[Freeipa-users] Do I need/want multiple kerberos realms?

Dmitri Pal dpal at redhat.com
Wed Feb 20 02:17:41 UTC 2013


On 02/19/2013 02:13 PM, Guy Matz wrote:
> Hi!  FreeIPA newbie here, with experience in DNS & LDAP . . .
>
> I am inheriting a FreeIPA installation which needs to expand to
> multiple datacenters, and was hoping for a little advice.  The current
> freeipa setup uses a subdomain, ny.company.com - with a kerberos realm
> NY7.COMPANY.COM - and I'm wondering if I want to continue this by
> creating additional subdomains & realms for the other datacenters, or
> if I'm better off flattening the namespace to company.com for all
> datacenters.
>
> The reasons to use subdomains are generally:
> 1. to avoid naming collisions
> 2. to delegate administration to some other unit.
>
> Did I miss anything?  I don't plan on doing either of those, so I'm
> looking to flatten the namespace.  Anyone have any thoughts?
> Especially on the kerberos portion of this question?  Thanks a lot!!
>
> Guy



IPA does not support multiple kerberos realms yet.
In the IPA case the DNS domain might not match the kerberos domain, so AFAIU
(and please correct me if I am wrong) you can use one Kerberos realm with
multiple DNS subdomains for different offices. And with the latest
changes in IPA 3.0 you should be able to delegate administration of the
DNS zones to other admins.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
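
As an added illustration (not part of the original message and not FreeIPA's own generated configuration): a client krb5.conf sketch in which the single realm NY7.COMPANY.COM covers the existing ny.company.com subdomain and a second datacenter subdomain. The subdomain sf.company.com and the KDC host names are hypothetical.

```ini
# Client-side krb5.conf sketch: one Kerberos realm, several DNS subdomains.
# Realm name and ny.company.com come from the thread; everything marked
# "hypothetical" is an assumption made for this example.

[libdefaults]
    default_realm = NY7.COMPANY.COM
    # Do not guess the realm from DNS TXT records; rely on the explicit
    # [domain_realm] mappings below so a host cannot be steered to
    # another realm by a DNS answer.
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    NY7.COMPANY.COM = {
        # hypothetical KDC host names, one per datacenter
        kdc = ipa1.ny.company.com
        kdc = ipa1.sf.company.com
        admin_server = ipa1.ny.company.com
    }

[domain_realm]
    # A leading dot matches every host below the domain;
    # the entry without the dot matches a host with exactly that name.
    .ny.company.com = NY7.COMPANY.COM
    ny.company.com = NY7.COMPANY.COM
    # hypothetical second datacenter subdomain, same realm
    .sf.company.com = NY7.COMPANY.COM
    sf.company.com = NY7.COMPANY.COM
```

Hosts in either subdomain then request tickets from the same realm, so service principals such as host/name.sf.company.com@NY7.COMPANY.COM sit alongside the New York ones under one set of KDCs and one password policy.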

