Hello all,
I am confused by some of the conflicting documentation about whether this is possible or
not. Almost all of the documentation/working examples seem to use an actual Windows
Domain Controller. Specifically the part on DNS, as the Samba4 internal DNS server has
several known limitations.
https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End#Limitations
The internal DNS does not support:
zone transfers
https://wiki.samba.org/index.php/DNS_Administration#Administering_DNS_on_...
Conditional forwarders are not implemented yet
I THINK I got DNS actually working, but had to use a solution like here
https://www.redhat.com/archives/freeipa-users/2012-October/msg00194.html
Although Petr says to stay away from forwarders in IPA
Is it better to attempt AD as a subdomain of IPA (which I'm currently doing), or IPA
as a subdomain of AD?
On both the samba4 and freeipa machines I can currently dig SRV records for both domains, but
when I attempt ipa add-trust, I see in httpd error logs
[Fri Aug 10 11:58:43.122526 2018] [:error] [pid 6169] ipa: ERROR:
Attempt to solve forest trust topology conflicts
[Fri Aug 10 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public:
NTSTATUSError: (-1073741601, 'The specified domain did not exist.')
Which leads me to believe that no, DNS is not working correctly (I have all
firewall/iptables off and selinux off).
I can give more concrete examples, but before I get lost in the weeds I wanted to know the
broad consensus: is it even possible, or are there known bad issues with Samba AD?
Like here
https://www.freeipa.org/page/IPAv3_AD_trust#Samba , it says
In order to get properly working MIT krb5-based Samba4 build one have
to use --without-ad-dc --with-system-mitkrb5 options when configuring WAF top level build.
Which I'm confused by ... how do I get AD trust, if I'm setting up samba without
AD abilities??
Yet here
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
It recommends
a. If you have an AD ( Microsoft ) , use it
b. If you don't have a Microsoft AD , setup Samba4
but it can be configured to trust FreeIPA
Does anyone know of a complete A..Z example of how to do that? (what options were used to
configure Samba and FreeIPA, etc.)
Thanks