[Freeipa-users] Kerberos realm for different domain
David Kupka
dkupka at redhat.com
Mon Dec 12 07:31:50 UTC 2016
On 09/12/16 22:56, Stephen Ingram wrote:
> Can you have a domain that belongs to a Kerberos realm with a completely
> different domain? For example, could example.com belong to the
> ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
> necessary SRV and TXT records to locate it and krb5.conf is configured
> properly?
>
> Steve
Hello Steve,
Yes, you can do it. DNS domain and Kerberos realm are two different
things. It's common and AFAIK recommended to capitalize the DNS domain to
get the realm, but it's not required.
If you really want to have them different, make sure:
a) anotherdomain.com is under your control,
b) you don't already have another Kerberos instance (FreeIPA, MIT KRB5, MS
AD, ...) with the ANOTHERDOMAIN.COM realm deployed.
With FreeIPA you can run
# ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
But before you do, why do you want to have the realm different from the
domain?
--
David Kupka
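
For reference, a client-side krb5.conf for the layout discussed in this thread, where hosts in example.com belong to the ANOTHERDOMAIN.COM realm. This is an added illustration, not part of either message and not the file ipa-server-install or ipa-client-install writes; the KDC host name ipa.example.com is a hypothetical placeholder.

```ini
# Added example: MIT krb5 client configuration, hosts in example.com,
# realm ANOTHERDOMAIN.COM. ipa.example.com is a placeholder KDC name.

[libdefaults]
  default_realm = ANOTHERDOMAIN.COM
# Host-to-realm mapping is pinned in [domain_realm] below, so the
# client does not need to trust a DNS TXT answer for it.
  dns_lookup_realm = false
# KDCs are listed explicitly in [realms]. With dns_lookup_kdc = true the
# library would instead query SRV records named after the realm, e.g.
# _kerberos._udp.ANOTHERDOMAIN.COM, which live in the anotherdomain.com
# zone. That is one reason the zone has to be under your control.
  dns_lookup_kdc = false
  rdns = false

[realms]
  ANOTHERDOMAIN.COM = {
    kdc = ipa.example.com
    admin_server = ipa.example.com
  }

[domain_realm]
# Leading dot: every host inside the example.com domain.
  .example.com = ANOTHERDOMAIN.COM
# No leading dot: the host literally named example.com.
  example.com = ANOTHERDOMAIN.COM

# DNS alternative to [domain_realm] when dns_lookup_realm = true:
#   _kerberos.example.com.  IN TXT  "ANOTHERDOMAIN.COM"
```

Without the [domain_realm] entries or the TXT record, a client falls back to guessing the realm from the host's DNS domain and would look for EXAMPLE.COM, which does not exist in this layout.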