[Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

Alexander Bokovoy abokovoy at redhat.com
Thu Dec 8 08:59:23 UTC 2016


On to, 08 joulu 2016, Pieter Nagel wrote:
>On Wed, Dec 7, 2016 at 3:57 PM, Brian Candler <b.candler at pobox.com> wrote:
>
>> The Kerberos realm always has a corresponding DNS domain, so realm
>> IPA.LAUTUS.NET has a corresponding DNS domain "ipa.lautus.net".
>>
>
>This is the crux of what I find unclear. The docs make it sound as if the
>DNS domain that corresponds to the Kerberos realm needs to be the exact
>same DNS domain that the FreeIPA internal DNS is actively managing. But I
>get the impression in this thread that the DNS domain that corresponds to
>the Kerberos realm just needs to be a DNS domain that belongs to the
>organisation using FreeIPA.
It is really simple: your DNS domain named as your Kerberos realm must
be under your control, one way or another, to allow automatic discovery
of resources to work.

This is how Kerberos automatic service discovery is designed to work.

If you are not using Kerberos automatic discovery; if all your KDC
resources are fixed in krb5.conf on all machines, all your SSSD
configurations on all IPA machines are fixed to point to exact servers
with no fallback to automatic service discovery; if you are not using
trust to Active Directory forests, you can ignore that requirement.

In the majority of deployments, however, people are relying on automatic
service discovery for multiple reasons or using the trust to AD feature.
These deployments must follow the rules defined by those who invented
automatic service discovery and technologies like Active Directory.

Overall, documentation might be too dense on the details, but it is a
balance between giving the necessary details and giving too many
details.

>Concrete scenario, I wonder if this will work:
>
>A greenfields deployment, no other kerberos, no Active Directory. Internal
>DNS to be int.lautus.net and FreeIPA manages that DNS domain and adds
>internal hosts to it as they enroll. Public-facing servers are manually
>registered in lautus.net DNS which is hosted elsewhere. But FreeIPA is
>installed with realm LAUTUS.NET so it adds _kerberos entries for realm
>LAUTUS.NET to int.lautus.net, and I manually copy those entries to
>lautus.net, so everyone agrees that they belong to the same realm.
>
>The reason I want the realm to be LAUTUS.NET is because it makes more sense
>to me that the internal desktops in the subdomain int.lautus.net to enroll
>into a realm related to the parent DNS domain, than it makes sense for the
>public-facing servers in the parent lautus.net domain enroll into a realm
>related to an internal DNS subdomain. Or am I making an issue of a cosmetic
>triviality, and it is not at all strange in the kerberos realm to enroll a
>server into a realm related to a DNS subdomain it is not part of?
>
>-- 
>Pieter Nagel
>Lautus Solutions (Pty) Ltd
>Building 27, The Woodlands, 20 Woodlands Drive, Woodmead, Gauteng
>0832587540


-- 
/ Alexander Bokovoy
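The discovery rule Alexander describes, modelled as an added example that is not part of the thread, of FreeIPA, or of MIT krb5: a Kerberos client with DNS discovery enabled derives the DNS domain to query from the realm name (realm LAUTUS.NET leads to lookups under lautus.net), following RFC 4120 section 7.2.3 for the `_kerberos._udp` / `_kerberos._tcp` SRV records and the MIT krb5 convention of walking `_kerberos.<host>` TXT records up the parent domains for host-to-realm mapping. The zone contents, host names and KDC name below are constructed to mirror Pieter's scenario; real DNS is replaced by an in-memory dict so the script runs offline.

```python
"""Offline model of Kerberos DNS-based service discovery for a FreeIPA realm.

Constructed example, not code from the mailing-list thread, FreeIPA or MIT krb5.
It models two lookups a client performs when dns_lookup_kdc / dns_lookup_realm
are in effect:

  * KDC location: SRV records _kerberos._udp.<realm lowercased> and
    _kerberos._tcp.<realm lowercased>  (RFC 4120 section 7.2.3)
  * host-to-realm mapping: TXT record _kerberos.<hostname>, then the same
    name under each parent domain of the host (MIT krb5 convention)
"""
from typing import Dict, List, Optional, Tuple

# (owner name, record type) -> list of record data; stands in for real DNS
Zone = Dict[Tuple[str, str], List[str]]


def lookup(zone: Zone, name: str, rrtype: str) -> List[str]:
    """Case-insensitive lookup of one owner name / record type in the zone."""
    return zone.get((name.lower().rstrip("."), rrtype), [])


def kdc_srv_name(realm: str, proto: str = "udp") -> str:
    """Owner name a client queries to locate KDCs for `realm`.

    The DNS domain comes from the realm name itself, not from the client's own
    domain: realm LAUTUS.NET -> _kerberos._udp.lautus.net
    """
    return f"_kerberos._{proto}.{realm.lower()}"


def locate_kdcs(zone: Zone, realm: str) -> List[str]:
    """Return every KDC target published for the realm over UDP or TCP."""
    kdcs: List[str] = []
    for proto in ("udp", "tcp"):
        kdcs.extend(lookup(zone, kdc_srv_name(realm, proto), "SRV"))
    return sorted(set(kdcs))


def realm_for_host(zone: Zone, hostname: str) -> Optional[str]:
    """Walk from _kerberos.<host> up through its parent domains for a TXT record."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        txt = lookup(zone, "_kerberos." + ".".join(labels[i:]), "TXT")
        if txt:
            return txt[0]
    return None


def check_discovery(zone: Zone, realm: str, hosts: List[str]) -> Dict[str, object]:
    """Report whether KDC discovery and host-to-realm mapping work for `realm`."""
    kdcs = locate_kdcs(zone, realm)
    mapping = {h: realm_for_host(zone, h) for h in hosts}
    return {
        "kdcs": kdcs,
        "kdc_discovery_ok": bool(kdcs),
        "host_realms": mapping,
        "all_hosts_map_to_realm": all(r == realm for r in mapping.values()),
    }


# Constructed scenario from the thread: FreeIPA manages int.lautus.net and
# publishes the LAUTUS.NET realm records there; lautus.net is hosted elsewhere.
REALM = "LAUTUS.NET"
HOSTS = ["desktop1.int.lautus.net", "www.lautus.net"]  # constructed host names

IPA_MANAGED_ONLY: Zone = {
    ("_kerberos.int.lautus.net", "TXT"): [REALM],
    ("_kerberos._udp.int.lautus.net", "SRV"): ["ipa1.int.lautus.net"],
    ("_kerberos._tcp.int.lautus.net", "SRV"): ["ipa1.int.lautus.net"],
}

# The same zone after the realm records are also published under lautus.net,
# the domain a client actually derives from the realm name.
WITH_PARENT_COPIED: Zone = dict(IPA_MANAGED_ONLY)
WITH_PARENT_COPIED.update({
    ("_kerberos.lautus.net", "TXT"): [REALM],
    ("_kerberos._udp.lautus.net", "SRV"): ["ipa1.int.lautus.net"],
    ("_kerberos._tcp.lautus.net", "SRV"): ["ipa1.int.lautus.net"],
})


if __name__ == "__main__":
    for label, zone in (("int.lautus.net records only", IPA_MANAGED_ONLY),
                        ("records also under lautus.net", WITH_PARENT_COPIED)):
        print(label, check_discovery(zone, REALM, HOSTS))
```

With only the IPA-managed int.lautus.net zone, a client enrolling in realm LAUTUS.NET never finds a KDC, because it queries `_kerberos._udp.lautus.net`, and `www.lautus.net` maps to no realm at all; once the same records exist under lautus.net, both checks pass. This is the "one way or another" control over the realm's DNS domain that the reply insists on.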