Greetings!
>> 2. Active Directory must never know anything about a DNS domain
>> freeipa.company.com (I'm not sure why)
> Correct because if that happened then AD considers the whole subdomain as
> part of its realm and trust routing will not work.
Doesn't that mean that we have to have the FreeIPA servers on their own DNS
domain again? So we can't have linux-server.company.com and
windows-server.company.com (managed by FreeIPA and AD respectively) because
there has to be a SOA for .company.com somewhere and that is already managed by
AD (in our environment).
Also, thanks for your other answers. They were very helpful :^)
--David Alston
-----Original Message-----
From: Simo Sorce [mailto:[email protected]]
Sent: Wednesday, August 03, 2016 2:13 PM
To: Alston, David
Cc: [email protected]
Subject: Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain
On Wed, 2016-08-03 at 13:52 -0500, Alston, David wrote:
> Greetings!
>
> That sounds like great news! Just to make sure I understand correctly..
>
> 1. Any server managed by FreeIPA must NEVER have had a computer object
> associated with them in AD? (even if it has now been deleted)
No, what a random server does or has done is irrelevant in this sense, but see
later, for caveats.
> 2. Active Directory must never know anything about a DNS domain
> freeipa.company.com (I'm not sure why)
Correct because if that happened then AD considers the whole subdomain as part
of its realm and trust routing will not work.
> 3. My linux servers being managed by FreeIPA can still have the DNS
> domain company.com (instead of servername.freeipa.company.com)
Although the strict answer is yes, if you put a linux server joined to freeIPA
in the AD DNS Domain then Single Sign On from Windows users will not work, as
AD will consider all request for tickets to those servers as requests for
itself and will never return referrals to the freeIPA KDCs for those TGS
requests, so clients will not be able to get tickets for those servers.
> 4. Single Signon to the Linux servers using AD credentials will still
> work
No, see above.
> 5. (BONUS) I could even let AD trust user accounts created in FreeIPA?
Not clear what you mean here. If you mean that IPA user accounts can operate in
the Windows domain, the answer is technicaly yes, although because we do not
expose (yet) a Global Catalog to the Windows AD servers, it will be hard to set
ACLs on the Windows side to actually authorize freeIPA users to login to AD
managed computers (it can probably be done via CLI, but not through AD
administrative UIs).
We plan to fix this in the near future by providing a GC service.
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
