do
> not expose (yet) a Global Catalog to the Windows AD servers, it will be hard
> to set ACLs on the Windows side to actually authorize freeIPA users to login
> to AD managed computers (it can probably be done via CLI, but not through AD
> administrative UIs).
> We plan to fix this in the near future by providing a GC service.
> 
> 
> HTH,
> Simo.
> 
> --
> Simo Sorce * Red Hat, Inc * New York
> 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-04 Thread Petr Spacek
On 3.8.2016 22:22, Alston, David wrote:
> Greetings!
> 
>>> 2. Active Directory must never know anything about a DNS domain 
>>> freeipa.company.com (I'm not sure why)
>> Correct because if that happened then AD considers the whole subdomain as 
>> part of its realm and trust routing will not work.
> 
> Doesn't that mean that we have to have the FreeIPA servers on their own DNS 
> domain again?  So we can't have linux-server.company.com and 
> windows-server.company.com (managed by FreeIPA and AD respectively) because 
> there has to be a SOA for .company.com somewhere and that is already managed 
> by AD (in our environment).

The problem is not at DNS level but at Kerberos level. Anyway, this is in
depth described on
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

I hope it helps.
Petr^2 Spacek

> 
> --David Alston
> 
> 
> -Original Message-
> From: Simo Sorce [mailto:s...@redhat.com] 
> Sent: Wednesday, August 03, 2016 2:13 PM
> To: Alston, David
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain
> 
> On Wed, 2016-08-03 at 13:52 -0500, Alston, David wrote:
>> Greetings!
>>
>>  That sounds like great news!   Just to make sure I understand 
>> correctly..
>>
>> 1. Any server managed by FreeIPA must NEVER have had a computer object 
>> associated with them in AD?  (even if it has now been deleted)
> No, what a random server does or has done is irrelevant in this sense, but 
> see later, for caveats.
> 
>> 2. Active Directory must never know anything about a DNS domain 
>> freeipa.company.com (I'm not sure why)
> Correct because if that happened then AD considers the whole subdomain as 
> part of its realm and trust routing will not work.
> 
>> 3. My linux servers being managed by FreeIPA can still have the DNS 
>> domain company.com (instead of servername.freeipa.company.com)
> Although the strict answer is yes, if you put a linux server joined to 
> freeIPA in the AD DNS Domain then Single Sign On from Windows users will not 
> work, as AD will consider all requests for tickets to those servers as 
> requests for itself and will never return referrals to the freeIPA KDCs for 
> those TGS requests, so clients will not be able to get tickets for those 
> servers. 
> 
>> 4. Single Signon to the Linux servers using AD credentials will still 
>> work
> 
> No, see above.
> 
>> 5. (BONUS) I could even let AD trust user accounts created in FreeIPA?
> 
> Not clear what you mean here. If you mean that IPA user accounts can operate 
> in the Windows domain, the answer is technically yes, although because we do 
> not expose (yet) a Global Catalog to the Windows AD servers, it will be hard 
> to set ACLs on the Windows side to actually authorize freeIPA users to login 
> to AD managed computers (it can probably be done via CLI, but not through AD 
> administrative UIs).
> We plan to fix this in the near future by providing a GC service.
> 
> 
> HTH,
> Simo.
> 
> --
> Simo Sorce * Red Hat, Inc * New York
> 
> 


-- 
Petr^2 Spacek



Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-03 Thread Alston, David
Greetings!

>> 2. Active Directory must never know anything about a DNS domain 
>> freeipa.company.com (I'm not sure why)
> Correct because if that happened then AD considers the whole subdomain as 
> part of its realm and trust routing will not work.

Doesn't that mean that we have to have the FreeIPA servers on their own DNS 
domain again?  So we can't have linux-server.company.com and 
windows-server.company.com (managed by FreeIPA and AD respectively) because 
there has to be a SOA for .company.com somewhere and that is already managed by 
AD (in our environment).

 Also, thanks for your other answers.  They were very helpful :^)

--David Alston


-Original Message-
From: Simo Sorce [mailto:s...@redhat.com] 
Sent: Wednesday, August 03, 2016 2:13 PM
To: Alston, David
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

On Wed, 2016-08-03 at 13:52 -0500, Alston, David wrote:
> Greetings!
> 
>  That sounds like great news!   Just to make sure I understand correctly..
> 
> 1. Any server managed by FreeIPA must NEVER have had a computer object 
> associated with them in AD?  (even if it has now been deleted)
No, what a random server does or has done is irrelevant in this sense, but see 
later, for caveats.

> 2. Active Directory must never know anything about a DNS domain 
> freeipa.company.com (I'm not sure why)
Correct because if that happened then AD considers the whole subdomain as part 
of its realm and trust routing will not work.

> 3. My linux servers being managed by FreeIPA can still have the DNS 
> domain company.com (instead of servername.freeipa.company.com)
Although the strict answer is yes, if you put a linux server joined to freeIPA 
in the AD DNS Domain then Single Sign On from Windows users will not work, as 
AD will consider all requests for tickets to those servers as requests for 
itself and will never return referrals to the freeIPA KDCs for those TGS 
requests, so clients will not be able to get tickets for those servers. 

> 4. Single Signon to the Linux servers using AD credentials will still 
> work

No, see above.

> 5. (BONUS) I could even let AD trust user accounts created in FreeIPA?

Not clear what you mean here. If you mean that IPA user accounts can operate in 
the Windows domain, the answer is technically yes, although because we do not 
expose (yet) a Global Catalog to the Windows AD servers, it will be hard to set 
ACLs on the Windows side to actually authorize freeIPA users to login to AD 
managed computers (it can probably be done via CLI, but not through AD 
administrative UIs).
We plan to fix this in the near future by providing a GC service.


HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York




Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-03 Thread Simo Sorce
On Wed, 2016-08-03 at 13:52 -0500, Alston, David wrote:
> Greetings!
> 
>  That sounds like great news!   Just to make sure I understand correctly..
> 
> 1. Any server managed by FreeIPA must NEVER have had a computer object 
> associated with them in AD?  (even if it has now been deleted)
No, what a random server does or has done is irrelevant in this sense,
but see later, for caveats.

> 2. Active Directory must never know anything about a DNS domain 
> freeipa.company.com (I'm not sure why)
Correct because if that happened then AD considers the whole subdomain
as part of its realm and trust routing will not work.

> 3. My linux servers being managed by FreeIPA can still have the DNS domain 
> company.com (instead of servername.freeipa.company.com)
Although the strict answer is yes, if you put a linux server joined to
freeIPA in the AD DNS Domain then Single Sign On from Windows users will
not work, as AD will consider all requests for tickets to those servers
as requests for itself and will never return referrals to the freeIPA
KDCs for those TGS requests, so clients will not be able to get tickets
for those servers. 

> 4. Single Signon to the Linux servers using AD credentials will still work

No, see above.

> 5. (BONUS) I could even let AD trust user accounts created in FreeIPA?

Not clear what you mean here. If you mean that IPA user accounts can
operate in the Windows domain, the answer is technically yes, although
because we do not expose (yet) a Global Catalog to the Windows AD
servers, it will be hard to set ACLs on the Windows side to actually
authorize freeIPA users to login to AD managed computers (it can
probably be done via CLI, but not through AD administrative UIs).
We plan to fix this in the near future by providing a GC service.


HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
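
Added example (not part of the original thread, and not FreeIPA or AD code): a simplified Python model of the referral decision described in the answer to point 3 above, showing why a FreeIPA-enrolled host named in the AD DNS domain gets no referral while one under freeipa.company.com does. The Kdc class, its suffix tables and the sso_reachable helper are assumptions made for illustration; real AD name-suffix routing has more rules than this.

```python
from dataclasses import dataclass, field

IPA_REALM = "FREEIPA.COMPANY.COM"


@dataclass
class Kdc:
    """Toy KDC: an assumption-laden model, not AD's real routing code."""
    realm: str
    own_suffixes: set                      # DNS suffixes the realm treats as its own
    principals: set = field(default_factory=set)          # SPNs it holds keys for
    trusted_suffixes: dict = field(default_factory=dict)  # suffix -> trusted realm

    def _longest_suffix(self, host):
        """Longest known DNS suffix of host, or None."""
        known = self.own_suffixes | set(self.trusted_suffixes)
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in known:
                return candidate
        return None

    def tgs_request(self, spn):
        """Return (outcome, realm) for a service-ticket request."""
        if spn in self.principals:
            return ("TICKET", self.realm)
        suffix = self._longest_suffix(spn.split("/", 1)[1])
        # A suffix the realm claims for itself is never routed over a trust.
        if suffix is not None and suffix not in self.own_suffixes:
            return ("REFERRAL", self.trusted_suffixes[suffix])
        return ("S_PRINCIPAL_UNKNOWN", self.realm)


def sample_ad(claims_ipa_subdomain=False):
    """Constructed AD KDC for COMPANY.COM with a trust to the IPA realm."""
    own = {"company.com"}
    if claims_ipa_subdomain:       # AD once had freeipa.company.com as its own
        own.add("freeipa.company.com")
    return Kdc("COMPANY.COM", own, {"host/windows-server.company.com"},
               {"freeipa.company.com": IPA_REALM})


def sso_reachable(ad, ipa_hosts):
    """For each FreeIPA-enrolled host: can an AD client get a ticket for it?"""
    return {h: ad.tgs_request(f"host/{h}") == ("REFERRAL", IPA_REALM)
            for h in ipa_hosts}


if __name__ == "__main__":
    hosts = ["linux-server.company.com", "servername.freeipa.company.com"]
    print(sso_reachable(sample_ad(), hosts))
    print(sso_reachable(sample_ad(claims_ipa_subdomain=True), hosts))
```

The second call models the case from point 2: once AD treats freeipa.company.com as part of its own realm, even correctly named IPA hosts stop receiving referrals.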



Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-03 Thread Alston, David
Greetings!

 That sounds like great news!   Just to make sure I understand correctly..

1. Any server managed by FreeIPA must NEVER have had a computer object 
associated with them in AD?  (even if it has now been deleted)
2. Active Directory must never know anything about a DNS domain 
freeipa.company.com (I'm not sure why)
3. My linux servers being managed by FreeIPA can still have the DNS domain 
company.com (instead of servername.freeipa.company.com)
4. Single Signon to the Linux servers using AD credentials will still work
5. (BONUS) I could even let AD trust user accounts created in FreeIPA?

--David Alston

-Original Message-
From: Simo Sorce [mailto:s...@redhat.com] 
Sent: Wednesday, August 03, 2016 1:28 PM
To: Alston, David
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

On Wed, 2016-08-03 at 13:24 -0500, Alston, David wrote:
> Greetings!
> 
>  Everyone seems to say that you can't have a domain trust across two 
> Kerberos realms (FreeIPA and Active Directory) if the hosts share the same 
> DNS domain.
> 
>  Hadoop seems to do this just fine, though.  I'm in the process of 
> helping someone setup a trust between the Kerberos realms 
> HADOOP.COMPANY.COM  and  COMPANY.COM and all of the servers use the 
> company.com DNS domain. (see 
> http://www.cloudera.com/documentation/archive/cdh/4-x/4-5-0/CDH4-Security-Guide/cdh4sg_topic_15.html)
> 
>  This seems to be standard practice for setting up hadoop clusters.  Why 
> wouldn't setting up a one-way trust so that FREEIPA.COMPANY.COM trusts 
> COMPANY.COM (with all involved servers having the "company.com" DNS domain)?  
> As I understand it, the Kerberos realm FreeIPA uses can be specified during 
> the initial setup and it doesn't have to match the domain.
> 
> --David Alston

You can have a Realm named COMPANY.COM (AD) and a Realm named 
FREEIPA.COMPANY.COM (IPA), as long as the AD Servers never had computer objects 
or subdomains in the DNS domain freeipa.company.com in it.

If that's the case you can create a 1 way or 2 way trust between the 2 forests 
without issues.

Simo.
 
--
Simo Sorce * Red Hat, Inc * New York




Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-03 Thread Simo Sorce
On Wed, 2016-08-03 at 13:24 -0500, Alston, David wrote:
> Greetings!
> 
>  Everyone seems to say that you can't have a domain trust across two 
> Kerberos realms (FreeIPA and Active Directory) if the hosts share the same 
> DNS domain.
> 
>  Hadoop seems to do this just fine, though.  I'm in the process of 
> helping someone setup a trust between the Kerberos realms HADOOP.COMPANY.COM  
> and  COMPANY.COM and all of the servers use the company.com DNS domain. (see 
> http://www.cloudera.com/documentation/archive/cdh/4-x/4-5-0/CDH4-Security-Guide/cdh4sg_topic_15.html)
> 
>  This seems to be standard practice for setting up hadoop clusters.  Why 
> wouldn't setting up a one-way trust so that FREEIPA.COMPANY.COM trusts 
> COMPANY.COM (with all involved servers having the "company.com" DNS domain)?  
> As I understand it, the Kerberos realm FreeIPA uses can be specified during 
> the initial setup and it doesn't have to match the domain.
> 
> --David Alston

You can have a Realm named COMPANY.COM (AD) and a Realm named
FREEIPA.COMPANY.COM (IPA), as long as the AD Servers never had computer
objects or subdomains in the DNS domain freeipa.company.com in it.

If that's the case you can create a 1 way or 2 way trust between the 2
forests without issues.

Simo.
 
-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-03 Thread Alston, David
Greetings!

 Everyone seems to say that you can't have a domain trust across two 
Kerberos realms (FreeIPA and Active Directory) if the hosts share the same DNS 
domain.

 Hadoop seems to do this just fine, though.  I'm in the process of helping 
someone setup a trust between the Kerberos realms HADOOP.COMPANY.COM  and  
COMPANY.COM and all of the servers use the company.com DNS domain. (see 
http://www.cloudera.com/documentation/archive/cdh/4-x/4-5-0/CDH4-Security-Guide/cdh4sg_topic_15.html)

 This seems to be standard practice for setting up hadoop clusters.  Why 
wouldn't setting up a one-way trust so that FREEIPA.COMPANY.COM trusts 
COMPANY.COM (with all involved servers having the "company.com" DNS domain)?  
As I understand it, the Kerberos realm FreeIPA uses can be specified during the 
initial setup and it doesn't have to match the domain.

--David Alston