On Wed, 2016-08-03 at 13:24 -0500, Alston, David wrote:
> Greetings!
>
> Everyone seems to say that you can't have a domain trust across two
> Kerberos realms (FreeIPA and Active Directory) if the hosts share the same
> DNS domain.
>
> Hadoop seems to do this just fine, though. I'm in the process of
> helping someone set up a trust between the Kerberos realms HADOOP.COMPANY.COM
> and COMPANY.COM, and all of the servers use the company.com DNS domain. (see
> http://www.cloudera.com/documentation/archive/cdh/4-x/4-5-0/CDH4-Security-Guide/cdh4sg_topic_15.html)
>
> This seems to be standard practice for setting up Hadoop clusters. Why
> wouldn't setting up a one-way trust so that FREEIPA.COMPANY.COM trusts
> COMPANY.COM (with all involved servers having the "company.com" DNS domain) work?
> As I understand it, the Kerberos realm FreeIPA uses can be specified during
> the initial setup and it doesn't have to match the domain.
>
> --David Alston
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
You can have a Realm named COMPANY.COM (AD) and a Realm named
FREEIPA.COMPANY.COM (IPA), as long as the AD Servers never had computer
objects or subdomains in the DNS domain freeipa.company.com in it.

If that's the case you can create a 1 way or 2 way trust between the 2
forests without issues.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
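As an added illustration of the host-to-realm mapping the thread turns on (not from the original messages or from the FreeIPA project): a client-side krb5.conf where every host lives in the company.com DNS domain, but exact-host entries in [domain_realm] pin the IPA-enrolled machines to FREEIPA.COMPANY.COM while the domain-suffix rule sends everything else to COMPANY.COM. Host names ipa1, app1 and dc1 are assumed for the example; MIT krb5 checks the exact host name before falling back to the leading-dot suffix entries.

```ini
[libdefaults]
    default_realm = FREEIPA.COMPANY.COM
    ; Do not let the client guess a realm from the DNS domain via TXT
    ; records; with two realms behind one DNS domain that guess is
    ; exactly what breaks, so the mapping below must be explicit.
    dns_lookup_realm = false
    ; Do not rewrite host names via reverse DNS before the realm lookup
    rdns = false

[realms]
    FREEIPA.COMPANY.COM = {
        kdc = ipa1.company.com
        admin_server = ipa1.company.com
    }
    COMPANY.COM = {
        ; AD domain controller acting as KDC for the trusted realm
        kdc = dc1.company.com
    }

[domain_realm]
    ; Exact host names win over suffix rules: IPA-enrolled hosts in the
    ; shared DNS domain are mapped to the IPA realm one by one.
    ipa1.company.com = FREEIPA.COMPANY.COM
    app1.company.com = FREEIPA.COMPANY.COM
    ; Everything else under company.com belongs to the AD realm.
    .company.com = COMPANY.COM
    company.com = COMPANY.COM
```

With a direct trust between the two realms no [capaths] section is required, since FREEIPA.COMPANY.COM to COMPANY.COM is already the default hierarchical path.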
