Re: [Freeipa-devel] Changing non-admin passwords

Simo Sorce ssorce at redhat.com
Wed Jul 9 17:09:19 UTC 2008


On Wed, 2008-07-09 at 16:17 +0000, tflipa at radiantpoint.com wrote:
> Our corp. network is running Active Directory, however it is doing so
> at a different realm (XXX.REALM.COM) whereas I have made my realm
> simply (REALM.COM).  
> 
> I am able to login successfully with my admin account (and its
> appropriate password) and kerberos knows when I have entered the wrong
> password for proguser which tells me the requests are at least going
> to the ipaserver.  
> 
> Any ideas?

The realm in this case does not matter, DNS does: if the DNS domain is the
same then you are going to be redirected to the Windows kpasswd server
if you have DNS lookups enabled.

If that's the case you have 2 ways:

a) statically configure your clients to not do DNS resolution and fix
the IPA server in the ldap and krb configurations
b) use a different DNS domain for IPA related clients/servers (like
getting a delegated DNS domain zone where you set SRV records to refer
to IPA and not AD).

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
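
A check for option (a) above, added here as an example that is not part of the original message: it reads a krb5.conf and reports, per realm, whether the password-change server is pinned or left to DNS SRV discovery. It assumes an MIT krb5 client, where a realm with no kpasswd_server entry is looked up in DNS unless dns_lookup_kdc forbids it; the sample files and the host name ipaserver.example.test are constructed.

```python
import re

# Constructed krb5.conf samples; the host name is a placeholder.
DNS_DISCOVERY = """
[libdefaults]
 dns_lookup_kdc = true
[realms]
 REALM.COM = {
 }
"""
PINNED = """
[libdefaults]
 dns_lookup_kdc = false
[realms]
 REALM.COM = {
  kdc = ipaserver.example.test:88
  kpasswd_server = ipaserver.example.test:464
 }
"""

def kpasswd_source(text):
    """Per realm, report where a client would look for the kpasswd server."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms[realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            target = libdefaults if section == "libdefaults" else realms.get(realm)
            if target is not None:
                target[key] = value
    # Assumption: an unset dns_lookup_kdc is treated as enabled.
    dns = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "on", "1")
    report = {}
    for name, keys in realms.items():
        if "kpasswd_server" in keys:
            report[name] = "static: " + keys["kpasswd_server"]
        elif dns:
            report[name] = "dns: _kpasswd._udp." + name.lower()
        else:
            report[name] = "none configured"
    return report
```

A "dns:" result names the SRV record whose answer decides which server receives the password change, which is the record to check when the DNS domain is shared with AD.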