[Freeipa-users] Two kerberos realms for same domainname?

Dmitri Pal dpal at redhat.com
Wed May 8 19:38:40 UTC 2013


On 05/08/2013 03:21 PM, Johnny Westerlund wrote:
> I was guessing as much,
> It's just that all the existing servers are already in an existing domain.
> And changing hostnames / fqdn's for all those hosts would hurt.
>
>
> The DNS "discover" process of the REALM is that based on the fqdn of the principal or is it based on the kerberos realm name?
>
> example principal: host/host1.foo.bar at EXAMPLE.COM
>
> When trying to discover a KDC by DNS, does it look for the various SRV/TXT like _kerberos._tcp in the foo.bar domain or in the EXAMPLE.COM domain?


It is based on the DNS name. It goes to the DNS server and asks for SRV
records that provide a particular type of service (LDAP, Kerberos, etc.).
It has nothing to do with the Kerberos realm and principal.

>
>
> ________________________________________
> From: Simo Sorce [simo at redhat.com]
> Sent: Wednesday, May 08, 2013 9:06 PM
> To: Johnny Westerlund
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Two kerberos realms for same domainname?
>
> On Wed, 2013-05-08 at 16:41 +0000, Johnny Westerlund wrote:
>> Hi all
>>
>> I'm planning to implement an IPA server at a site where there is
>> already a working Active Directory domain.
>> I would still like the machines from AD and IPA live in the same DNS
>> domain.
>>
>>
>> Example.
>> AD Domainname = foo.bar
>> AD KERBEROS realm = FOO.BAR
>> a Host principal would look like: host/host1.foo.bar at FOO.BAR
>>
>>
>> Now I would like to introduce the IPA server under a different realm
>> name but for the same DNS name.
>>
>>
>> IPA domainname = foo.bar
>> IPA KERBEROS realm = LINUX.FOO.BAR (or what ever)
>> a Host principal would look like: host/host2.foo.bar at LINUX.FOO.BAR
>>
>>
>> So basically I would register the hostnames / PTR records in the
>> microsoft DNS and use the IPA kerberos REALM for authentication.
>>
>>
>> Am I making any sense? Is this asking for a world of hurt?
> It is possible, and it will hurt.
>
> You will not be able to use trusts between AD and IPA.
> You will not be able to use Kerberos between Windows client and Linux
> Servers and vice-versa.
>
> I personally discourage people from doing this if they can and instead
> delegate (or just forward on both sides) a subdomain (like ipa.foo.bar)
> to ipa for all the ipa hosts (server.ipa.foo.bar,
> clientX.ipa.foo.bar ...)
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
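The thread turns on what a Kerberos client actually asks DNS for. The following is an added example, not code from the thread or from FreeIPA: a small offline model, patterned on the MIT Kerberos `dns_lookup_realm` / `dns_lookup_kdc` behaviour, of the two separate lookups a client performs. Host-to-realm mapping walks `_kerberos.<host DNS domain>` TXT records upward from the host's own name; realm-to-KDC mapping queries `_kerberos._udp.<realm>` / `_kerberos._tcp.<realm>` SRV records with the realm name lowercased as a DNS domain. The `ZONE` contents, the hostnames `host2.foo.bar`, `dc1.foo.bar`, `ipa1.foo.bar` and the realms are constructed sample data chosen to mirror the scenario in the thread (AD realm FOO.BAR and IPA realm LINUX.FOO.BAR sharing the foo.bar DNS domain). It shows why two realms in one DNS domain hurt: the single `_kerberos.foo.bar` TXT record can name only one realm, so hosts of the other realm must be mapped explicitly in the client's `[domain_realm]` section, which the model consults before DNS, as MIT krb5 does.

```python
# Added example (not from the thread or FreeIPA): an offline model of
# Kerberos DNS discovery. ZONE and all names below are constructed data.

ZONE = {
    # host -> realm: one TXT record per DNS domain, so only one realm fits
    ("_kerberos.foo.bar", "TXT"): ["FOO.BAR"],
    # realm -> KDC: SRV records under the lowercased realm name
    ("_kerberos._tcp.foo.bar", "SRV"): ["dc1.foo.bar:88"],
    ("_kerberos._tcp.linux.foo.bar", "SRV"): ["ipa1.foo.bar:88"],
}


def realm_lookup_names(fqdn):
    """TXT names a client walks, most specific first, to find a host's realm."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def kdc_lookup_names(realm):
    """SRV names a client queries for a realm's KDCs (realm used as DNS domain)."""
    return ["_kerberos._udp." + realm.lower(), "_kerberos._tcp." + realm.lower()]


def discover_realm(fqdn, zone):
    """DNS-only host->realm discovery: first TXT hit while walking up the domain."""
    for name in realm_lookup_names(fqdn):
        txt = zone.get((name, "TXT"))
        if txt:
            return txt[0]
    return None


def discover_kdcs(realm, zone):
    """DNS-only realm->KDC discovery: every SRV target found for the realm."""
    kdcs = []
    for name in kdc_lookup_names(realm):
        kdcs.extend(zone.get((name, "SRV"), []))
    return kdcs


def effective_realm(fqdn, zone, domain_realm=None):
    """Realm the client ends up using.

    An explicit [domain_realm] mapping (exact host, then '.suffix' entries,
    most specific first) takes precedence over DNS discovery."""
    domain_realm = domain_realm or {}
    host = fqdn.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return discover_realm(host, zone)


def main():
    # host2 is meant to belong to LINUX.FOO.BAR but lives in the foo.bar domain,
    # so DNS alone hands it to the AD realm.
    print("DNS alone maps host2.foo.bar to", discover_realm("host2.foo.bar", ZONE))
    # The explicit per-host mapping is what the IPA side would have to carry.
    mapping = {".foo.bar": "FOO.BAR", "host2.foo.bar": "LINUX.FOO.BAR"}
    print("with [domain_realm] mapping:", effective_realm("host2.foo.bar", ZONE, mapping))
    print("KDCs for LINUX.FOO.BAR:", discover_kdcs("LINUX.FOO.BAR", ZONE))


if __name__ == "__main__":
    main()
```

Running it prints FOO.BAR for the DNS-only lookup and LINUX.FOO.BAR once the explicit mapping is in place, and shows that KDC discovery for LINUX.FOO.BAR succeeds on its own because it is keyed by the realm name rather than the host's domain; delegating a subdomain such as ipa.foo.bar, as Simo suggests, makes the per-host mapping unnecessary because the TXT walk then finds a distinct record for the IPA hosts.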

