[Freeipa-users] Two kerberos realms for same domainname?

Johnny Westerlund johnny.westerlund at atea.se
Thu May 9 09:03:55 UTC 2013


The "problem" I'm trying to solve is more of a design choice, I guess. I would like to introduce RH Identity Management (IPA) since we need to handle authentication for *NIX machines.
I guess I could integrate them towards Active Directory, but I would rather enjoy all the benefits of running RH-IPA (HBAC/Sudo rules, and further down SELinux integration) and be able to use my current RH support contracts.

The current infrastructure looks like the following.
Internal DNS/Kerberos domain handled by Microsoft Active Directory: company.internal at COMPANY.INTERNAL
A second domain consisting of company.tld (this is a correct top level domain), but this domain exists both internally and externally.

So internal machines that CAN'T be reached from the outside world have either company.tld or company.internal hostnames. (All of the *nix machines have the domain company.tld, although they are almost all internal machines.)
Kerberos authentication is working now for machines on the inside in both DNS domains. This is handled by Active Directory.
I even have some *nix machines using the AD Kerberos realm for SSO of Apache web servers; these are all internal company.tld machines.

So the question is how I would design the DNS structure to allow IPA and AD coexistence.
I would like to avoid having to move all my current *nix machines out of company.tld (although this would be the most correct solution).
Maybe I could have dual hostnames for all my *nix machines, but the question is how much administrative overhead this would give. And I would like to "Keep It Simple".

I understand that this might not be a question for this mailing list ;)
I hope it doesn't rub anyone the wrong way.

