[Freeipa-users] Kerberos realm for different domain

Alexander Bokovoy abokovoy at redhat.com
Fri Dec 16 08:21:32 UTC 2016


On Thu, 15 Dec 2016, Brian Candler wrote:
>>On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dkupka at redhat.com> wrote:
>>
>>
>>    yes you can do it. DNS domain and Kerberos realm are two different
>>    things. It's common and AFAIK recommended to capitalize DNS domain
>>    to get the realm but it's not required.
>>    If you really want to have them different make sure:
>>    a) anotherdomain.com is under your control,
>>    b) you don't already have another Kerberos instance (FreeIPA, MIT
>>    KRB5, MS AD, ...) with the ANOTHERDOMAIN.COM realm deployed.
>>
>>    With FreeIPA you can run
>>    # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
>>
>>    But before you do, why do you want to have the realm different
>>    from the domain?
>>
>>
>
>Question: what "domain" does the --domain option to ipa-server-install 
>actually refer to?
>
>The man page just says " Your DNS domain name". But what does it 
>actually alter?
>
>1. the DNS domain which holds the kerberos realm location information? 
>I don't think so; I think if you are searching for realm FOO.COM 
>you'll always look in the DNS under "foo.com", that's a fixed 
>relationship.
>
>2. the DNS name of the IPA server itself? But if set up correctly, it 
>already has an FQDN (as reported by "hostname -f"). And if you give 
>the "--hostname" option, that's a FQDN not a bare hostname.
>
>3. the DNS zone which IPA is authoritative for? But you can run IPA 
>without integrated DNS.
>
>4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com" 
>puts everything under tree "dc=foo,dc=com"?
>
>5. something else?
It is a combination of some of the above.

The LDAP base DN is generated from the realm name. The DNS domain specified
in the --domain option is considered the DNS domain we are authoritative for
in the case we install with an integrated DNS server. The Kerberos realm name
effectively forces use of the DNS domain equal to the realm name as your
primary DNS domain (the forest root domain in Active Directory terms),
but given that we can remap the DNS-to-realm relationship in krb5.conf,
we have a bit more flexibility than the Active Directory design allows
here.

So you can have IPA masters with FQDNs in totally different DNS domains
than dictated by their Kerberos realm and --domain options. In such a
situation you would need to make sure there are additional hints for the
IPA clients to properly find these IPA masters, but nothing dramatically
serious. You can have the Kerberos realm and --domain options point to
different DNS domains too, though we would not recommend that in the
longer term, given you'd still need to own the DNS domain named after your
Kerberos realm to have autodiscovery working.

After all, these are *flexibility* options. They are not supposed to
make sense in all combinations. Where they don't make sense, you are
allowed to shoot yourself in the foot if you know what you are doing.

-- 
/ Alexander Bokovoy
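The reply above makes three separable points: the LDAP suffix is derived from the realm, not from --domain; autodiscovery queries DNS under the lowercased realm name, so you must own that DNS domain; and krb5.conf's [domain_realm] section is what lets hosts in an unrelated DNS domain still map to the realm. The script below is an added illustration of those three rules and is not FreeIPA code or anything generated by ipa-server-install. The realm ANOTHERDOMAIN.COM, the host domain ipa.example.com, the legacy-kdc.other.net entry and the whole krb5.conf fragment are constructed for the example; the [domain_realm] lookup order (exact host, then each parent domain with a leading dot, then default_realm) follows the MIT krb5 rule.

```python
"""Added example: how realm, DNS domain and krb5.conf [domain_realm] relate
when a FreeIPA realm name differs from the DNS domain of its hosts.
Not FreeIPA code; all names and the config fragment are constructed."""
import re

# Constructed krb5.conf fragment (assumption: hand-written, not ipa-generated).
KRB5_CONF = """\
[libdefaults]
  default_realm = ANOTHERDOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true

[realms]
  ANOTHERDOMAIN.COM = {
    kdc = ipa1.ipa.example.com:88
    admin_server = ipa1.ipa.example.com:749
  }

[domain_realm]
  .ipa.example.com = ANOTHERDOMAIN.COM
  ipa.example.com = ANOTHERDOMAIN.COM
  legacy-kdc.other.net = OTHER.NET
"""


def parse_sections(text):
    """Minimal krb5.conf reader: flat 'key = value' lines per [section].
    Nested { ... } blocks (the per-realm settings) are skipped; the lookup
    below only needs [libdefaults] and [domain_realm]."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth or current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def realm_for_host(fqdn, sections):
    """MIT-style [domain_realm] resolution: exact host name first, then each
    parent domain with a leading dot (longest suffix wins), then the
    default_realm from [libdefaults]. This is the 'remap DNS and realm
    relationship in krb5.conf' hint from the reply."""
    mapping = sections.get("domain_realm", {})
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return sections.get("libdefaults", {}).get("default_realm")


def base_dn_from_realm(realm):
    """FreeIPA derives the LDAP suffix from the realm name, not from --domain."""
    return ",".join("dc=" + label.lower() for label in realm.split("."))


def discovery_names(realm):
    """DNS names a client queries to autodiscover the realm (MIT krb5 TXT and
    SRV records, plus the _ldap._tcp SRV ipa-client-install looks for). The
    lowercased realm is the DNS domain queried, which is why that domain has
    to be under your control even when --domain points somewhere else."""
    d = realm.lower()
    return ["_kerberos." + d, "_kerberos._udp." + d,
            "_kerberos._tcp." + d, "_ldap._tcp." + d]


if __name__ == "__main__":
    cfg = parse_sections(KRB5_CONF)
    for h in ("ipa1.ipa.example.com", "legacy-kdc.other.net", "www.other.net"):
        print(h, "->", realm_for_host(h, cfg))
    print("base DN:", base_dn_from_realm("ANOTHERDOMAIN.COM"))
    print("autodiscovery:", discovery_names("ANOTHERDOMAIN.COM"))
```

Note that www.other.net falls through to default_realm even though a sibling host is explicitly mapped to OTHER.NET: [domain_realm] matches only exact names and dotted parent suffixes, so a missing ".other.net" line silently sends that host to the wrong realm. That is the kind of "additional hint" the reply says clients need when masters live in a DNS domain that does not match the realm.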