[Freeipa-users] Kerberos realm for different domain

David Kupka dkupka at redhat.com
Tue Dec 13 09:11:45 UTC 2016


On 13/12/16 07:52, Stephen Ingram wrote:
> On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dkupka at redhat.com> wrote:
>
>>
>> Yes, you can do it. DNS domain and Kerberos realm are two different things.
>> It's common and AFAIK recommended to capitalize the DNS domain to get the realm,
>> but it's not required.
>> If you really want to have them different, make sure:
>> a) anotherdomain.com is under your control,
>> b) you don't already have another Kerberos instance (FreeIPA, MIT KRB5, MS
>> AD, ...) with the ANOTHERDOMAIN.COM realm deployed.
>>
>> With FreeIPA you can run
>> # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
>>
>> But before you do, why do you want to have the realm different from the
>> domain?
>
>
> David-
>
> We have multiple domains that we want to manage under one Kerberos realm. I
> see that it's possible for FreeIPA to manage multiple realms, but, for
> simplicity, I'd rather use just one and have all domains underneath:
>
> REALM.COM
> controls example1.com, example2.com, example3.com, etc.
>
> Since we control all domains' DNS, we would create text records for each of
> the example{x}.com domains pointing to the REALM.COM Kerberos realm. We would
> also create SRV records for each of the example{x}.com domains directing
> Kerberos lookups to REALM.COM. I know it's a little unorthodox, but I'd
> like to do it so we can keep everything in one easily managed lot.
>
> Steve
>
> P.S. I got several porny, spammy replies to this message. Is someone
> sneaking into this list somehow?
>


Hello Steve,
in fact it's not possible to manage multiple Kerberos realms in one 
FreeIPA deployment. And judging from your description, it also isn't what 
you want.
On the other hand, having one realm and multiple DNS domains is a standard 
situation, and usually the name of the realm is derived from the primary 
domain (e.g. the one that matches the organization name). If all your 
domains are equal, just pick the one that you're most sure you'll keep 
under your control.

Regarding the spamming problem, we're all receiving it and the main 
problem is that the spam is not targeting freeipa-users@ list but the 
individual addresses in conversations. There's not much we can do but 
Simo is trying to find a solution.
-- 
David Kupka
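The mapping discussed in this thread (several DNS domains, one Kerberos realm, TXT and SRV records doing the steering) can be checked with a small simulation. The following is an added example written for this page; it is not code from the thread, from FreeIPA or from MIT krb5. All DNS records in it are constructed sample data for the domains and the hypothetical realm REALM.COM mentioned above, and the KDC names kdc1.realm.com / kdc2.realm.com are assumptions.

```python
"""Added example (not from the thread or from FreeIPA): how a Kerberos client
finds the realm for a host when several DNS domains map onto one realm, how it
then finds the KDCs, and the equivalent static krb5.conf mapping.

The record data below is constructed for this example.
"""

# Constructed DNS data. The _kerberos TXT records are the domain-to-realm
# mapping the thread proposes for each example{x}.com zone. The SRV records
# sit under the realm's own DNS name (realm.com), because that is the name a
# client queries when it looks for KDCs of REALM.COM.
CONSTRUCTED_DNS = {
    "_kerberos.example1.com.": [("TXT", "REALM.COM")],
    "_kerberos.example2.com.": [("TXT", "REALM.COM")],
    "_kerberos.example3.com.": [("TXT", "REALM.COM")],
    # SRV rdata as (priority, weight, port, target); hosts are assumed names
    "_kerberos._udp.realm.com.": [("SRV", (0, 100, 88, "kdc1.realm.com.")),
                                  ("SRV", (10, 100, 88, "kdc2.realm.com."))],
    "_kerberos._tcp.realm.com.": [("SRV", (0, 100, 88, "kdc1.realm.com."))],
}


def realm_for_host(hostname, dns=CONSTRUCTED_DNS):
    """Return the realm for hostname by walking the name up toward the root
    and querying _kerberos.<name> TXT at each step, modelled on what MIT krb5
    does when dns_lookup_realm is enabled.  Returns None if nothing matches."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:]) + "."
        for rtype, rdata in dns.get(name, []):
            if rtype == "TXT":
                return rdata          # realm names are case-sensitive; use as-is
    return None


def kdcs_for_realm(realm, proto="udp", dns=CONSTRUCTED_DNS):
    """Return (host, port) pairs for the KDCs of realm, lowest SRV priority
    first (higher weight first within a priority).  The query name is
    _kerberos._<proto>.<realm in lower case>, i.e. under the realm's own DNS
    name, not under the client's DNS domain."""
    name = "_kerberos._%s.%s." % (proto, realm.lower())
    srv = [rdata for rtype, rdata in dns.get(name, []) if rtype == "SRV"]
    srv.sort(key=lambda r: (r[0], -r[1]))
    return [(target.rstrip("."), port) for _prio, _weight, port, target in srv]


def domain_realm_stanza(domains, realm):
    """Build the krb5.conf [domain_realm] section that maps each domain, and
    every host beneath it, to realm without any DNS TXT lookup."""
    lines = ["[domain_realm]"]
    for d in domains:
        lines.append("    .%s = %s" % (d, realm))   # hosts under the domain
        lines.append("    %s = %s" % (d, realm))    # the bare domain name
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for host in ("www.example1.com", "db.corp.example2.com", "other.example.net"):
        print("%-22s -> %s" % (host, realm_for_host(host)))
    print("KDCs for REALM.COM:", kdcs_for_realm("REALM.COM"))
    print(domain_realm_stanza(["example1.com", "example2.com", "example3.com"],
                              "REALM.COM"))
```

Two points the simulation makes visible: the SRV lookup keys off the realm name, so SRV records placed in the example{x}.com zones are not what a client consults when it looks for the KDCs of REALM.COM; and MIT krb5 ships with dns_lookup_realm off by default, because an unsigned TXT answer lets whoever controls the resolver path hand a client a different realm. A static [domain_realm] stanza like the one generated here (or DNSSEC-validated records) keeps the mapping under the administrator's control rather than the network's.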