[Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

Brian Candler b.candler at pobox.com
Fri Dec 9 11:14:09 UTC 2016


On 08/12/2016 08:50, Pieter Nagel wrote:
>
> Concrete scenario, I wonder if this will work:
>
> A greenfields deployment, no other kerberos, no Active Directory. 
> Internal DNS to be int.lautus.net and FreeIPA manages that DNS domain 
> and adds internal hosts to it as they enroll. Public-facing servers 
> are manually registered in lautus.net DNS which is hosted elsewhere. 
> But FreeIPA is installed with realm LAUTUS.NET so it adds _kerberos 
> entries for realm LAUTUS.NET to int.lautus.net, and I manually copy 
> those entries to lautus.net, so everyone agrees that they belong to 
> the same realm.
>
> The reason I want the realm to be LAUTUS.NET is because it makes more 
> sense to me that the internal desktops in the subdomain int.lautus.net 
> enroll into a realm related to the parent DNS domain
I see a red flag with "desktops". Do you mean Windows desktops? Then you 
are talking Active Directory (or the Samba implementation of AD) and 
there are very specific rules for how the hostnames and the realms interact.

If you are talking Linux/BSD desktops, then it doesn't matter. 
Personally I would do it the other way round than you propose: let 
machines foo.lautus.net and bar.int.lautus.net use IPA.LAUTUS.NET as 
their kerberos realm, because this gives you the *option* of adding a 
distinct kerberos realm like AD.LAUTUS.NET later.

If you ever introduce Active Directory into your network then you don't 
want it to be either a subdomain or a parent domain of your IPA domain, 
unless you enjoy pain.

Changing your IPA realm later is also extremely painful.

> , than it makes sense for the public-facing servers in the parent 
> lautus.net domain to enroll into a realm related to an internal DNS 
> subdomain.
It's not really a problem. In the DNS you create TXT records:

_kerberos.lautus.net.      TXT  "IPA.LAUTUS.NET"
_kerberos.int.lautus.net.  TXT  "IPA.LAUTUS.NET"

and the auto-mapping of hosts to realms just works (in the *nix world 
anyway)

Personally I would have no problem publishing
_kerberos.lautus.net.  TXT  "IPA.LAUTUS.NET"
in the public DNS. It's up to you whether you put *.ipa.lautus.net and 
*.int.lautus.net in the public DNS.

> Or am I making an issue of a cosmetic triviality, and it is not at 
> all strange in the kerberos realm to enroll a server into a realm 
> related to a DNS subdomain it is not part of?
>
In my opinion, not at all strange. You have three things:

1. The DNS domain of the host
2. The Kerberos realm that the host is in
3. The DNS domain of the Kerberos realm

2+3 are bound together, but 1 does not need to relate to 2+3 (unless you 
are Microsoft)

Regards,

Brian.
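The host-to-realm mapping Brian describes (the `_kerberos` TXT records, and the fact that a host's DNS domain need not match the realm's DNS domain) can be traced through in code. The following is an added illustration, not code from the thread or from FreeIPA: it models the label-stripping walk that MIT krb5 performs when `dns_lookup_realm` is enabled, and the static `[domain_realm]` suffix match that is consulted first. The zone data and the `AD.LAUTUS.NET` realm are constructed for the example; only `IPA.LAUTUS.NET`, `lautus.net` and `int.lautus.net` come from the discussion.

```python
"""Map a hostname to a Kerberos realm the way a *nix client does.

Added example (not from the mailing-list post or from FreeIPA). An in-memory
table stands in for DNS so the script runs offline; AD.LAUTUS.NET is a
hypothetical second realm added to show that a separate domain can map
elsewhere without disturbing the IPA hosts.
"""
from typing import List, Optional

# Constructed _kerberos TXT records, owner name -> realm. lautus.net and
# int.lautus.net both answer IPA.LAUTUS.NET, exactly as in the thread.
TXT_RECORDS = {
    "_kerberos.lautus.net.": "IPA.LAUTUS.NET",
    "_kerberos.int.lautus.net.": "IPA.LAUTUS.NET",
    "_kerberos.ad.lautus.net.": "AD.LAUTUS.NET",   # hypothetical later AD realm
}

# Constructed equivalent of a krb5.conf [domain_realm] section. A key with a
# leading dot covers that domain and everything beneath it; a key without a
# dot matches one exact hostname.
DOMAIN_REALM = {
    ".lautus.net": "IPA.LAUTUS.NET",
    ".ad.lautus.net": "AD.LAUTUS.NET",
}


def _suffixes(hostname: str) -> List[str]:
    """'bar.int.lautus.net' -> ['bar.int.lautus.net', 'int.lautus.net', ...]."""
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def realm_from_dns(hostname: str) -> Optional[str]:
    """Query _kerberos.<host> TXT, then each parent domain, most specific first.

    This is the unauthenticated DNS path: whoever controls the answer for
    _kerberos.<domain> chooses the realm, which is why MIT krb5 ships with
    dns_lookup_realm = false.
    """
    for suffix in _suffixes(hostname):
        realm = TXT_RECORDS.get(f"_kerberos.{suffix}.")
        if realm:
            return realm
    return None


def realm_from_static_map(hostname: str) -> Optional[str]:
    """Longest-suffix match against the [domain_realm]-style table."""
    for i, suffix in enumerate(_suffixes(hostname)):
        if i == 0 and suffix in DOMAIN_REALM:   # exact hostname entry
            return DOMAIN_REALM[suffix]
        realm = DOMAIN_REALM.get("." + suffix)  # domain-and-subdomains entry
        if realm:
            return realm
    return None


def host_realm(hostname: str, dns_lookup_realm: bool = False,
               default_realm: Optional[str] = None) -> Optional[str]:
    """Resolve in krb5 order: static config, then DNS if permitted, then default."""
    realm = realm_from_static_map(hostname)
    if realm is None and dns_lookup_realm:
        realm = realm_from_dns(hostname)
    return realm if realm is not None else default_realm


def realm_dns_domain(realm: str) -> str:
    """Item 3 in Brian's list: the DNS domain of the realm itself, where the
    KDC SRV records (_kerberos._udp.<domain>) live. By convention it is the
    realm name lowercased, independent of the host's own DNS domain."""
    return realm.lower()


if __name__ == "__main__":
    for host in ("foo.lautus.net", "bar.int.lautus.net", "dc1.ad.lautus.net"):
        realm = host_realm(host, dns_lookup_realm=True)
        print(f"{host:22} host domain={host.split('.', 1)[1]:16} "
              f"realm={realm:16} realm domain={realm_dns_domain(realm)}")
```

The walk shows the point of Brian's three-item list: `foo.lautus.net` and `bar.int.lautus.net` sit in different DNS domains, both land in `IPA.LAUTUS.NET`, and the realm's own DNS domain (`ipa.lautus.net`) is a third, separate thing. The `_kerberos` TXT records are convenient, but they are only consulted when `dns_lookup_realm` is switched on, and FreeIPA clients normally leave it off and rely on the static mapping plus SSSD, precisely because a TXT answer is not authenticated.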