Re: [Freeipa-users] IPA Trusts
Joshua or Erinn, can either of you please help us improve the docs and file a bug for the Windows integration guide, about the section you are concerned with? This is a direct link:

https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%207&component=doc-Windows_Integration_Guide

Thank you!
Martin

On 03/16/2015 09:56 PM, Gould, Joshua wrote:
> FWIW, we have IPA working with AD managed DNS. As Alexander mentioned,
> you'll need to have DNS properly configured. What I've found is the most
> critical is having the SRV records properly defined for the AD domain and
> the IPA domains. I kind of wish the docs were a bit clearer on which of
> the SRV records were needed. Ex. They list ldap but I didn't see any
> mention of kerberos SRV records.
>
> On 3/16/15, 3:16 PM, "Erinn Looney-Triggs" wrote:
>
>> On Monday, March 16, 2015 09:13:56 PM Alexander Bokovoy wrote:
>>> On Mon, 16 Mar 2015, Erinn Looney-Triggs wrote:
>>>> Reading through the RHEL 7.1 documents on setting up a trust between
>>>> IPA and AD I came across a note that IPA had to be managing DNS in order
>>>> for this to work. Why is this? Is there any way around this? At this point
>>>> the DNS IPA would manage is DNSSEC signed and as such can't be managed by
>>>> IPA, it must be managed separately.
>>>
>>> It is unfortunate that documentation turns recommendations into
>>> mandatory statements. IPA deployment depends heavily on properly
>>> configured DNS and we provide means to maintain DNS server with IPA
>>> tools. This, however, doesn't mean DNS is required to be maintained by
>>> IPA only. Instead, a properly maintained DNS setup is required, not that
>>> it is set up and controlled by IPA means.
>>>
>>> It is easier in many cases to use IPA-managed DNS but if you know what
>>> you are doing, all we ask is to have proper DNS entries in your DNS
>>> infrastructure prior to using IPA commands which require these entries
>>> to exist (or be created, had the DNS infrastructure been managed by
>>> IPA).
>>
>> Ok thanks, I sort of figured that was probably the case, but I wanted to
>> check to make sure.
>>
>> -Erinn

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA Trusts
FWIW, we have IPA working with AD managed DNS. As Alexander mentioned, you'll need to have DNS properly configured. What I've found is the most critical is having the SRV records properly defined for the AD domain and the IPA domains. I kind of wish the docs were a bit clearer on which of the SRV records were needed. Ex. They list ldap but I didn't see any mention of kerberos SRV records.

On 3/16/15, 3:16 PM, "Erinn Looney-Triggs" wrote:

> On Monday, March 16, 2015 09:13:56 PM Alexander Bokovoy wrote:
>> On Mon, 16 Mar 2015, Erinn Looney-Triggs wrote:
>>> Reading through the RHEL 7.1 documents on setting up a trust between IPA
>>> and AD I came across a note that IPA had to be managing DNS in order for
>>> this to work. Why is this? Is there any way around this? At this point the
>>> DNS IPA would manage is DNSSEC signed and as such can't be managed by IPA,
>>> it must be managed separately.
>>
>> It is unfortunate that documentation turns recommendations into
>> mandatory statements. IPA deployment depends heavily on properly
>> configured DNS and we provide means to maintain DNS server with IPA
>> tools. This, however, doesn't mean DNS is required to be maintained by
>> IPA only. Instead, a properly maintained DNS setup is required, not that
>> it is set up and controlled by IPA means.
>>
>> It is easier in many cases to use IPA-managed DNS but if you know what
>> you are doing, all we ask is to have proper DNS entries in your DNS
>> infrastructure prior to using IPA commands which require these entries
>> to exist (or be created, had the DNS infrastructure been managed by
>> IPA).
>
> Ok thanks, I sort of figured that was probably the case, but I wanted to
> check to make sure.
>
> -Erinn
Re: [Freeipa-users] IPA Trusts
On Monday, March 16, 2015 09:13:56 PM Alexander Bokovoy wrote:
> On Mon, 16 Mar 2015, Erinn Looney-Triggs wrote:
>> Reading through the RHEL 7.1 documents on setting up a trust between IPA
>> and AD I came across a note that IPA had to be managing DNS in order for
>> this to work. Why is this? Is there any way around this? At this point the
>> DNS IPA would manage is DNSSEC signed and as such can't be managed by IPA,
>> it must be managed separately.
>
> It is unfortunate that documentation turns recommendations into
> mandatory statements. IPA deployment depends heavily on properly
> configured DNS and we provide means to maintain DNS server with IPA
> tools. This, however, doesn't mean DNS is required to be maintained by
> IPA only. Instead, a properly maintained DNS setup is required, not that
> it is set up and controlled by IPA means.
>
> It is easier in many cases to use IPA-managed DNS but if you know what
> you are doing, all we ask is to have proper DNS entries in your DNS
> infrastructure prior to using IPA commands which require these entries
> to exist (or be created, had the DNS infrastructure been managed by
> IPA).

Ok thanks, I sort of figured that was probably the case, but I wanted to check to make sure.

-Erinn
Re: [Freeipa-users] IPA Trusts
On Mon, 16 Mar 2015, Erinn Looney-Triggs wrote:
> Reading through the RHEL 7.1 documents on setting up a trust between IPA
> and AD I came across a note that IPA had to be managing DNS in order for
> this to work. Why is this? Is there any way around this? At this point the
> DNS IPA would manage is DNSSEC signed and as such can't be managed by IPA,
> it must be managed separately.

It is unfortunate that documentation turns recommendations into mandatory statements. IPA deployment depends heavily on properly configured DNS and we provide means to maintain DNS server with IPA tools. This, however, doesn't mean DNS is required to be maintained by IPA only. Instead, a properly maintained DNS setup is required, not that it is set up and controlled by IPA means.

It is easier in many cases to use IPA-managed DNS but if you know what you are doing, all we ask is to have proper DNS entries in your DNS infrastructure prior to using IPA commands which require these entries to exist (or be created, had the DNS infrastructure been managed by IPA).

--
/ Alexander Bokovoy
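An added example, not part of the thread or of FreeIPA: a pre-flight check for the point made in the replies above, that externally managed DNS must already hold the ldap and kerberos SRV records for both the IPA and the AD domain. The record list in `REQUIRED`, the domain names and the zone data are assumptions constructed for illustration; the thread itself names only ldap and kerberos.

```python
import re
# Assumed check list (the thread names only "ldap" and "kerberos"): prefix -> port.
REQUIRED = {"_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88,
            "_ldap._tcp.dc._msdcs": 389, "_kerberos._tcp.dc._msdcs": 88}

# Constructed zone export (hypothetical domains); the IPA side lacks kerberos SRVs.
SAMPLE = """
_ldap._tcp.ipa.example.com.              86400 IN SRV 0 100 389 ipa1.ipa.example.com.
_ldap._tcp.dc._msdcs.ipa.example.com.    86400 IN SRV 0 100 389 ipa1.ipa.example.com.
ipa1.ipa.example.com.                    86400 IN A   192.0.2.10
_ldap._tcp.ad.example.com.               600 IN SRV 0 100 389 dc1.ad.example.com.
_kerberos._tcp.ad.example.com.           600 IN SRV 0 100 88 dc1.ad.example.com.
_kerberos._udp.ad.example.com.           600 IN SRV 0 100 88 dc1.ad.example.com.
_ldap._tcp.dc._msdcs.ad.example.com.     600 IN SRV 0 100 389 dc1.ad.example.com.
_kerberos._tcp.dc._msdcs.ad.example.com. 600 IN SRV 0 100 88 dc2.ad.example.com.
dc1.ad.example.com.                      3600 IN A   198.51.100.5
"""

RECORD = re.compile(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+(SRV|A|AAAA)[ \t]+([^;\n]+)", re.I | re.M)

def parse(text):
    """Return ({srv name: [(port, target)]}, {names that have an address record})."""
    srv, hosts = {}, set()
    for m in RECORD.finditer(text):
        name, rtype, rdata = m.group(1).lower().rstrip("."), m.group(2).upper(), m.group(3).split()
        if rtype != "SRV":
            hosts.add(name)
        elif len(rdata) == 4:  # priority weight port target
            srv.setdefault(name, []).append((int(rdata[2]), rdata[3].lower().rstrip(".")))
    return srv, hosts

def audit(text, domains):
    """List missing SRV names, unexpected ports and targets without an address."""
    srv, hosts = parse(text)
    problems = []
    for domain in domains:
        for prefix, port in REQUIRED.items():
            name = f"{prefix}.{domain}"
            if name not in srv:
                problems.append(f"missing SRV {name}")
            for got, target in srv.get(name, []):
                if got != port:
                    problems.append(f"{name}: port {got}, expected {port}")
                if target not in hosts:
                    problems.append(f"{name}: target {target} has no A/AAAA record")
    return problems

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, ["ipa.example.com", "ad.example.com"])) or "ok")
```

The input is any text in `name TTL IN type rdata` form, so an export of both zones from the external DNS server can be checked before the trust is set up.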
[Freeipa-users] IPA Trusts
Reading through the RHEL 7.1 documents on setting up a trust between IPA and AD I came across a note that IPA had to be managing DNS in order for this to work. Why is this? Is there any way around this? At this point the DNS IPA would manage is DNSSEC signed and as such can't be managed by IPA, it must be managed separately.

Thanks,
-Erinn