Bug 1241714
| Summary: | Document how to connect Linux clients to IdM with AD trust without requiring DNS zone change for the client | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Dmitri Pal <dpal> |
| Component: | doc-Windows_Integration_Guide | Assignee: | Marc Muehlfeld <mmuehlfe> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | abokovoy, apetrova, dsirrine, jpazdziora, kbanerje, mmuehlfe, sgoveas, sumenon, tscherf |
| Target Milestone: | rc | Keywords: | Documentation |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 08:45:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1320838 | | |
| Bug Blocks: | | | |
I have added a new section, "IdM clients in an Active Directory DNS Domain", to the Windows Integration Guide. The update is now available on the Customer Portal.
I have a customer who is faced with the following dilemma: He would like to take advantage of the users and groups in AD and leverage them with IPA/IdM. The problem is that both the AD and the targeted Linux boxes are in the same domain. He is not able to change the hostname of the targeted machines due to applications (namely, Oracle) that rely on the hostname being static, already running on the systems. This email is in regard to any workarounds for the customer to gain this functionality.

[+] Here is his latest proposal/query:

...if I have client1.ad.com and I create linux.ad.com in IDM and create the trust between ad.com and linux.ad.com, is it possible to leave client1's hostname as "client1.ad.com" and still have it participate with IDM as "client1.linux.ad.com"?

[+] Also here is another suggestion for a potential workaround:

... temporarily change the hostname, enroll the machine, change SSSD configuration manually to have a proper hostname and then rename the system back.

I am looking for any kind of workaround with those particular set of givens... At this time we are exploring winsync as a solution.

=========================================================

Thanks to Jan, we looked into details of this setup and it looks like it can be made to work -- not for IPA Web UI but for other applications running on IPA clients. There is a catch, of course.

So there is a way:

1. Configure IPA to use ipa.example.com DNS zone
2. Use example.com DNS zone for Active Directory
3. Add CNAMEs in AD DNS zone to point to the actual IPA machine in ipa.example.com

As long as you don't do absolute redirects on the IPA client side for web requests, web clients will properly identify that they need to obtain a Kerberos ticket for HTTP/webserver.ipa.example.com.COM and will use cross-forest trust to do so via AD DCs, so single sign-on will work.

Obviously, your web application on the IPA machine must be able to respond on the webserver.example.com name and must have certificates issued for this name.

Make sure you *DO NOT* add webserver.example.com to IPA DNS via 'ipa dnsrecord-add' commands or the .example.com DNS zone will be marked as belonging to the IPA realm and will conflict with the Active Directory deployment in .example.com.

=====================================

Can we turn this into a documented howto? A lot of people are asking whether they have to change names for the IPA clients or not. This will have a significant impact on the adoption as DNS changes are a huge show stopper for some deployments. Should I open a doc bug?

======================================

Please do. Someone needs to build a lab to verify it, though. We just ran small experiments, not a full supported test story.
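The CNAME arrangement described in the thread above, as an added example that is not part of the bug report or of IdM itself: a small Python simulation of what a Kerberos client in the AD domain does when it opens https://webserver.example.com/, plus the two checks the thread warns about (the certificate must cover the alias name, and the alias must never be added to IPA DNS). The zone contents, the realm names EXAMPLE.COM and IPA.EXAMPLE.COM, and the [domain_realm] mapping are constructed for illustration; the thread only names the DNS zones, not the realms.

```python
# Added example, not from the bug report or the IdM project: simulate the
# client-side name handling behind the CNAME workaround in the thread.
# All zone data, realm names and mappings below are constructed.

# Constructed zone data. AD owns example.com and carries only a CNAME for
# the web server; IPA owns ipa.example.com with the real A record.
AD_ZONE = {
    "webserver.example.com.": ("CNAME", "webserver.ipa.example.com."),
    "client1.example.com.": ("A", "192.0.2.10"),
}
IPA_ZONE = {
    "webserver.ipa.example.com.": ("A", "192.0.2.20"),
}
ZONES = [AD_ZONE, IPA_ZONE]

# Which product serves which zone (constructed; ipa.example.com is a
# delegated child of example.com).
ZONE_OWNER = {"example.com": "AD", "ipa.example.com": "IPA"}

# [domain_realm]-style mapping on the client (constructed realm names).
DOMAIN_REALM = {
    ".ipa.example.com": "IPA.EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
}


def canonicalize(name, zones=ZONES, max_depth=8):
    """Follow CNAMEs until an A record is reached and return the canonical
    host name, as a Kerberos client with dns_canonicalize_hostname = true
    does before it builds the service principal."""
    fqdn = name if name.endswith(".") else name + "."
    for _ in range(max_depth):
        rec = next((z[fqdn] for z in zones if fqdn in z), None)
        if rec is None:
            raise LookupError(f"no record for {fqdn}")
        rtype, rdata = rec
        if rtype != "CNAME":
            return fqdn.rstrip(".")
        fqdn = rdata
    raise LookupError("CNAME chain too long")


def realm_for_host(host, domain_realm=DOMAIN_REALM):
    """Map a host to a realm the way krb5 walks [domain_realm]: an exact
    host entry first, then successively shorter '.suffix' entries."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    raise LookupError(f"no realm mapping for {host}")


def service_principal(alias, service="HTTP"):
    """Principal and realm the client requests a ticket for when it opens
    https://<alias>/. With the CNAME in place the request lands in the IPA
    realm, which the AD client reaches through the cross-forest trust."""
    canon = canonicalize(alias)
    return f"{service}/{canon}", realm_for_host(canon)


def owning_zone(name, zones=ZONE_OWNER):
    """Longest zone suffix that contains name, or None."""
    name = name.lower().rstrip(".")
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def safe_to_add_to_ipa_dns(name):
    """False when the record would land in an AD-owned zone: adding it with
    'ipa dnsrecord-add' would create that zone in IPA and clash with AD."""
    zone = owning_zone(name)
    return zone is not None and ZONE_OWNER[zone] == "IPA"


def tls_name_covers(san_names, alias):
    """The web server certificate must list the alias the AD clients use,
    not only the canonical IPA host name. Exact and '*.zone' SANs only."""
    alias = alias.lower().rstrip(".")
    for san in (s.lower() for s in san_names):
        if san == alias:
            return True
        if san.startswith("*.") and "." in alias and alias.split(".", 1)[1] == san[2:]:
            return True
    return False


if __name__ == "__main__":
    print(service_principal("webserver.example.com"))
    print("safe in IPA DNS:", safe_to_add_to_ipa_dns("webserver.example.com"))
    print("cert ok:", tls_name_covers(["webserver.ipa.example.com"], "webserver.example.com"))
```

The interesting path is `service_principal`: the alias lives in the AD zone, but after CNAME canonicalization the principal is HTTP/webserver.ipa.example.com and the realm is the IPA one, which is why SSO can work without renaming the client. The two helper checks fail on exactly the mistakes the thread calls out: a certificate issued only for the canonical name, and a record for the alias created in IPA DNS.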