[Freeipa-users] Kerberos realm for different domain

Stephen Ingram sbingram at gmail.com
Tue Dec 13 06:52:42 UTC 2016


On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dkupka at redhat.com> wrote:

>
> yes you can do it. DNS domain and Kerberos realm are two different things.
> It's common and AFAIK recommended to capitalize DNS domain to get the realm
> but it's not required.
> If you really want to have them different make sure:
> a) anotherdomain.com is under your control,
> b) you don't already have another Kerberos instance (FreeIPA, MIT KRB5, MS
> AD, ...) with ANOTHERDOMAIN.COM realm deployed.
>
> With FreeIPA you can run
> # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
>
> But before you do, why do you want to have the realm different from the
> domain?


David-

We have multiple domains that we want to manage under one Kerberos realm. I
see that it's possible for FreeIPA to manage multiple realms, but, for
simplicity, I'd rather use just one and have all domains underneath:

REALM.COM
controls example1.com, example2.com, example3.com, etc.

Since we control all domains' DNS, we would create TXT records for each of
the example{x}.com domains pointing to the REALM.COM Kerberos realm. We would
also create SRV records for each of the example{x}.com domains directing
Kerberos lookups to REALM.COM. I know it's a little unorthodox, but I'd
like to do it so we can keep everything in one easily managed lot.

Steve

P.S. I got several porny, spammy replies to this message. Is someone
sneaking into this list somehow?
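The DNS-based realm mapping Steve describes, worked through as an added example (this is not code from the thread or from FreeIPA): it generates the `_kerberos` TXT and SRV records for each example{x}.com zone, the equivalent static `[domain_realm]` stanza for krb5.conf, and emulates the client-side TXT walk that maps a host name up through its parent domains until it finds a realm. The KDC host name `ipa.realm.com` and the record index are constructed for the example.

```python
"""One Kerberos realm serving several DNS domains: records, krb5.conf
mapping, and the client-side realm lookup walk."""

# Constructed example data (not taken from the thread): the realm, the
# domains it should control, and a hypothetical KDC host name.
REALM = "REALM.COM"
DOMAINS = ["example1.com", "example2.com", "example3.com"]
KDC_HOST = "ipa.realm.com"


def zone_records(domain, realm, kdc_host):
    """BIND-style records announcing the realm and KDC for one DNS domain.

    _kerberos TXT carries the realm name; the SRV records point Kerberos
    (port 88) and kpasswd (port 464) lookups at the KDC.
    """
    return [
        f'_kerberos.{domain}.\tIN\tTXT\t"{realm}"',
        f"_kerberos._udp.{domain}.\tIN\tSRV\t0 100 88 {kdc_host}.",
        f"_kerberos._tcp.{domain}.\tIN\tSRV\t0 100 88 {kdc_host}.",
        f"_kpasswd._udp.{domain}.\tIN\tSRV\t0 100 464 {kdc_host}.",
    ]


def domain_realm_section(domains, realm):
    """[domain_realm] stanza for krb5.conf: the static alternative to the
    TXT lookup. The leading-dot form covers every host under the domain,
    the bare form covers the domain name itself."""
    lines = ["[domain_realm]"]
    for d in domains:
        lines.append(f"    .{d} = {realm}")
        lines.append(f"    {d} = {realm}")
    return "\n".join(lines)


def txt_index(domains, realm):
    """Index of the _kerberos TXT records a resolver would see."""
    return {f"_kerberos.{d}": realm for d in domains}


def realm_for_host(hostname, txt_records):
    """Emulate the krb5 DNS realm lookup: query _kerberos.<name> for the
    full host name first, then strip one label at a time and retry, so a
    deep host such as db.lab.example2.com still resolves to the realm
    published at example2.com. Returns None if no TXT record matches."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = "_kerberos." + ".".join(labels[i:])
        if candidate in txt_records:
            return txt_records[candidate]
    return None


if __name__ == "__main__":
    for d in DOMAINS:
        print("\n".join(zone_records(d, REALM, KDC_HOST)))
    print(domain_realm_section(DOMAINS, REALM))
    idx = txt_index(DOMAINS, REALM)
    print(realm_for_host("db.lab.example2.com", idx))  # REALM.COM
    print(realm_for_host("www.other.org", idx))        # None
```

Whether clients honour the TXT records depends on `dns_lookup_realm` in krb5.conf, which MIT Kerberos leaves off by default because an unsigned DNS answer could steer a client to a different realm; the static `[domain_realm]` mapping (which `ipa-client-install` writes for enrolled hosts) does not have that dependency. The SRV records are still what locate the KDC once the realm is known.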

