Re: [Freeipa-users] Choosing the right way to create trust
On 12.2.2014 21:49, Genadi Postrilko wrote:
> Client's local hostname must match the DNS A record?

I would recommend you to try it and report results. We can't be sure what will happen (in Kerberos libraries and applications) until you try that.

-- 
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Choosing the right way to create trust
Client's local hostname must match the DNS A record?
Re: [Freeipa-users] Choosing the right way to create trust
On Wed, Feb 12, 2014 at 11:45:50AM +0100, Petr Spacek wrote:
> On 12.2.2014 11:32, Alexander Bokovoy wrote:
> > On Wed, 12 Feb 2014, Genadi Postrilko wrote:
> > > What about adding alias DNS record of hostname.ipa.zone.corp to all linux
> > > machines, so they will keep the old FQDN.
> > What would it give to you?
> >
> > AD DC uses FQDN to decide which KDC is responsible to issue TGT (and
> > other tickets). If it belongs to its own DNS domain, no attempt to issue
> > cross-realm TGT will be done and Windows users will never get tickets to
> > services running on these IPA machines.
> >
> > You would really need to address IPA machines by their host names in
> > ipa.zone.corp domain and never by .zone.corp. At this point there is no
> > need to keep them in .zone.corp.
>
> Good point. Maybe CNAMEs from old name to the new name (in IPA
> sub-tree) could solve your problem. Kerberos usually follows chain
> of CNAMEs so it should work.

This might work on the DNS level but the local hostname must match as well, because services like e.g. sshd will search their keytab entries with the help of the local hostname. It might be possible to configure the services to use other keytab entries but I think it would be easier to just move all hosts to a new domain than touching the configuration of every single service.

bye,
Sumit

> Petr^2 Spacek
Re: [Freeipa-users] Choosing the right way to create trust
On 12.2.2014 11:32, Alexander Bokovoy wrote:
> On Wed, 12 Feb 2014, Genadi Postrilko wrote:
> > What about adding alias DNS record of hostname.ipa.zone.corp to all linux
> > machines, so they will keep the old FQDN.
> What would it give to you?
>
> AD DC uses FQDN to decide which KDC is responsible to issue TGT (and
> other tickets). If it belongs to its own DNS domain, no attempt to issue
> cross-realm TGT will be done and Windows users will never get tickets to
> services running on these IPA machines.
>
> You would really need to address IPA machines by their host names in
> ipa.zone.corp domain and never by .zone.corp. At this point there is no
> need to keep them in .zone.corp.

Good point. Maybe CNAMEs from old name to the new name (in IPA sub-tree) could solve your problem. Kerberos usually follows chain of CNAMEs so it should work.

-- 
Petr^2 Spacek
Re: [Freeipa-users] Choosing the right way to create trust
On Wed, 12 Feb 2014, Genadi Postrilko wrote:
> What about adding alias DNS record of hostname.ipa.zone.corp to all linux
> machines, so they will keep the old FQDN.
What would it give to you?

AD DC uses FQDN to decide which KDC is responsible to issue TGT (and other tickets). If it belongs to its own DNS domain, no attempt to issue cross-realm TGT will be done and Windows users will never get tickets to services running on these IPA machines.

You would really need to address IPA machines by their host names in ipa.zone.corp domain and never by .zone.corp. At this point there is no need to keep them in .zone.corp.

-- 
/ Alexander Bokovoy
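A pre-join check that turns the two points raised in this thread (Alexander's: the AD DC picks the KDC from the host's DNS domain by suffix, so a host still named under zone.corp never gets a cross-realm ticket; Sumit's: services look up keytab entries by the local hostname, so that name must match DNS) into something a defender can run before enrolling a host. This is an added example, not code from the thread or from FreeIPA; the domain-to-realm table for Martin's proposed layout, the sample hostnames and the `klist -k` output are constructed assumptions.

```python
import re

# Domain -> realm table for the layout Martin proposed (assumed for this example).
# Longest matching DNS suffix wins, as in a krb5.conf [domain_realm] lookup.
DOMAIN_REALM = {
    "zone.corp": "ZONE.CORP",
    "ipa.zone.corp": "IPA.ZONE.CORP",
}

def realm_for_host(fqdn, domain_realm=DOMAIN_REALM):
    """Return the realm a client derives for fqdn by longest DNS-suffix match."""
    host = fqdn.lower().rstrip(".")
    best = None
    for domain, realm in domain_realm.items():
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, realm)
    return best[1] if best else None

def needs_cross_realm(service_fqdn, user_realm="ZONE.CORP"):
    """True if an AD user in user_realm needs a cross-realm TGT for service_fqdn.
    False means the AD DC treats the service as its own and never asks IPA."""
    target = realm_for_host(service_fqdn)
    return target is not None and target != user_realm

def keytab_principals(klist_output):
    """Parse principal names out of `klist -k` style output (sample constructed below)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_output, re.M)}

def check_host(local_fqdn, a_record_name, klist_output):
    """Return a list of problems: hostname/DNS mismatch, wrong realm, missing host key."""
    problems = []
    if local_fqdn.lower() != a_record_name.lower():
        problems.append("local hostname %s != DNS A record %s" % (local_fqdn, a_record_name))
    realm = realm_for_host(local_fqdn)
    if realm != "IPA.ZONE.CORP":
        problems.append("host maps to realm %s; AD will not issue cross-realm tickets" % realm)
    expected = "host/%s@IPA.ZONE.CORP" % local_fqdn.lower()
    if expected not in keytab_principals(klist_output):
        problems.append("keytab lacks %s" % expected)
    return problems

# Constructed sample: an IPA-enrolled box whose keytab was issued for its new name.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/web1.ipa.zone.corp@IPA.ZONE.CORP
"""
```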
Re: [Freeipa-users] Choosing the right way to create trust
What about adding alias DNS record of hostname.ipa.zone.corp to all linux machines, so they will keep the old FQDN.

On Feb 12, 2014 10:49 AM, "Martin Kosek" wrote:
> The key here is that for IPA and AD to be able to work together in a trust,
> they need to be in separate domains with realms matching these domains. In
> your case, it seems to me that the following scenario would work the best:
>
> * AD with domain zone.corp and realm ZONE.CORP
> * IPA with domain ipa.zone.corp and realm IPA.ZONE.CORP
>
> Ideally, IPA should have DNS installed and have the ipa.zone.corp delegated
> from the AD DNS (or other DNS you use).
>
> More info here:
> http://www.freeipa.org/page/Trusts
>
> Martin
Re: [Freeipa-users] Choosing the right way to create trust
On 02/11/2014 07:29 PM, Genadi Postrilko wrote:
> I work in environment where the AD is the DC of the windows machines,
> while the linux machines (RHEL 5\6) are not centrally managed.
> I would like to create an IPA server to manage the linux machines while
> creating a trust with AD.
> The current situation is all windows and linux machines are under
> .zone.corp domain.
> From what I've read at
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
> I can create trust when IPA is a subdomain of AD domain or when the
> domains are separate. I'm not sure what is the method I should approach.
> Can IPA be a DC inside the AD domain? Or should I create a subdomain for
> linux and then move all the linux machines to the new domain (I hope not).
>
> Any advice?

The key here is that for IPA and AD to be able to work together in a trust, they need to be in separate domains with realms matching these domains. In your case, it seems to me that the following scenario would work the best:

* AD with domain zone.corp and realm ZONE.CORP
* IPA with domain ipa.zone.corp and realm IPA.ZONE.CORP

Ideally, IPA should have DNS installed and have the ipa.zone.corp delegated from the AD DNS (or other DNS you use).

More info here:
http://www.freeipa.org/page/Trusts

Martin
Re: [Freeipa-users] Choosing the right way to create trust
On Tue, Feb 11, 2014 at 08:29:43PM +0200, Genadi Postrilko wrote:
> I work in environment where the AD is the DC of the windows machines,
> while the linux machines (RHEL 5\6) are not centrally managed.
> I would like to create an IPA server to manage the linux machines while
> creating a trust with AD.
> The current situation is all windows and linux machines are under
> .zone.corp domain.
> From what I've read at
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide.html,
> I can create trust when IPA is a subdomain of AD domain or when the
> domains are separate. I'm not sure what is the method I should approach.
> Can IPA be a DC inside the AD domain? Or should I create a subdomain for
> linux and then move all the linux machines to the new domain (I hope not).

I'm afraid you have to move the linux machines to a separate domain when you want to use trust. The reason is that Kerberos heavily depends on DNS and e.g. uses the fully qualified host names and DNS SRV records to determine memberships to realm and KDCs in a realm.

HTH

bye,
Sumit

>
> Any advice?