OK, I know this is an old thread, but I just got a new idea.
What if I create an NT4 style domain on our SAMBA servers, so I have a Samba NT4 style PDC. Then I create an NT4 style trust with the AD domain. This way, I don't use Kerberos nor DNS SRV records, both of which are needed if I would go the AD route. But now, users from the AD domain can access Samba shares. Correct?

Fred

On Wed, Jul 3, 2013 at 4:19 PM, Alexander Bokovoy <[email protected]> wrote:

> On Wed, 03 Jul 2013, Fred van Zwieten wrote:
> >1. Do you have the same realms for both IPA and AD?
> >Yes.
> >
> >2. Do you have exactly same DNS domains for both IPA and AD?
> >Also yes. Because of this we must, for now, maintain 2 separate DNS
> >implementations: one for AD and one for IPA, because otherwise the service
> >records would name-clash.
> >
> >If I get correctly from the above description, your new RHEL 6.4 server
> >is enrolled into IPA domain, i.e. its host keytab contains keys to
> >the host service coming from IPA KDC. It probably also uses SSSD in both
> >nsswitch and PAM configurations?
> >Correct!
> >
> >Are you planning to use pam_winbind/nss_winbind for the Samba/AD
> >interoperability?
> >I don't know yet. It depends on what works best with this setup. I am not
> >(yet) a Samba wunderguy, so these discussions help me (thanks for that).
> I'm not sure that this configuration will work flawlessly.
>
> If the host is not enrolled to IPA realm, you can easily make it
> working against AD domain. If you enrolled the host to IPA realm which
> is exactly same as AD domain, both DNS and krb5.conf collisions will be
> creating quite serious issues. Basically, it is 'either - either' case.
>
> --
> / Alexander Bokovoy
>
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
