[Freeipa-users] Two kerberos realms for same domainname?

Paul Robert Marino prmarino1 at gmail.com
Wed May 8 19:58:14 UTC 2013


The client picks the realm based on the domain name of the host.
You can control the behavior on the client via krb5.conf, but the
assumption is you have 1 realm per domain or host.

From man krb5.conf


"
DOMAIN_REALM SECTION
       The [domain_realm] section provides a translation from a hostname to
       the Kerberos realm name for the services provided by that host.

       The tag name can be a hostname, or a domain name, where domain names
       are indicated by a prefix of a period ('.') character.  The value
       of the relation is the Kerberos realm name for that particular host
       or domain.  Host names and domain names should be in lower case.

       If no translation entry applies, the host's realm is considered to
       be the hostname's domain portion converted to upper case.  For
       example, the following [domain_realm] section:

                 [domain_realm]
                      .mit.edu = ATHENA.MIT.EDU
                      mit.edu = ATHENA.MIT.EDU
                      dodo.mit.edu = SMS_TEST.MIT.EDU
                      .ucsc.edu = CATS.UCSC.EDU

       maps dodo.mit.edu into the SMS_TEST.MIT.EDU realm, all other hosts
       in the MIT.EDU domain to the ATHENA.MIT.EDU realm, and all hosts in
       the UCSC.EDU domain into the CATS.UCSC.EDU realm.
       ucbvax.berkeley.edu would be mapped by the default rules to the
       BERKELEY.EDU realm, while sage.lcs.mit.edu would be mapped to the
       LCS.MIT.EDU realm.
"


Also, the question of trusts is really an issue with capaths, but there is
also a compatibility issue between the AD Kerberos server and MIT's. It's
doable with Heimdal Kerberos servers, but FreeIPA is not compatible with
Heimdal.


On Wed, May 8, 2013 at 3:38 PM, Dmitri Pal <dpal at redhat.com> wrote:

> On 05/08/2013 03:21 PM, Johnny Westerlund wrote:
> > I was guessing as much,
> > It's just that all the existing servers are already in an existing
> domain.
> > And changing hostnames / fqdn's for all those hosts would hurt.
> >
> >
> > The DNS "discover" process of the REALM is that based on the fqdn of the
> principal or is it based on the kerberos realm name?
> >
> > example principal: host/host1.foo.bar at EXAMPLE.COM
> >
> > When trying to discover a KDC by DNS, does it look for the various
> SRV/TXT like _kerberos._tcp in the foo.bar domain or in the EXAMPLE.COM domain?
>
>
> It is based on the DNS name. It goes to the DNS server and asks for SRV
> records that provide a particular type of service (LDAP, Kerberos, etc.).
> It has nothing to do with the Kerberos realm and principal.
>
> >
> >
> > ________________________________________
> > From: Simo Sorce [simo at redhat.com]
> > Sent: Wednesday, May 08, 2013 9:06 PM
> > To: Johnny Westerlund
> > Cc: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] Two kerberos realms for same domainname?
> >
> > On Wed, 2013-05-08 at 16:41 +0000, Johnny Westerlund wrote:
> >> Hi all
> >>
> >> I'm planning on implementing an IPA server at a site where there is
> >> already a working Active Directory domain.
> >> I would still like the machines from AD and IPA to live in the same DNS
> >> domain.
> >>
> >>
> >> Example.
> >> AD Domainname = foo.bar
> >> AD KERBEROS realm = FOO.BAR
> >> a Host principal would look like: host/host1.foo.bar at FOO.BAR
> >>
> >>
> >> Now I would like to introduce the IPA server under a different realm
> >> name but for the same DNS name.
> >>
> >>
> >> IPA domainname = foo.bar
> >> IPA KERBEROS realm = LINUX.FOO.BAR (or what ever)
> >> a Host principal would look like: host/host2.foo.bar at LINUX.FOO.BAR
> >>
> >>
> >> So basically I would register the hostnames / PTR records in the
> >> Microsoft DNS and use the IPA Kerberos REALM for authentication.
> >>
> >>
> >> Am I making any sense? Is this asking for a world of hurt?
> > It is possible, and it will hurt.
> >
> > You will not be able to use trusts between AD and IPA.
> > You will not be able to use Kerberos between Windows client and Linux
> > Servers and vice-versa.
> >
> > I personally discourage people from doing this if they can and instead
> > delegate (or just forward on both sides) a subdomain (like ipa.foo.bar)
> > to ipa for all the ipa hosts (server.ipa.foo.bar,
> > clientX.ipa.foo.bar ...)
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
>
>
>
>
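As an added illustration (not code from this thread or from libkrb5), the following Python walks the [domain_realm] lookup order MIT Kerberos applies for a service host: exact hostname first, then each parent domain with a leading period from most to least specific, then the default rule of upper-casing the hostname's domain portion. The krb5.conf fragment is constructed: it takes the man page example quoted above and adds the two-realm case from the question, where `.foo.bar` maps to the AD realm and a single IPA host is overridden per host, which is the kind of client-side control Paul refers to.

```python
# Constructed krb5.conf fragment: the man page's example plus the two-realm
# scenario from this thread (a per-host override for one IPA client).
KRB5_CONF = """
[libdefaults]
    default_realm = FOO.BAR

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    dodo.mit.edu = SMS_TEST.MIT.EDU
    .ucsc.edu = CATS.UCSC.EDU
    .foo.bar = FOO.BAR
    host2.foo.bar = LINUX.FOO.BAR
"""


def parse_domain_realm(text):
    """Return {tag: realm} from the [domain_realm] section of a krb5.conf text."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):                 # any header ends the current section
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            tag, realm = (part.strip() for part in line.split("=", 1))
            mapping[tag.lower()] = realm         # tags are matched case-insensitively
    return mapping


def host_realm(hostname, mapping):
    """Realm for a host: exact match, then parent domains with a leading period
    (most specific first), then the default rule (upper-cased domain portion)."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    dot = host.find(".")
    while dot != -1:
        if host[dot:] in mapping:                # e.g. ".lcs.mit.edu", then ".mit.edu", ...
            return mapping[host[dot:]]
        dot = host.find(".", dot + 1)
    first = host.find(".")
    return host[first + 1:].upper() if first != -1 else None   # bare name: no domain portion


if __name__ == "__main__":
    table = parse_domain_realm(KRB5_CONF)
    for h in ("dodo.mit.edu", "www.mit.edu", "ucbvax.berkeley.edu",
              "host1.foo.bar", "host2.foo.bar"):
        print(f"{h:22} -> {host_realm(h, table)}")
```

This only decides which realm the client names for a given host; the KDC discovery Dmitri describes is still driven by the DNS domain, so each realm's KDCs must be reachable through [realms] entries or SRV records of their own.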

