On Mon, 2017-05-22 at 10:17 +0000, doug.ke...@wipro.com wrote:
> Hi,
>
> I'm wondering if anyone else has done something similar to us, and if so am
> wondering how you went about it or if it is indeed at all possible.
>
> Our situation is:
>
> * We have a few VMs which are domain joined to "internal.local", which is
>   an Active Directory domain that we have no control over or administrative
>   access to
> * We would like to install IPA on these VMs (replicated, with named for
>   DNS) with a separate domain called "dev.zone"
> * Authentication to the VM itself via SSH should be carried out against
>   "internal.local" still – we will point our own services that we are going
>   to install, like GitLab, directly at the IPA server
> * "dev.zone" will be set up as a conditional forwarder on the Active
>   Directory domain pointing at the IPA-installed named-pkcs11 service to do
>   resolution for this domain
>
> My initial findings are that IPA installs fine but it changes some things in
> /etc/krb5.conf like:
>
> * Adding in the "dev.zone" realm
> * Modifying the "default_realm" to be "dev.zone"
> * Leaving the "[realm]" definition for "internal.local" but emptying it of
>   the "kdc" and "admin_server" definitions
> * Removing the Kerberos tickets for "internal.local" that were in "net ads
>   keytab list"
>
> This ultimately results in IPA working fine but authentication to the server
> via SSH no longer works as it's looking to "dev.zone" now.
>
> Is it possible to achieve what we're wanting to do? Can these two things
> co-exist peacefully?
Doug,
it may be possible with custom scripts, but it will probably not be a very
stable solution as upgrades may change things in unexpected ways.

Simo.

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
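The krb5.conf changes Doug lists (default_realm switched to the IPA realm, the AD realm left in [realms] but stripped of its kdc and admin_server lines) are easy to miss until SSH logins start failing, and since Simo points out that upgrades can redo them, a check that runs after every install or upgrade is worth having. The following is an added example, not code from this thread, from FreeIPA or from Red Hat: a small krb5.conf parser plus a check that flags exactly those two regressions, run here against two constructed config snippets. The hostnames dc1.internal.local and ipa1.dev.zone, and the upper-cased realm names, are placeholders.

```python
"""Flag krb5.conf regressions after an IPA install or upgrade.

Added example for the FreeIPA-users thread above; not code from the list,
FreeIPA or Red Hat. It parses krb5.conf (including the brace-delimited
realm blocks that configparser cannot read) and reports when default_realm
no longer points at the AD realm or when that realm has lost its
kdc/admin_server entries. Hostnames and realm names below are constructed.
"""
import re
import sys

# Constructed sample: krb5.conf as it looked while only AD-joined.
BEFORE = """\
[libdefaults]
  default_realm = INTERNAL.LOCAL
  dns_lookup_kdc = true

[realms]
  INTERNAL.LOCAL = {
    kdc = dc1.internal.local
    admin_server = dc1.internal.local
  }

[domain_realm]
  .internal.local = INTERNAL.LOCAL
"""

# Constructed sample: the shape Doug describes after ipa-server-install.
AFTER = """\
[libdefaults]
  default_realm = DEV.ZONE
  dns_lookup_kdc = true

[realms]
  INTERNAL.LOCAL = {
  }
  DEV.ZONE = {
    kdc = ipa1.dev.zone:88
    admin_server = ipa1.dev.zone:749
  }

[domain_realm]
  .internal.local = INTERNAL.LOCAL
  .dev.zone = DEV.ZONE
"""

# Realm -> keys that must stay populated (a list keeps findings ordered).
EXPECTED_REALMS = {"INTERNAL.LOCAL": ["kdc", "admin_server"]}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | {subkey: value}}}.

    Supports one level of '{ ... }' subsections, which is what [realms]
    and [capaths] use; '#' starts a comment.
    """
    conf = {}
    section = None
    stack = []  # currently open brace subsections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            stack = []
            continue
        if section is None:
            continue  # key outside any section: ignore
        if line == "}":
            if stack:
                stack.pop()
            continue
        target = stack[-1] if stack else section
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(target.setdefault(key, {}))
        else:
            target[key] = value
    return conf


def check_realms(conf, expected_default, expected_realms):
    """Return a list of human-readable findings; empty means all is well."""
    findings = []
    default = conf.get("libdefaults", {}).get("default_realm")
    if default != expected_default:
        findings.append(
            f"default_realm is {default!r}, expected {expected_default!r}")
    realms = conf.get("realms", {})
    for realm, keys in expected_realms.items():
        entry = realms.get(realm)
        if not isinstance(entry, dict):
            findings.append(f"realm {realm} missing from [realms]")
            continue
        for key in keys:
            if not entry.get(key):
                findings.append(f"realm {realm} lost its {key} setting")
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. /etc/krb5.conf) to check a real file; with no
    # argument the constructed AFTER sample is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            conf = parse_krb5_conf(fh.read())
    else:
        conf = parse_krb5_conf(AFTER)
    found = check_realms(conf, "INTERNAL.LOCAL", EXPECTED_REALMS)
    for line in found or ["krb5.conf matches expectations"]:
        print(line)
    sys.exit(1 if found else 0)
```

Run against the AFTER sample it reports the changed default_realm and the two emptied keys and exits non-zero, so it drops straight into a post-upgrade hook; it does not cover the keytab entries Doug saw removed from "net ads keytab list", which need a separate check.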