[Freeipa-users] Questions from Steven Jones

Steven Jones Steven.Jones at vuw.ac.nz
Tue May 3 20:26:27 UTC 2011


Hi,

Yes, I kind of figured the Kerberos interaction might be an issue... reading it suggests it's clearly better for the IPA master to do the DNS? So it seems logical that it's a separate stub zone?

I have the rare opportunity to design from scratch... as the Linux/Unix component of our site has no central system at all, but it has to interact with AD and Windows heavily. It's about a 30%/70% split, over 500 servers.

What I don't want to have to do is reconfigure it all later; that would be a nightmare, I think... 200 servers to change... icky.

So we have multiple AD zones/domains:

example.ac.nz  is the root AD
staff.
student.

For windows AD.

Both sub-domains have passwords I need to get synced off.

So I only want one Linux/Unix domain... I don't want to split into staff. and student., as that is being removed from our MS AD anyway...

So I want to make it as logical and easy as possible to administer and maintain for our one Linux admin.

Eventually we will just have example.ac.nz for AD, but that's years away... in which case eventually I would have example.ac.nz as AD syncing to unix.example.ac.nz? As the best solution?

Is this better than running IPA under the main example.ac.nz, which is controlled by AD...?

However, I suspect that my management won't be happy if they see we have another sub-domain... it's a marketing/image thing, it's not, uh, "professional"... so I have to have good/clear reasons.

regards




________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Simo Sorce [simo at redhat.com]
Sent: Wednesday, 4 May 2011 1:18 a.m.
To: dpal at redhat.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Questions from Steven Jones

On Tue, 2011-05-03 at 08:46 -0400, Dmitri Pal wrote:
> I am posting Steven's questions as they have been sent to the wrong list
> and were on hold.
>
> ------------------------------------------------
>
> Hi
>
> Seem to be having issues posting....anyway....
>
> I notice that FreeIPA really wants to work best as its own DNS
> etc.... problem is, with AD running integrated DNS there is a clash... So
> I'm wondering, with say a domain of ipa.ac.nz, whether it would be a good
> idea, or sensible and worthwhile, to run IPA as a DNS stub, say unix.ipa.ac.nz?
>
> Would this cause any issues with anything? Say passwd syncing with AD
> under ipa.ac.nz (or actually it's staff.ipa.ac.nz)?
>
> From reading the docs this looks like it might be a good idea, not sure...
>
> Are there any good high-level design and architecture docs I should read to
> answer such questions?

Having your own subdomain (or multiple subdomains) for IPA is certainly
a good idea. This is not so much due to our DNS integration (you can
definitely handle DNS on your own) but has more to do with Kerberos
libraries and the way realm -> domain mapping is done in some cases.

So if you organize your naming architecture to have IPA.EXAMPLE.COM ->
ipa.example.com then you get the best interoperability matrix between
all components.

That doesn't mean other combinations won't work, but you will have to
understand the details of how Kerberos and DNS interrelate and how to
change client configuration if you choose different strategies.

Password syncing will have no problems related to DNS names, except,
perhaps for the need to change your SSL certificate (as X509 certs for
SSL embed the hostname of the server).

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
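Editor's note: the following is an added worked example, not code from this thread or from the FreeIPA project, illustrating Simo's point about realm -> domain mapping. It models how a Kerberos client picks a realm for a hostname from the [domain_realm] section of krb5.conf (exact hostname first, then each parent domain with a leading dot, longest suffix first, which is the documented MIT Kerberos search order) and what happens when no entry matches. The krb5.conf fragment, the realm names IPA.EXAMPLE.COM / EXAMPLE.COM and the hostnames are all constructed for this example; the "uppercase the parent domain" fallback is an approximation of the unconfigured default when DNS-based realm discovery is off, and is labelled as such in the code.

```python
"""Realm lookup against a krb5.conf [domain_realm] section (added example).

Shows why naming the IPA DNS subdomain after the IPA realm
(ipa.example.com -> IPA.EXAMPLE.COM) needs no extra client mapping,
while a host placed under a differently named subdomain falls through
to the parent (AD) realm unless it gets its own entry.
"""
from typing import Dict, Iterable, Optional

# Constructed krb5.conf fragment: example data, not a real site's config.
# The IPA realm owns its own DNS subdomain; everything else under
# example.com belongs to the AD realm.
KRB5_CONF = """
[libdefaults]
  default_realm = IPA.EXAMPLE.COM
  dns_lookup_realm = false

[domain_realm]
  ipa.example.com = IPA.EXAMPLE.COM
  .ipa.example.com = IPA.EXAMPLE.COM
  example.com = EXAMPLE.COM
  .example.com = EXAMPLE.COM
"""


def parse_domain_realm(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [domain_realm] section.

    Keys are lowercased because DNS names are case-insensitive; realm
    names keep their case (Kerberos realms are case-sensitive).
    """
    mapping: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def lookup_realm(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Search [domain_realm] in the MIT krb5 order.

    Exact hostname first, then '.parent.domain' for every parent,
    longest suffix first.  Returns None when nothing matches.
    """
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def realm_for_host(host: str, mapping: Dict[str, str]) -> str:
    """Configured realm, or the default guess when nothing is configured."""
    realm = lookup_realm(host, mapping)
    if realm is not None:
        return realm
    # Assumption: with DNS realm lookup disabled and no matching entry,
    # model the client default as the uppercased parent domain.
    host = host.lower().rstrip(".")
    return host.split(".", 1)[1].upper() if "." in host else host.upper()


def realms_for_hosts(hosts: Iterable[str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Map each host to the realm a client with this config would pick."""
    return {h: realm_for_host(h, mapping) for h in hosts}


if __name__ == "__main__":
    m = parse_domain_realm(KRB5_CONF)
    sample = [
        "ipa1.ipa.example.com",    # under the IPA subdomain: IPA realm
        "dc1.staff.example.com",   # AD sub-domain: falls to .example.com
        "box.unix.example.com",    # no entry: silently lands in the AD realm
    ]
    for h, r in realms_for_hosts(sample, m).items():
        print(f"{h:28} -> {r}")
    # With no [domain_realm] at all, the naming convention alone still
    # yields the right realm for hosts under ipa.example.com.
    print("no config:", realm_for_host("ipa1.ipa.example.com", {}))
```

The last two cases are the practical point: `box.unix.example.com` has no entry of its own, so the `.example.com` rule sends it to the AD realm, and fixing that means touching every client's krb5.conf (or publishing `_kerberos` TXT records); whereas a host under `ipa.example.com` maps correctly even on a client with no `[domain_realm]` section, because the default of uppercasing the domain already yields `IPA.EXAMPLE.COM`.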