[Freeipa-users] multiple domain, single realm

Stijn De Weirdt stijn.deweirdt at ugent.be
Tue Mar 26 13:47:33 UTC 2013


thanks for the info. i'll set up a test with current branch and see if 
that works for us.

stijn

On 03/26/2013 01:52 PM, Alexander Bokovoy wrote:
> On Tue, 26 Mar 2013, Stijn De Weirdt wrote:
>> hi all,
>>
>> how can one add more domains to the same (existing) realm with ipa? we
>> would like to bring multiple networks (some private, some public)
>> under a single realm. as far as i understand krb5.conf, it means
>> creating the following domain_realm section
>>
>> [domain_realm]
>> .domain1 = REALM
>> .domain2 = REALM
>>
>> reading the documentation, i didn't find any clues how to do this with
>> ipa. default ipa server creation seems to assume a one-to-one mapping
>> between domain and realm.
> It should be done mostly in the same way. As long as all clients and
> servers have these mappings configured, they should be able to work.
> Right now you have to maintain all these mappings manually, both at
> client and server sides.
>
> For the 3.2 release or shortly afterwards we are trying to make it more
> easily configurable. 3.1.3 will have the 'ipa realmdomains' command to manage
> associated domains' list -- i.e. which DNS domains are associated with
> our own realm. 3.2 will have this list exposed to trusted AD domains so
> that they can see our topology and know where to send TGT requests (our
> KDCs). In addition KDC driver will be able to use the same list to
> augment the mapping in KDC. SSSD is also going to fetch the list like it
> now fetches the list of trusted domains and configures them for clients.
>
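
Because the thread says the [domain_realm] mappings have to be maintained by hand on every client and server, a consistency check is useful. The following is an added example, not part of the original messages or of FreeIPA: it parses a krb5.conf and reports hosts that do not resolve to the expected realm. The domain, host and realm names are constructed placeholders, and the lookup is a simplified model (exact host entry first, then the nearest dotted parent-domain entry).

```python
import re

# Constructed sample config; all domain and realm names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.REALM

[domain_realm]
 .domain1.example = EXAMPLE.REALM
 domain1.example = EXAMPLE.REALM
 .domain2.example = EXAMPLE.REALM
 # stale per-host override left behind on this machine
 legacy.domain2.example = OTHER.REALM
"""

def parse_domain_realm(text):
    """Return the [domain_realm] section as {lowercased key: realm}."""
    mappings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mappings[key.lower()] = realm
    return mappings

def realm_for_host(host, mappings):
    """Simplified lookup (assumption): exact host, then nearest '.parent'."""
    host = host.lower().rstrip(".")
    if host in mappings:
        return mappings[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mappings:
            return mappings[suffix]
    return None  # no mapping: the host is not tied to any realm here

def audit(hosts, expected_realm, text):
    """Return {host: resolved realm} for hosts not mapped to expected_realm."""
    mappings = parse_domain_realm(text)
    resolved = {h: realm_for_host(h, mappings) for h in hosts}
    return {h: r for h, r in resolved.items() if r != expected_realm}
```

Running `audit()` against the krb5.conf of each client and server with the same host list shows where a mapping is missing or overridden before it surfaces as a failed ticket request.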



