Re: [Freeipa-users] mixed DNS subnets for FreeIPA and M$ AD
On Wed, 09 Dec 2015, Harald Dunkel wrote:
> On 12/08/2015 03:08 PM, Petr Spacek wrote:
>> Does
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs
>> and
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
>> answer your questions?
>
> Not really. All these documents bring up strings like "ipa.example.com".
> Sometimes that's a DNS domain, sometimes it's a Kerberos realm (even though
> it's in lower case letters). The assumption that DNS and realm name match
> is based upon a recommendation, i.e. you cannot rely upon that. (Not to
> mention that "example.com" and "ad.example.com" *are* unique.)

In Active Directory, the Kerberos realm is always a capitalized version of
the primary DNS domain occupied by this Active Directory domain.

> My point is: Currently I have a hierarchy between the DNS top level domain
> "example.com" and the Windows DNS domain "ws.example.com". I do not have a
> hierarchy between the IM solutions for Unix and Windows (currently NIS and
> AD). Moving from NIS/bind to FreeIPA I would prefer to keep this setup. If
> this is not possible, then I can live with moving the IPA servers to
> "ipa.example.com" (DNS), but I cannot change the other DNS subnets.
> Changing existing host and domain names is *highly* expensive.

You can keep your own arrangement if it doesn't conflict with your Active
Directory deployment's ownership of DNS zones. You are saying ws.example.com
is your AD DNS domain. Do you have machines from example.com enrolled into AD?

If there are machines from DNS zone example.com in AD, you cannot have IPA
deployed in DNS zone example.com because AD will not allow trust between
something that claims to own a DNS zone AD owns already. It is as simple as
that. When you create an AD deployment, it establishes ownership over the DNS
domain which is used to create the deployment. Later, each enrolled
computer's DNS domain is added to the list of owned DNS domains. They all
would belong to Active Directory, and to have some other Active Directory
claim ownership over it would be seen as a conflict.

-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
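The ownership rule in the reply above (AD owns the DNS domain it was created in plus the DNS domain of every computer enrolled into it, and IPA cannot claim a zone on that list), as an added example that is not part of the thread. The AD domain, the enrolled host names and the `check_ipa_domain` helper are constructed for illustration; the `relation_to_ad_domain` field only reports where the candidate sits in the DNS tree relative to the AD zone and is not part of the conflict test.

```python
# Added example (not from the thread): a check of the DNS-zone ownership rule
# described above. Domain and host names below are constructed samples.

def _labels(name: str) -> list:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def dns_domain(fqdn: str) -> str:
    """DNS domain of a host name: everything after the host label."""
    return ".".join(_labels(fqdn)[1:])

def ad_owned_domains(ad_domain: str, enrolled_computers) -> set:
    """Zones AD claims: the domain it was created in, plus the DNS domain
    of every computer enrolled into it (the rule quoted above)."""
    owned = {".".join(_labels(ad_domain))}
    owned.update(dns_domain(fqdn) for fqdn in enrolled_computers)
    return owned

def relation(candidate: str, other: str) -> str:
    """Where candidate sits relative to other in the DNS tree."""
    c, o = _labels(candidate), _labels(other)
    if c == o:
        return "same"
    if len(c) < len(o) and o[-len(c):] == c:
        return "parent"      # other lies below candidate
    if len(o) < len(c) and c[-len(o):] == o:
        return "child"       # candidate lies below other
    return "unrelated"       # e.g. sibling zones ipa.example.com / ws.example.com

def check_ipa_domain(candidate: str, ad_domain: str, enrolled_computers) -> dict:
    """Report whether AD already owns the zone IPA wants to occupy (an exact
    match on the owned list), plus the tree relation to the AD domain itself."""
    owned = ad_owned_domains(ad_domain, enrolled_computers)
    cand = ".".join(_labels(candidate))
    return {
        "candidate": cand,
        "ad_owned": sorted(owned),
        "conflict": cand in owned,
        "relation_to_ad_domain": relation(cand, ad_domain),
    }

# Constructed sample: the AD domain from the thread, two workstations inside it,
# and one member server whose host name lives in the parent zone example.com.
AD_DOMAIN = "ws.example.com"
ENROLLED = ["pc1.ws.example.com", "pc2.ws.example.com", "fileserver.example.com"]

if __name__ == "__main__":
    for cand in ("example.com", "ipa.example.com"):
        print(check_ipa_domain(cand, AD_DOMAIN, ENROLLED))
```

With the sample list, example.com is reported as a conflict only because fileserver.example.com is enrolled; drop that host and the same candidate passes while still being the parent zone of ws.example.com.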
Re: [Freeipa-users] mixed DNS subnets for FreeIPA and M$ AD
On 12/08/2015 03:08 PM, Petr Spacek wrote:
>
> Does
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs
> and
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
> answer your questions?
>

Not really. All these documents bring up strings like "ipa.example.com".
Sometimes that's a DNS domain, sometimes it's a Kerberos realm (even though
it's in lower case letters). The assumption that DNS and realm name match is
based upon a recommendation, i.e. you cannot rely upon that. (Not to mention
that "example.com" and "ad.example.com" *are* unique.)

My point is: Currently I have a hierarchy between the DNS top level domain
"example.com" and the Windows DNS domain "ws.example.com". I do not have a
hierarchy between the IM solutions for Unix and Windows (currently NIS and
AD). Moving from NIS/bind to FreeIPA I would prefer to keep this setup. If
this is not possible, then I can live with moving the IPA servers to
"ipa.example.com" (DNS), but I cannot change the other DNS subnets. Changing
existing host and domain names is *highly* expensive.

I don't care very much about the realm name in Kerberos. IMU that's just a
string. IPA.EXAMPLE.COM would be fine, if EXAMPLE.COM is not possible.

What would be your suggestion?

Harri
Re: [Freeipa-users] mixed DNS subnets for FreeIPA and M$ AD
On 8.12.2015 13:17, Harald Dunkel wrote:
> Hi folks,
>
> currently I have a DNS domain "example.com" with several
> subdomains "s1.example.com", "s2.example.com", etc. (using
> NIS for IM). DNS server is bind9. There is a special stub zone
> "ws.example.com" provided by AD (including the correct
> TXT DNS records).
>
> Now I would like to move the Unix part to FreeIPA 4.2
> (using integrated DNS) and to build a trust relationship
> to AD. I just wonder if this is possible without losing
> the top level "example.com" for both DNS and Kerberos
> realm?
>
> Looking at http://www.freeipa.org/page/Deployment_Recommendations
> I got confused by expressions like "directly overlap" and
> "same DNS zone level". Obviously "ws.example.com" is on
> a different level than "example.com", but do they overlap
> "directly"?

Does
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs
and
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
answer your questions?

There are some examples in the second document.

Petr^2 Spacek

> I had the impression that your recommendation is to move
> FreeIPA to "ipa.example.com", but will it still be
> possible to manage the old "s1.example.com", "s2.example.com",
> etc. subdomains in FreeIPA? Will I lose the bind integration?
>
>
> Every helpful comment is highly appreciated.