Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-14 Thread Sigbjorn Lie
On 03/08/2012 01:40 PM, Sylvain Angers wrote: Does anyone was successful to hook their HP ilo, RHEV manager to IPA? I've connected IPA to the RHEV manager, yes. It works fine. However it seems to require looking up DNS SRV records to find the IPA servers, so I don't think it works unless you

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-13 Thread Rob Crittenden
Sylvain Angers wrote: 2012/3/8 Brian Cook <bc...@redhat.com> Also, I would not use 'delegation record' from AD, use conditional forwarding for *.unix.abcd.ca. Your AD admins should know how to do it. --- Brian Cook Solutions Architect, Red

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-13 Thread Dmitri Pal
On 03/13/2012 02:59 PM, Sylvain Angers wrote: > > > 2012/3/8 Brian Cook <bc...@redhat.com> > > Also, I would not use 'delegation record' from AD, use conditional > forwarding for *.unix.abcd.ca. Your AD > admins should know how to do it. > > --- > B

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-13 Thread Sylvain Angers
2012/3/8 Brian Cook > Also, I would not use 'delegation record' from AD, use conditional > forwarding for *.unix.abcd.ca. Your AD admins should know how to do it. > > --- > Brian Cook > Solutions Architect, Red Hat, Inc. > 407-212-7079 > > > > > On Mar 8, 2012, at 9:04 AM, Simo Sorce wrote: > >

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Brian Cook
Also, I would not use 'delegation record' from AD, use conditional forwarding for *.unix.abcd.ca. Your AD admins should know how to do it. --- Brian Cook Solutions Architect, Red Hat, Inc. 407-212-7079 On Mar 8, 2012, at 9:04 AM, Simo Sorce wrote: > On Thu, 2012-03-08 at 11:54 -0500, Sylvai

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Brian Cook
If your AD realm is ABCD.CA and you want your unix realm to be UNIX.ABCD.CA then your FQDN should be ipaserver.unix.abcd.ca When you delegate the zone from AD, you should have at least two IPA servers running bind listed. ipaserver1.unix.abcd.ad ipaserver2.unix.abcd.ad That way if one is dow

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Simo Sorce
On Thu, 2012-03-08 at 11:54 -0500, Sylvain Angers wrote: > Alright! > > I am now requesting to our DNS team > > please delegate dns zone "unix.abcd.ca" to ??? the ip address of your ipa server, they will know what questions to ask :) > Question: is the ipa server fqdn, be ipaserver.unix.abcd.ca

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Sylvain Angers
Alright! I am now requesting to our DNS team please delegate dns zone "unix.abcd.ca" to ??? Question: is the ipa server fqdn, be ipaserver.unix.abcd.ca or ipaserver.abcd.ca? does it matter? thanks 2012/3/8 Simo Sorce > On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote: > > Hi Again > >

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Simo Sorce
On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote: > Hi Again > Our current Linux/AIX servers fqdn should remain on abcd.ca domain > > I need advice: Should the ipa server fqdn be ipa.abcd.ca or > ipa.unix.abcd.ca? You can have machines on a different DNS domain with FreeIPA. So you ca

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Sylvain Angers
Hi Again Our current Linux/AIX servers fqdn should remain on abcd.ca domain I need advice: Should the ipa server fqdn be ipa.abcd.ca or ipa.unix.abcd.ca? and on the Linux/AIX server, should we add entry of both dns (ipa and Microsoft AD) in resolv.conf? domain unix.abcd.ca search unix.abcd.ca

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-08 Thread Sylvain Angers
>is abcd.ca your windows domain ? yes in this example ipa-server-install -a xx \ --hostname=ipa1.unix.abcd.ca \ -n unix.abcd.ca \ -p xxx \ -r UNIX.ABCD.CA \ --subject=subject_DN \ #Sets the base element for the subject DN of the issued certif

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-07 Thread Ondrej Valousek
Side note: You can manage AD integrated DNS from unix host easily with just 'nsupdate -g' - so theoretically (ok I understand you have to have a proper Kerberos TGT...) IPA client could be able to autoconfigure (create all the necessary SRV records) AD DNS, too. Not sure if we even wanted that. b

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-07 Thread Simo Sorce
On Wed, 2012-03-07 at 13:38 -0500, Sylvain Angers wrote: > > Hello All, > We are facing the same difficulties here with coexistence with > Microsoft AD > on the same network > > Whenever I run ipa-client-install > > # ipa-client-install --server=server.abcd.ca --domain=abcd.ca > --realm=UNIX > D

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-03-07 Thread Sylvain Angers
2012/2/23 Simo Sorce > On Thu, 2012-02-23 at 21:12 -0500, Brian Cook wrote: > > I would not expect that there would be any problem with AD and IPA > > coexisting when the realm names are different, but I have heard > > reports that there are problems, especially when Linux clients are > > configu

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Simo Sorce
On Thu, 2012-02-23 at 21:12 -0500, Brian Cook wrote: > I would not expect that there would be any problem with AD and IPA > coexisting when the realm names are different, but I have heard > reports that there are problems, especially when Linux clients are > configured to use AD for DNS. Trying to

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Craig T
pecialist - Linux RHCE > > Victoria University, Wellington, NZ > > 0064 4 463 6272 > > > From: Craig T [free...@noboost.org] > Sent: Friday, 24 February 2012 3:27 p.m. > To: Brian Cook > Cc: Steven Jones; freeipa-users@redhat.c

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Steven Jones
Victoria University, Wellington, NZ 0064 4 463 6272 From: Craig T [free...@noboost.org] Sent: Friday, 24 February 2012 3:27 p.m. To: Brian Cook Cc: Steven Jones; freeipa-users@redhat.com Subject: Re: [Freeipa-users] need info on AD / IPA coexistence Hi Brian, I

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Steven Jones
oria University, Wellington, NZ 0064 4 463 6272 From: Brian Cook [bc...@redhat.com] Sent: Friday, 24 February 2012 3:12 p.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] need info on AD / IPA coexistence I would not expect that the

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Craig T
Hi Brian, I spent a lot of time on this topic. In the end we decided to do the following; Microsoft domain: melb.example.com Linux Domain: group.example.com The linux DNS server is a slave to the Windows AD DNS servers & a master DNS for "group.example.com". All PCs point to our Linux DNS serve

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Brian Cook
I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS. Trying to figure out what the problem is. I understand your delega

Re: [Freeipa-users] need info on AD / IPA coexistence

2012-02-23 Thread Steven Jones
Hi, Subnet? IP addressing will not matter, it's DNS as the main issue, for me anyway. I can't see IP / subnets matter? So, yes if you have AD as the same realm as IPA then only one will work well from what I can read, IPA has to have its neat auto-discovery/balancing features turned off, or at