[Freeipa-users] Two kerberos realms for same domainname?

Johnny Westerlund johnny.westerlund at atea.se
Wed May 8 19:21:44 UTC 2013


I was guessing as much.
It's just that all the existing servers are already in an existing domain,
and changing hostnames / FQDNs for all those hosts would hurt.


The DNS "discover" process of the REALM: is that based on the FQDN of the principal, or on the Kerberos realm name?

example principal: host/host1.foo.bar@EXAMPLE.COM

When trying to discover a KDC by DNS, does it look for the various SRV/TXT like _kerberos._tcp in the foo.bar domain or in the EXAMPLE.COM domain?


________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Wednesday, May 08, 2013 9:06 PM
To: Johnny Westerlund
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Two kerberos realms for same domainname?

On Wed, 2013-05-08 at 16:41 +0000, Johnny Westerlund wrote:
> Hi all
>
> I'm planning to implement an IPA server at a site where there is
> already a working Active Directory domain.
> I would still like the machines from AD and IPA live in the same DNS
> domain.
>
>
> Example.
> AD Domainname = foo.bar
> AD KERBEROS realm = FOO.BAR
> a Host principal would look like: host/host1.foo.bar@FOO.BAR
>
>
> Now I would like to introduce the IPA server under a different realm
> name but for the same DNS name.
>
>
> IPA domainname = foo.bar
> IPA KERBEROS realm = LINUX.FOO.BAR (or what ever)
> a Host principal would look like: host/host2.foo.bar@LINUX.FOO.BAR
>
>
> So basically I would register the hostnames / PTR records in the
> Microsoft DNS and use the IPA Kerberos REALM for authentication.
>
>
> Am I making any sense? Is this asking for a world of hurt?

It is possible, and it will hurt.

You will not be able to use trusts between AD and IPA.
You will not be able to use Kerberos between Windows client and Linux
Servers and vice-versa.

I personally discourage people from doing this if they can and instead
delegate (or just forward on both sides) a subdomain (like ipa.foo.bar)
to ipa for all the ipa hosts (server.ipa.foo.bar,
clientX.ipa.foo.bar ...)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
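The following is an added model, not code from the thread or from FreeIPA, that answers Johnny's discovery question and shows why Simo's delegated-subdomain layout avoids the pain. It follows MIT Kerberos client behaviour as I know it: KDC discovery queries SRV records hung off the realm name lowercased (`_kerberos._tcp.<realm>`), whereas host-to-realm mapping walks the host's own name through `[domain_realm]` (most specific suffix wins), then optional `_kerberos.<host>` TXT records, then falls back to the upper-cased parent domain. The DNS records, the KDC host names (`dc1.foo.bar`, `ipa1.foo.bar`) and the `ipa.foo.bar` delegation are constructed assumptions.

```python
from typing import Dict, List

# Constructed DNS data (assumed, not from the thread). SRV records hang off
# the realm name; realm-hint TXT records hang off the host name.
DNS_SRV: Dict[str, List[str]] = {
    "_kerberos._tcp.foo.bar": ["dc1.foo.bar:88"],         # AD realm FOO.BAR
    "_kerberos._tcp.linux.foo.bar": ["ipa1.foo.bar:88"],  # IPA realm LINUX.FOO.BAR
}
DNS_TXT: Dict[str, str] = {
    "_kerberos.host2.foo.bar": "LINUX.FOO.BAR",  # per-host realm hint
}


def kdc_srv_name(realm: str) -> str:
    """SRV owner name a client queries to find KDCs for a realm.

    The lookup is keyed on the REALM, not on the host's DNS domain, which is
    why two realms can coexist in one DNS domain at the KDC-discovery level.
    """
    return "_kerberos._tcp." + realm.lower()


def find_kdcs(realm: str) -> List[str]:
    """Return the KDC endpoints advertised for a realm (empty if none)."""
    return DNS_SRV.get(kdc_srv_name(realm), [])


def realm_for_host(hostname: str, domain_realm: Dict[str, str],
                   dns_lookup_realm: bool = False) -> str:
    """Map a host name to a realm the way an MIT client does.

    Order: [domain_realm] exact host, then each parent domain written as
    ".parent" (longest suffix first); then, if enabled, _kerberos.<name>
    TXT records walking up the name; finally the upper-cased parent domain.
    """
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    if dns_lookup_realm:
        for i in range(len(labels)):
            txt = DNS_TXT.get("_kerberos." + ".".join(labels[i:]))
            if txt:
                return txt
    return ".".join(labels[1:]).upper()


# Flat layout from the thread: AD and IPA hosts share foo.bar.
FLAT_MAPPING = {".foo.bar": "FOO.BAR"}

# Simo's suggestion: delegate ipa.foo.bar to IPA and map it separately.
DELEGATED_MAPPING = {".foo.bar": "FOO.BAR", ".ipa.foo.bar": "LINUX.FOO.BAR"}


def classify(hostnames: List[str], domain_realm: Dict[str, str]) -> Dict[str, str]:
    """Realm each host resolves to under a given [domain_realm] mapping."""
    return {h: realm_for_host(h, domain_realm) for h in hostnames}


if __name__ == "__main__":
    print("KDCs for LINUX.FOO.BAR:", find_kdcs("LINUX.FOO.BAR"))
    print("flat:", classify(["host1.foo.bar", "host2.foo.bar"], FLAT_MAPPING))
    print("delegated:", classify(["host1.foo.bar", "host2.ipa.foo.bar"],
                                 DELEGATED_MAPPING))
```

Running it shows the asymmetry: finding the KDCs for LINUX.FOO.BAR works fine because that lookup is keyed on the realm, but with the flat layout a client maps `host2.foo.bar` to FOO.BAR by suffix, so tickets for IPA hosts are requested from the wrong realm unless every such host gets its own `[domain_realm]` entry or TXT record. With the delegated subdomain the longest-suffix rule sorts the hosts into the right realm on its own.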
