[Freeipa-users] Kerberos realm for different domain
Brian Candler
b.candler at pobox.com
Thu Dec 15 22:59:22 UTC 2016
> On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dkupka at redhat.com> wrote:
>
>
> yes you can do it. DNS domain and Kerberos realm are two different
> things. It's common and AFAIK recommended to capitalize DNS domain
> to get the realm but it's not required.
> If you really want to have them different make sure:
> a) anotherdomain.com is under your control,
> b) you don't already have another Kerberos instance (FreeIPA, MIT
> KRB5, MS AD, ...) with the ANOTHERDOMAIN.COM realm deployed.
>
> With FreeIPA you can run
> # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
>
> But before you do, why do you want to have the realm different
> from the domain?
>
>
Question: what "domain" does the --domain option to ipa-server-install
actually refer to?
The man page just says "Your DNS domain name". But what does it
actually alter?
1. the DNS domain which holds the kerberos realm location information? I
don't think so; I think if you are searching for realm FOO.COM you'll
always look in the DNS under "foo.com", that's a fixed relationship.
2. the DNS name of the IPA server itself? But if set up correctly, it
already has an FQDN (as reported by "hostname -f"). And if you give the
"--hostname" option, that's a FQDN not a bare hostname.
3. the DNS zone which IPA is authoritative for? But you can run IPA
without integrated DNS.
4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com"
puts everything under tree "dc=foo,dc=com"?
5. something else?
Thanks,
Brian.
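The quoted reply says the DNS domain and the Kerberos realm are independent, and the question asks what the domain is then used for. One thing it feeds is the client-side mapping from a host's DNS domain to its realm, which is exactly what stops working if you decouple the two without telling clients. The following is an added example, not code from this thread or from FreeIPA: it renders a `[domain_realm]` stanza in the shape FreeIPA's krb5.conf uses (the exact template is an assumption here) and resolves host names against it the way a Kerberos client does, longest suffix first.

```python
from typing import Dict, Optional

# Added illustration (not FreeIPA's own code). The stanza layout below is
# assumed to follow FreeIPA's krb5.conf; the project template is not quoted.
DOMAIN = "example.com"        # value given to --domain (DNS domain of hosts)
REALM = "ANOTHERDOMAIN.COM"   # value given to --realm (Kerberos realm name)


def default_realm(domain: str) -> str:
    """Realm used when --realm is omitted: the DNS domain upper-cased."""
    return domain.upper()


def domain_realm_stanza(domain: str, realm: str) -> str:
    """krb5.conf [domain_realm] mapping clients need when realm != domain."""
    return "\n".join([
        "[domain_realm]",
        f" .{domain} = {realm}",   # every host under the domain
        f" {domain} = {realm}",    # the apex name itself
    ])


def parse_domain_realm(stanza: str) -> Dict[str, str]:
    """Parse the stanza back into a {domain-or-host: realm} table."""
    mapping: Dict[str, str] = {}
    for line in stanza.splitlines()[1:]:
        lhs, _, rhs = line.strip().partition(" = ")
        mapping[lhs.lower()] = rhs
    return mapping


def realm_for_host(fqdn: str, mapping: Dict[str, str]) -> Optional[str]:
    """Resolve a host to a realm: exact host entry first, then each parent
    domain written with a leading dot (the MIT krb5 lookup order). None means
    no explicit mapping, so a client would fall back to guessing the
    upper-cased DNS domain and never find ANOTHERDOMAIN.COM."""
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None
```

Without the stanza, `realm_for_host("ipa.example.com", {})` yields no mapping and a client would guess EXAMPLE.COM, which is the failure mode to test for before decoupling domain and realm.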