[Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

Petr Spacek pspacek at redhat.com
Wed Aug 8 17:59:28 UTC 2012


On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek <pspacek at redhat.com> wrote:
>> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
>> SRV records (or let IPA to manage it).
>
> Ugh, I hope this doesn't end up pushing us back to NIS.
>
> If I can get our infrastructure guys to buy off on making a
> unix.mycompany.com subdomain in DNS, would I need to move all the
> hosts to be under that subdomain in DNS?  I have some services

Definitely not. You can create a subdomain UNIX.MYCOMPANY.COM, fill it with SRV 
records and leave this subdomain without hosts (except maybe the IPA servers ...). 
It is not necessary to rename all hosts.

The problem is simple: Kerberos libraries have to know where the KDCs are located, 
and DNS is the standardized way to accomplish that.

Let me quote another reply from this thread:
On 08/08/2012 06:14 PM, KodaK wrote:
> You *could* use something like puppet to manage your krb5.conf files
> (I have to with our AIX machines.)
>
> Also, it's important to note that your REALM does NOT need to match
> your dns domain name
> It's a convenience, and it's very, very helpful to do so, but it is
> possible to have a REALM called
> "MIDDLEEARTH" if you wanted.  I'm not sure how IPA would deal with
> that, but I know you
> can do it in straight up Kerberos.


> configured that are difficult to rename the DNS domain of.  Could, for
> instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM
> realm, given a MYCOMPANY.COM realm also exists?

Yes, it could.

>
> I could then put some SRV records into the subdomain's zone to point
> the kerberos stuff to the IPA server, change the domain on the IPA
> server, change the realm on the IPA server, re-register clients, and
> everything would be happy?

I get lost in the renaming part. Can you describe your idea in more detail?

>
> Ugh... actually... now that I think about this, I don't think I want
> half my servers in a unix subdomain in DNS, which means DNS and realm
> wouldn't match...
>
> Thoughts?  Aside from rebuilding the infrastructure I've built already?  :-)

Leave all machines in MYCOMPANY.COM and use the IPA realm UNIX.MYCOMPANY.COM.
IMHO it is the simplest way.


This limitation comes from Kerberos: you are trying to use a *single domain 
name* for *two independent Kerberos realms*, which is not possible in principle.

Petr^2 Spacek
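An added check, not from this thread or from the FreeIPA project: a small Python script that parses a constructed zone fragment for the SRV-only subdomain and reports which of the records MIT krb5 and ipa-client-install look up for realm/KDC discovery are missing, name the wrong realm, or point at the wrong port. The zone contents and the KDC name ipa1.mycompany.com are assumptions.

```python
# Constructed zone data for the SRV-only subdomain (no hosts live here).
ZONE = """\
$ORIGIN unix.mycompany.com.
_kerberos              IN TXT "UNIX.MYCOMPANY.COM"
_kerberos._udp         IN SRV 0 100 88  ipa1.mycompany.com.
_kerberos._tcp         IN SRV 0 100 88  ipa1.mycompany.com.
_kerberos-master._udp  IN SRV 0 100 88  ipa1.mycompany.com.
_kpasswd._udp          IN SRV 0 100 464 ipa1.mycompany.com.
_ldap._tcp             IN SRV 0 100 389 ipa1.mycompany.com.
"""
# Names MIT krb5 / ipa-client-install query under the (lower-cased) realm name.
REQUIRED = [
    ("_kerberos", "TXT", None),            # realm name for this domain
    ("_kerberos._udp", "SRV", 88),         # KDCs
    ("_kerberos._tcp", "SRV", 88),
    ("_kerberos-master._udp", "SRV", 88),  # master KDC (password fallback)
    ("_kpasswd._udp", "SRV", 464),         # password change service
    ("_ldap._tcp", "SRV", 389),            # IPA server discovery
]

def parse_zone(text):
    """Return ($ORIGIN without trailing dot, {(owner, rtype): [rdata tokens]})."""
    origin, records = "", {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        owner, _class, rtype, *rdata = line.split()
        records.setdefault((owner, rtype), []).append(rdata)
    return origin, records

def discovery_problems(zone_text, realm):
    """List everything a client doing DNS realm/KDC discovery would trip over."""
    origin, records = parse_zone(zone_text)
    problems = []
    if origin.upper() != realm:     # SRV lookups are made under the realm name
        problems.append(f"$ORIGIN {origin} does not match realm {realm}")
    for owner, rtype, port in REQUIRED:
        rrs = records.get((owner, rtype), [])
        if not rrs:
            problems.append(f"missing {rtype} {owner}.{origin}")
        elif rtype == "TXT" and rrs[0][0].strip('"') != realm:
            problems.append(f"_kerberos TXT names realm {rrs[0][0]}, not {realm}")
        elif rtype == "SRV":        # SRV rdata: priority weight port target
            problems += [f"{owner} SRV uses port {r[2]}, expected {port}" for r in rrs if int(r[2]) != port]
    return problems
```

Hosts that stay in mycompany.com still need a domain-to-realm mapping (a `[domain_realm]` entry `.mycompany.com = UNIX.MYCOMPANY.COM` in krb5.conf, which ipa-client-install writes), otherwise a client guesses the realm from the host's DNS domain.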
