<div dir="ltr"><div>the client picks Realm based on the domain name of the host. you can control the behavior on the client via the KRB5.conf but the assumption is you have 1 realm per domain or host. From man krb5.conf " DOMAIN_REALM SECTION The [domain_realm] section provides a translation from a hostname to the Kerberos realm name for the services provided by that host. The tag name can be a hostname, or a domain name, where domain names are indicated by a prefix of a period (â.â) character. The value of the relation is the Kerberos realm name for that particular host or domain. Host names and domain names should be in lower case. If no translation entry applies, the hostâs realm is considered to be the hostnameâs domain portion converted to upper case. For example, the following [domain_realm] section: [domain_realm] .<a href="http://mit.edu">mit.edu</a> = <a href="http://ATHENA.MIT.EDU">ATHENA.MIT.EDU</a> <a href="http://mit.edu">mit.edu</a> = <a href="http://ATHENA.MIT.EDU">ATHENA.MIT.EDU</a> <a href="http://dodo.mit.edu">dodo.mit.edu</a> = <a href="http://SMS_TEST.MIT.EDU">SMS_TEST.MIT.EDU</a> .<a href="http://ucsc.edu">ucsc.edu</a> = <a href="http://CATS.UCSC.EDU">CATS.UCSC.EDU</a> maps <a href="http://dodo.mit.edu">dodo.mit.edu</a> into the <a href="http://SMS_TEST.MIT.EDU">SMS_TEST.MIT.EDU</a> realm, all other hosts in the <a href="http://MIT.EDU">MIT.EDU</a> domain to the <a href="http://ATHENA.MIT.EDU">ATHENA.MIT.EDU</a> realm, and all hosts in the <a href="http://UCSC.EDU">UCSC.EDU</a> domain into the <a href="http://CATS.UCSC.EDU">CATS.UCSC.EDU</a> realm. <a href="http://ucbvax.berkeley.edu">ucbvax.berkeley.edu</a> would be mapped by the default rules to the <a href="http://BERKELEY.EDU">BERKELEY.EDU</a> realm, while <a href="http://sage.lcs.mit.edu">sage.lcs.mit.edu</a> would be mapped to the <a href="http://LCS.MIT.EDU">LCS.MIT.EDU</a> realm. " </div>Also the question of trusts is really an issue with cpaths but there is also a compatibility issue betwean the AD Kerberos server and MIT's. its doable with Heimdal kerberos Servers but FreeIPA is not compatible with Heimdal </div><div class="gmail_extra"> <div class="gmail_quote">On Wed, May 8, 2013 at 3:38 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div class="im">On 05/08/2013 03:21 PM, Johnny Westerlund wrote: > I was guessing as much, > I'ts just that all the existing servers are allready in an existing domain. > And changing hostnames / fqdn's for all those hosts would hurt. > > > The DNS "discover" process of the REALM is that based on the fqdn of the principal or is it based on the kerberos realm name? > > example principal: host/<a href="mailto:host1.foo.bar@EXAMPLE.COM">host1.foo.bar@EXAMPLE.COM</a> > > When trying to discover a KDC by DNS, does it look for the various SRV/TXT like _kerberos._tcp in the foo.bar domain or in the <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a> domain? </div>It is based on the DNS name. It does to the DNS server and asks for SRV records that provide a particular type of service (LDAP, Kerberos ,etc.) It has nothing to do with the Kerberos realm and principal. <div class="HOEnZb"><div class="h5"> > > > ________________________________________ > From: Simo Sorce [<a href="mailto:simo@redhat.com">simo@redhat.com</a>] > Sent: Wednesday, May 08, 2013 9:06 PM > To: Johnny Westerlund > Cc: <a href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> > Subject: Re: [Freeipa-users] Two kerberos realms for same domainname? > > On Wed, 2013-05-08 at 16:41 +0000, Johnny Westerlund wrote: >> Hi all >> >> I'm planning implementing a IPA server at a site where there is >> allready a working Active directory domain. >> I would still like the machines from AD and IPA live in the same DNS >> domain. >> >> >> Example. >> AD Domainname = foo.bar >> AD KERBEROS realm = FOO.BAR >> a Host principal would look like: host/host1.foo.bar@FOO.BAR >> >> >> Now i would like to introduce the IPA server under a different realm >> name but for the same DNS name. >> >> >> IPA domainname = foo.bar >> IPA KERBEROS realm = LINUX.FOO.BAR (or what ever) >> a Host principal would look like: host/host2.foo.bar@LINUX.FOO.BAR >> >> >> So basicly i would register the hostnames / PTR records in the >> microsoft DNS and use the IPA kerberos REALM for authentication. >> >> >> Am i making any sense? is this asking for a world of hurt? > It is possible, and it will hurt. > > You will not be able to use trusts between AD and IPA. > You will not be able to use Kerberos between Windows client and Linux > Servers and vice-versa. > > I personally discourage people from doing this if they can and instead > delegate (or just forward on both sides) a subdomain (like ipa.foo.bar) > to ipa for all the ipa hosts (server.ipa.foo.bar, > clientX.ipa.foo.bar ...) > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > > _______________________________________________ > Freeipa-users mailing list > <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </div></div><div class="im HOEnZb">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> </div><div class="HOEnZb"><div class="h5">_______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </div></div></blockquote></div> </div>