[Freeipa-users] Kerberos realm for different domain
Alexander Bokovoy
abokovoy at redhat.com
Sat Dec 10 18:20:33 UTC 2016
On Sat, 10 Dec 2016, William Muriithi wrote:
>Stephen
>>
>> Can you have a domain that belongs to a Kerberos realm with a completely
>> different domain? For example, could example.com belong to the
>> ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
>> necessary SRV and TXT records to locate it and krb5.conf is configured
>> properly?
>
>This will indeed work. It's however highly discouraged by FreeIPA.
No, it is not.
>For example, if you do go this way, you will never be able to
>establish trust relationship with Active Directory as Active Directory
>will not accept this setup.
This is not true at all.
>Also, you will be on untested territory. I don't think many people use
>this setup, so the code may not be well exercised in such a setup. On
>the positive side, you could help the FreeIPA project flush out any bug
>that such a setup may expose.
No, this is very well charted territory. Read a number of threads we had
just last week and before, over the last few months.
In short, the situation Stephen asks advice on is a very normal case.
--
/ Alexander Bokovoy
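
The mapping asked about in the quoted question, as an added example that is not part of the original thread or of FreeIPA's code: a simplified model of the order in which an MIT Kerberos client maps a host name to a realm ([domain_realm] in krb5.conf first, then _kerberos TXT records when dns_lookup_realm is enabled, then the uppercased domain). The krb5.conf text, the TXT data and the function names are constructed for illustration.

```python
# Constructed sample krb5.conf: hosts under example.com map to ANOTHERDOMAIN.COM.
KRB5_CONF = """\
[libdefaults]
 default_realm = ANOTHERDOMAIN.COM
 dns_lookup_realm = false
[domain_realm]
 .example.com = ANOTHERDOMAIN.COM
 example.com = ANOTHERDOMAIN.COM
"""
# Constructed DNS data: a _kerberos TXT record naming the realm for a domain.
TXT_RECORDS = {"_kerberos.example.com": "ANOTHERDOMAIN.COM"}

def parse_section(conf, section):
    """Return the key/value pairs of one [section] of krb5.conf-style text."""
    pairs, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def candidates(host):
    """Yield [domain_realm] keys to try: host, '.parent', 'parent', and so on."""
    name = host.lower().rstrip(".")
    yield name
    while "." in name:
        name = name.split(".", 1)[1]
        yield "." + name
        yield name

def host_realm(host, conf=KRB5_CONF, txt=TXT_RECORDS):
    """Return (realm, source) for a host name, most specific rule first."""
    mapping = parse_section(conf, "domain_realm")
    for key in candidates(host):
        if key in mapping:
            return mapping[key], "domain_realm " + key
    if parse_section(conf, "libdefaults").get("dns_lookup_realm") == "true":
        name = host.lower().rstrip(".")
        while name:
            if "_kerberos." + name in txt:
                return txt["_kerberos." + name], "TXT _kerberos." + name
            name = name.split(".", 1)[1] if "." in name else ""
    # Last resort in this model: the host's parent domain in upper case.
    return host.rstrip(".").split(".", 1)[-1].upper(), "uppercased domain"
```

Without either the [domain_realm] entry or the TXT record, a host in example.com falls through to EXAMPLE.COM, which is why the explicit mapping matters when the DNS domain and the realm name differ.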