[Freeipa-users] Kerberos realm for different domain

Petr Spacek pspacek at redhat.com
Mon Dec 12 07:15:25 UTC 2016


On 10.12.2016 19:20, Alexander Bokovoy wrote:
> On la, 10 joulu 2016, William Muriithi wrote:
>> Stephen
>>>
>>> Can you have a domain that belongs to a Kerberos realm with a completely
>>> different domain? For example, could example.com belong to the
>>> ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
>>> necessary SRV and TXT records to locate it and krb5.conf is configured
>>> properly?
>>
>> This will indeed work.  It's however highly discouraged by FreeIPA.
> No, it is not.
> 
>> For example, if you do go this way, you will never be able to
>> establish trust relationship with Active directory as Active directory
>> will not accept this setup.
> This is not true at all.
> 
>> Also, you will be on untested territory.  I don't think many people use
>> this setup, so the code may not be well exercised in such a setup.  On
>> the positive side, you could help the FreeIPA project flesh out any bug
>> that such a setup may expose.
> No, this is very well charted territory. Read a number of threads we had
> just last week and before, last few months.
> 
> In short, the situation Stephen asks for advice on is a very normal case.

Let me clear up this confusion:
The important thing is to have Kerberos REALM = uppercase version of DNS
domain containing all the SRV records (let's call this DNS domain "primary"
DNS domain).

If this condition is fulfilled, AD trusts and other auto-detection procedures
will work. You can add an arbitrary number of FreeIPA clients to "secondary" DNS
domains as long as they do not overlap with AD-managed domains, and it will
just work.

Does that clear up the confusion?

-- 
Petr^2 Spacek
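As an added illustration of the layout Petr describes (this is example code written for this thread, not FreeIPA code or anything from the list), the script below models a small DNS fixture in which anotherdomain.com is the "primary" DNS domain holding the SRV and TXT records, and example.com is a "secondary" domain that only hosts clients. It checks the three conditions from the message: the realm is the upper-case form of the primary domain, the SRV records live under that domain, and no secondary client domain overlaps an AD-managed domain. The realm-discovery walk imitates what a client does with dns_lookup_realm (query `_kerberos.<domain>` TXT for the host's domain, then each parent). All DNS data, the host names, and the AD domain `ad.corp.example` are constructed placeholders.

```python
"""Sanity-check a Kerberos realm vs. DNS domain layout (constructed example)."""
from __future__ import annotations

# Constructed DNS fixture standing in for the real zones, so this runs offline.
# Primary domain anotherdomain.com carries the locator records; the secondary
# domain example.com only carries a TXT record pointing clients at the realm.
DNS: dict[tuple[str, str], list[str]] = {
    ("_kerberos.anotherdomain.com", "TXT"): ["ANOTHERDOMAIN.COM"],
    ("_kerberos._udp.anotherdomain.com", "SRV"): ["ipa1.anotherdomain.com"],
    ("_kerberos._tcp.anotherdomain.com", "SRV"): ["ipa1.anotherdomain.com"],
    ("_ldap._tcp.anotherdomain.com", "SRV"): ["ipa1.anotherdomain.com"],
    ("_kerberos.example.com", "TXT"): ["ANOTHERDOMAIN.COM"],
}

# Placeholder for the DNS domains owned by a trusted AD forest.
AD_MANAGED = {"ad.corp.example"}

# SRV names FreeIPA clients use to locate the KDC and LDAP server.
REQUIRED_SRV = ("_kerberos._udp", "_kerberos._tcp", "_ldap._tcp")


def lookup(name: str, rtype: str) -> list[str]:
    """Resolve a record against the fixture (case-insensitive, trailing dot ignored)."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def parent_domains(fqdn: str) -> list[str]:
    """Return the host's own domain and every parent, e.g. a.b.c -> [b.c, c]."""
    labels = fqdn.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def discover_realm(host_fqdn: str) -> str | None:
    """Mimic dns_lookup_realm: first _kerberos.<domain> TXT record found walking up."""
    for domain in parent_domains(host_fqdn):
        txt = lookup(f"_kerberos.{domain}", "TXT")
        if txt:
            return txt[0]
    return None


def overlaps(dom_a: str, dom_b: str) -> bool:
    """True if the domains are equal or one is a subdomain of the other."""
    a, b = dom_a.lower().rstrip("."), dom_b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_layout(realm: str, client_domains: list[str], ad_domains: set[str]) -> list[str]:
    """Return a list of findings; an empty list means the layout matches the thread's rule."""
    findings: list[str] = []
    primary = realm.lower()  # the realm must be the upper-case form of the primary domain
    if realm != realm.upper():
        findings.append(f"realm {realm!r} is not upper case")
    for srv in REQUIRED_SRV:
        if not lookup(f"{srv}.{primary}", "SRV"):
            findings.append(f"missing SRV record {srv}.{primary}")
    if realm not in lookup(f"_kerberos.{primary}", "TXT"):
        findings.append(f"_kerberos.{primary} TXT does not name realm {realm}")
    for domain in client_domains:
        for ad in ad_domains:
            if overlaps(domain, ad):
                findings.append(f"client domain {domain} overlaps AD-managed {ad}")
        found = discover_realm(f"host.{domain}")
        if found != realm:
            findings.append(f"clients in {domain} would discover realm {found!r}, not {realm}")
    return findings


if __name__ == "__main__":
    for finding in check_layout("ANOTHERDOMAIN.COM", ["example.com", "anotherdomain.com"], AD_MANAGED):
        print(finding)
```

With the fixture above the check reports nothing for clients in example.com or anotherdomain.com, while a secondary domain such as `sub.ad.corp.example` is flagged for overlapping the AD-managed domain, and a lower-case realm with no SRV records under it is flagged on each point.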
