<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/12/2016 08:50, Pieter Nagel
wrote:<br>
</div>
<blockquote
cite="mid:%3CCACXVHuZX-A4_Fm9zGjX2cxB6u=ZhVNPKvcNnKV0GpRSPu1i3Ww@mail.gmail.com%3E"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><br>
</div>
</div>
<div class="gmail_extra">Concrete scenario, I wonder if this
will work:</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">A greenfields deployment, no other
kerberos, no Active Directory. Internal DNS to be <a
moz-do-not-send="true" href="http://int.lautus.net"
target="_blank">int.lautus.net</a> and FreeIPA manages that
DNS domain and adds internal hosts to it as they enroll.
Public-facing servers are manually registered in <a
moz-do-not-send="true" href="http://lautus.net"
target="_blank">lautus.net</a> DNS which is hosted
elsewhere. But FreeIPA is installed with realm <a
moz-do-not-send="true" href="http://LAUTUS.NET"
target="_blank">LAUTUS.NET</a> so it adds _kerberos entries
for realm <a moz-do-not-send="true" href="http://LAUTUS.NET"
target="_blank">LAUTUS.NET</a> to <a moz-do-not-send="true"
href="http://int.lautus.net" target="_blank">int.lautus.net</a>,
and I manually copy those entries to <a
moz-do-not-send="true" href="http://lautus.net"
target="_blank">lautus.net</a>, so everone agrees that they
belong to the same realm.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">The reason I want the realm to be <a
moz-do-not-send="true" href="http://LAUTUS.NET"
target="_blank">LAUTUS.NET</a> is because it makes more
sense to me that the internal desktops in the subdomain <a
moz-do-not-send="true" href="http://int.lautus.net"
target="_blank">int.lautus.net</a> to enroll into a realm
related to the parent DNS domain</div>
</div>
</blockquote>
I see a red flag with "desktops". Do you mean Windows desktops? Then
you are talking Active Directory (or the Samba implementation of AD)
and there are very specific rules for how the hostnames and the
realms interact.<br>
<br>
If you are talking Linux/BSD desktops, then it doesn't matter.
Personally I would do it the other way round than you propose: let
machines foo.lautus.net and bar.int.lautus.net use IPA.LAUTUS.NET as
their kerberos realm, because this gives you the *option* of adding
a distinct kerberos realm like AD.LAUTUS.NET later.<br>
<br>
If you ever introduce Active Directory into your network then you
don't want it to be either a subdomain or a parent domain of your
IPA domain, unless you enjoy pain.<br>
<br>
Changing your IPA realm later is also extremely painful.<br>
<br>
<blockquote
cite="mid:%3CCACXVHuZX-A4_Fm9zGjX2cxB6u=ZhVNPKvcNnKV0GpRSPu1i3Ww@mail.gmail.com%3E"
type="cite">
<div dir="ltr">
<div class="gmail_extra">, than it makes sense for the
public-facing servers in the parent <a moz-do-not-send="true"
href="http://lautus.net" target="_blank">lautus.net</a>
domain enroll into a realm related to an internal DNS
subdomain.</div>
</div>
</blockquote>
It's not really a problem. In the DNS you create TXT records:<br>
<br>
_kerberos.lautus.net. TXT "IPA.LAUTUS.NET"<br>
_kerberos.int.lautus.net TXT "IPA.LAUTUS.NET"<br>
<br>
and the auto-mapping of hosts to realms just works (in the *nix
world anyway)<br>
<br>
Personally I would have no problem publishing<br>
_kerberos.lautus.net. TXT "IPA.LAUTUS.NET"<br>
in the public DNS. It's up to you whether you put *.ipa.lautus.net
and *.int.lautus.net in the public DNS.<br>
<br>
<blockquote
cite="mid:%3CCACXVHuZX-A4_Fm9zGjX2cxB6u=ZhVNPKvcNnKV0GpRSPu1i3Ww@mail.gmail.com%3E"
type="cite">
<div dir="ltr">
<div class="gmail_extra">Or am I making an issue of a cosmetic
triviality, and it is not all all strange in the kerberos
realm to enroll a server into a realm related to a DNS
subdomain it is not part of?</div>
<div class="gmail_extra"><br>
</div>
</div>
</blockquote>
In my opinion, not at all strange. You have three things:<br>
<br>
1. The DNS domain of the host<br>
2. The Kerberos realm that the host is in<br>
3. The DNS domain of the Kerberos realm<br>
<br>
2+3 are bound together, but 1 does not need to relate to 2+3 (unless
you are Microsoft)<br>
<br>
Regards,<br>
<br>
Brian.<br>
</body>
</html>