1241714 – Document how to connect Linux clients to IdM with AD trust without requiring DNS zone change for the client

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1241714 - Document how to connect Linux clients to IdM with AD trust without requiring DNS zone change for the client

Summary: Document how to connect Linux clients to IdM with AD trust without requiring ...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	doc-Windows_Integration_Guide
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Marc Muehlfeld
QA Contact:	Kaleem
Docs Contact:
URL:
Whiteboard:
Depends On:	1320838
Blocks:
TreeView+	depends on / blocked

Reported:	2015-07-09 22:29 UTC by Dmitri Pal
Modified:	2019-03-06 00:58 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-04 08:45:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Dmitri Pal 2015-07-09 22:29:11 UTC

I have a customer who is faced with the following dilemma: 

He would like to take advantage of the users and groups in AD and leverage them with IPA/IdM. The problem is that both the AD and the targeted linux boxes are in the same domain. He is not able to change the hostname of the targeted machines due to applications (namely, Oracle) that rely on the hostname, being static, already running on the systems. This is email is in regard to any workarounds for the customer to gain this functionality. 

[+] Here is his latest proposal/query:

...if I have client1.ad.com and I create linux.ad.com in IDM and create the trust between ad.com and linux.ad.com, is it possible to leave client1's hostname as "client1.ad.com" and still have it participate with IDM as client1.linux.ad.com"? 

[+] Also here is another suggestion for a potential workaround:

... temporarily change the hostname, enroll the machine, change SSSD configuration manually to have a proper hostname and then rename the system back.

I am looking for any kind of workaround with those particular set of givens... At this time we are exploring winsync as a solution.

=========================================================

Thanks to Jan, we looked into details of this setup and it looks like it
can be made working -- not for IPA Web UI but for other applications
running on IPA clients. There is a catch, of course.

So there is a way:
  1. Configure IPA to use ipa.example.com DNS zone
  2. Use example.com DNS zone for Active Directory
  3. add CNAMEs in AD DNS zone to point to the actual IPA machine in
     ipa.example.com

As long as you don't do absolute redirects on the IPA client side for
web requests, web clients will properly identify that they need to
obtain a Kerberos ticket for HTTP/webserver.ipa.example.com.COM
and will use cross-forest trust to do so via AD DCs, so single sign-on
will work.

Obviously, your web application on IPA machine must be able to respond
on webserver.example.com name and must have certificates issued for this
name.

Make sure you *DO NOT* add webserver.example.com to IPA DNS via 'ipa
dnsrecord-add' commands or .example.com DNS zone will be marked as
belonging to IPA realm and will conflict with Active Directory
deployment in .example.com.

=====================================

Can we turn this into a documented howto?
A lot of people are asking whether they have to change names for the IPA clients or not.
This will have a significant impact on the adoption as DNS changes are a huge show stopper for some deployments.
Should I open a doc bug?

======================================

Please do. Someone needs to build a lab to verify it, though. We just
ran small experiments, not a full supported test story.

Comment 1 Marc Muehlfeld 2016-05-13 10:45:21 UTC

Design page:
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain

Comment 3 Marc Muehlfeld 2016-06-06 12:43:00 UTC

I have added a new section
   IdM clients in an Active Directory DNS Domain
to the Windows Integration Guide.

Comment 10 Aneta Šteflová Petrová 2016-11-04 08:45:25 UTC

The update is now available on the Customer Portal.

Note You need to log in before you can comment on or make changes to this bug.