[Freeipa-users] Kerberos realm for different domain

Brian Candler b.candler at pobox.com
Thu Dec 15 22:59:22 UTC 2016


> On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dkupka at redhat.com> wrote:
>
>
>     yes you can do it. DNS domain and Kerberos realm are two different
>     things. It's common and AFAIK recommended to capitalize DNS domain
>     to get the realm but it's not required.
>     If you really want to have them different make sure:
>     a) anotherdomain.com is under your control,
>     b) you don't already have another Kerberos instance (FreeIPA, MIT
>     KRB5, MS AD, ...) with ANOTHERDOMAIN.COM realm deployed.
>
>     With FreeIPA you can run
>     # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
>
>     But before you do, why do you want to have the realm different
>     from the domain?
>
>

Question: what "domain" does the --domain option to ipa-server-install 
actually refer to?

The man page just says "Your DNS domain name". But what does it 
actually alter?

1. the DNS domain which holds the kerberos realm location information? I 
don't think so; I think if you are searching for realm FOO.COM you'll 
always look in the DNS under "foo.com", that's a fixed relationship.

2. the DNS name of the IPA server itself? But if set up correctly, it 
already has an FQDN (as reported by "hostname -f"). And if you give the 
"--hostname" option, that's an FQDN not a bare hostname.

3. the DNS zone which IPA is authoritative for? But you can run IPA 
without integrated DNS.

4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com" 
puts everything under tree "dc=foo,dc=com"?

5. something else?

Thanks,

Brian.
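The prerequisite in the quoted reply (the realm name must not already be deployed elsewhere) can be checked from DNS before running the install, because a realm FOO.COM is always located under foo.com, as point 1 above notes. The following is an added example, not code from this thread or from the FreeIPA project: the resolver is injected and the DNS records are constructed, so it runs offline; in practice `sample_resolver` would be replaced with a real lookup.

```python
"""Offline pre-flight check for an ipa-server-install whose Kerberos realm
differs from its DNS domain (--domain example.com --realm ANOTHERDOMAIN.COM).
Clients find a realm's KDCs under the realm name lower-cased
(_kerberos._udp.<realm>), and a domain can advertise the realm its hosts
belong to in a _kerberos.<domain> TXT record; both are inspected here."""
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]

# Constructed sample records (hypothetical zones) so the example runs offline.
SAMPLE_DNS: Dict[Tuple[str, str], List[str]] = {
    # A realm CORP.EXAMPLE.NET that is already deployed and advertises a KDC.
    ("_kerberos._udp.corp.example.net", "SRV"): ["0 100 88 kdc1.corp.example.net."],
    ("_kerberos.corp.example.net", "TXT"): ["CORP.EXAMPLE.NET"],
    # A DNS domain whose hosts already map to that other realm.
    ("_kerberos.lab.example.com", "TXT"): ["CORP.EXAMPLE.NET"],
}


def sample_resolver(name: str, rtype: str) -> List[str]:
    """Stand-in for a real DNS query; returns record values for (name, type)."""
    return SAMPLE_DNS.get((name.rstrip(".").lower(), rtype), [])


def realm_dns_names(realm: str) -> Dict[str, str]:
    """DNS names a Kerberos client derives from a realm name: FOO.COM -> foo.com."""
    base = realm.lower().rstrip(".")
    return {"kdc_udp": f"_kerberos._udp.{base}", "kdc_tcp": f"_kerberos._tcp.{base}"}


def check_realm_available(realm: str, domain: str, resolve: Resolver) -> List[str]:
    """Return findings that argue against installing `realm` for `domain`."""
    findings: List[str] = []
    names = realm_dns_names(realm)
    for key in ("kdc_udp", "kdc_tcp"):
        if resolve(names[key], "SRV"):
            findings.append(f"{names[key]} SRV exists: realm {realm} is already deployed")
    # If the domain already maps to a different realm, its clients would be confused.
    for value in resolve(f"_kerberos.{domain.lower().rstrip('.')}", "TXT"):
        if value.strip().strip('"').upper() != realm.upper():
            findings.append(f"_kerberos.{domain} TXT maps the domain to {value}, not {realm}")
    return findings


if __name__ == "__main__":
    for realm, domain in [("ANOTHERDOMAIN.COM", "example.com"),
                          ("CORP.EXAMPLE.NET", "example.com"),
                          ("NEWREALM.COM", "lab.example.com")]:
        print(realm, domain, check_realm_available(realm, domain, sample_resolver) or "OK")
```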