#3923 ipa trust-add should not create a trust if IPA realm and domain name differ
Closed: Fixed None Opened 10 years ago by sbose.

AD implicitly assumes that the DNS domain name and the realm of a trusted domain are the same. This means that a trust will never work if IPA is configured with different realm and domain name.

Currently ipa trust-add will just run successfully and create all needed objects on the IPA and AD side. ipa trust-add should check the IPA configuration at first and stop if domain name and realm do not match (case may differ of course).
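A pre-flight version of the check described above, written as an added example rather than FreeIPA's own code: it reads the `realm` and `domain` keys from the `[global]` section of a configuration file in the `/etc/ipa/default.conf` layout and compares them case-insensitively (the sample configurations are constructed):

```python
"""Pre-flight check for the condition this ticket asks ipa trust-add to enforce.

Added example, not FreeIPA's own code. It parses the [global] section of an
IPA configuration (the layout of /etc/ipa/default.conf) and reports whether the
Kerberos realm matches the DNS domain, ignoring case as the ticket requires.
"""
import configparser

# Constructed samples in the layout of /etc/ipa/default.conf (not a real deployment).
SAMPLE_MISMATCH = """\
[global]
basedn = dc=example,dc=test
realm = CORP.EXAMPLE.TEST
domain = example.test
server = ipa.example.test
"""

SAMPLE_MATCH = """\
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = Example.Test.
server = ipa.example.test
"""


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot; realms are
    # conventionally upper-case. Compare both in one canonical form.
    return name.strip().rstrip(".").lower()


def realm_matches_domain(config_text: str) -> tuple[bool, str]:
    """Return (ok, message); ok is False whenever a trust could not work."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    try:
        realm = parser.get("global", "realm")
        domain = parser.get("global", "domain")
    except (configparser.NoSectionError, configparser.NoOptionError) as err:
        return False, f"cannot determine realm/domain from configuration: {err}"
    if _normalize(realm) != _normalize(domain):
        return False, (f"realm {realm!r} does not match domain {domain!r}; "
                       "AD requires them to be equal, refusing to create a trust")
    return True, f"realm {realm!r} matches domain {domain!r}"


if __name__ == "__main__":
    for text in (SAMPLE_MISMATCH, SAMPLE_MATCH):
        ok, msg = realm_matches_domain(text)
        print("OK  " if ok else "FAIL", msg)
```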


Is there any workaround? Or some manual procedure how to configure AD to support this case?

If not, I think we should also give a big fat warning in ipa-server-install, warning users that an AD trust will not be possible if the domain and realm are different.

I'm not aware of a workaround. For AD the domain name and the realm are basically the same.

Using a replica with a different domain as Dmitri suggested might work but would need careful testing and would add a new dimension to the regression testing for every new release. I think we should not support this configuration because it is rare and in general (not only in the IPA case) it is always recommended to choose the realm as the upper-cased DNS domain name.

Metadata Update from @sbose:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.3.x - 2013/09 (bug fixing)

7 years ago