[Freeipa-users] mixed DNS subnets for FreeIPA and M$ AD
Harald Dunkel
harald.dunkel at aixigo.de
Wed Dec 9 07:36:11 UTC 2015
On 12/08/2015 03:08 PM, Petr Spacek wrote:
>
> Does
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs
>
> and
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
>
> answer your questions?
>
Not really. All these documents bring up strings like
"ipa.example.com". Sometimes that's a DNS domain, sometimes
it's a Kerberos realm (even though it's in lower case letters).
The assumption that DNS and realm name match is based upon a
recommendation, i.e. you cannot rely upon that. (Not to
mention that "example.com" and "ad.example.com" *are* unique.)
My point is: Currently I have a hierarchy between the DNS top
level domain "example.com" and the Windows DNS domain
"ws.example.com". I do not have a hierarchy between the IM
solutions for Unix and Windows (currently NIS and AD). Moving
from NIS/bind to FreeIPA I would prefer to keep this setup. If
this is not possible, then I can live with moving the IPA
servers to "ipa.example.com" (DNS), but I cannot change the
other DNS subnets. Changing existing host and domain names
is *highly* expensive.
I don't care very much about the realm name in Kerberos. IMU
that's just a string. IPA.EXAMPLE.COM would be fine, if
EXAMPLE.COM is not possible.
What would be your suggestion?
Harri
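As an added illustration (not part of the thread, and not the poster's or the FreeIPA project's code), the following Python models the Kerberos `[domain_realm]` lookup that decides which realm a host belongs to, showing that hosts under `example.com` and `ws.example.com` can live in different realms no matter what the realm names are. The krb5.conf text and all names are constructed for this example; the lookup order is a simplified version of MIT krb5's (exact host first, then each parent domain with and without a leading dot, most specific first).

```python
# Constructed krb5.conf fragment for this illustration (not from the thread)
KRB5_CONF = """\
[libdefaults]
  default_realm = IPA.EXAMPLE.COM

[domain_realm]
  .ws.example.com = WS.EXAMPLE.COM
  ws.example.com = WS.EXAMPLE.COM
  .example.com = IPA.EXAMPLE.COM
  example.com = IPA.EXAMPLE.COM
"""


def parse_domain_realm(text):
    """Extract the [domain_realm] key/value pairs from krb5.conf-style text."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def host_to_realm(hostname, mapping, default_realm=None):
    """Map a host name to a realm; fall back to default_realm if nothing matches.

    Simplified MIT-style order: exact host entry, then for each parent domain
    the leading-dot form (".b.c", whole subtree) before the bare form ("b.c").
    """
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in mapping:
                return mapping[key]
    return default_realm
```

With the mapping above, `pc1.ws.example.com` resolves to `WS.EXAMPLE.COM` while `nfs.example.com` resolves to `IPA.EXAMPLE.COM`, so the realm name and the DNS domain are decoupled by configuration.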