[Freeipa-users] Kerberos realm for different domain
Brian Candler
b.candler at pobox.com
Fri Dec 16 09:32:42 UTC 2016
On 16/12/2016 08:21, Alexander Bokovoy wrote:
>
> So you can have IPA masters with FQDNs in totally different DNS domains
> than dictated by their Kerberos realm and --domain options.
That I understand - not only can the IPA masters have FQDNs in different
DNS domains, but indeed the member machines of that realm as well.
What was unclear to me was whether "ipa-server-install --domain xxx"
affects the content of the database being built (and therefore
replicated later to the slaves), or is just something local to the host
itself.
In the manpage for "ipa-client-install" it's much clearer: in that case,
it says that --domain is the starting domain for LDAP server auto-discovery.
To clarify, there are several DNS auto-discovery mechanisms. Two of them
are described in the MIT docs at
https://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS
(1) Map hostname aaa.bbb.ccc to realm xxx.yyy.zzz
Look for TXT records for _kerberos.aaa.bbb.ccc, _kerberos.bbb.ccc,
_kerberos.ccc. The TXT record gives the realm that this host belongs to.
(2) Realm xxx.yyy.zzz to Kerberos servers for that realm
Given realm xxx.yyy.zzz, look for in the DNS for SRV records for
_kerberos._udp.xxx.yyy.zzz
_kerberos-master._udp.xxx.yyy.zzz
_kpasswd._udp.xxx.yyy.zzz
This is all very clear.
Now, the manpage for ipa-client-install describes another one, which is
where I get a bit fuzzy:
(3)
DNS Autodiscovery
Client installer by default tries to search for
_ldap._tcp.DOMAIN DNS
SRV records for all domains that are parent to its hostname.
For exam-
ple, if a client machine has a hostname
'client1.lab.example.com', the
installer will try to retrieve an IPA server
hostname from
_ldap._tcp.lab.example.com, _ldap._tcp.example.com and
_ldap._tcp.com
DNS SRV records, respectively. The discovered domain is then
used to
configure client components (e.g. SSSD and Kerberos 5
configuration) on
the machine.
What it doesn't actually say (but I believe must be true) is that what
it calls the "discovered domain" is in fact the *realm* to use. If so,
effectively this is algorithm (2) in reverse: instead of using it for
realm to SRV mapping, you hunt for a domain which contains the right SRV
records and use this to infer your realm.
Is that right?
(Is this a mechanism modelled on Active Directory? Otherwise, I would
have thought you could use MIT algorithm (1) to discover your realm)
>
> After all, these are *flexibility* options. They are not supposed to
> make sense in all combinations. Where they aren't making sense, you are
> allowed to shoot yourself in your feet if you know what you are doing.
>
Absolutely, and I don't want to get this wrong and have to start again :-)
OK, I have a final question on the planning of realms and DNS.
As we've already said, in an IPA-only installation, the machines which
are members of the realms can happily have hostnames which are unrelated
to the realm name: e.g.
IPA.EXAMPLE.COM
| | |
machines <name>.foo.com
machines <name>.bar.com
A user in IPA.EXAMPLE.COM can login to host <name>.foo.com, either
because their krb5.conf has a static domain->realm mapping, or there's a
DNS entry: _kerberos.foo.com TXT "IPA.EXAMPLE.COM"
However, suppose I plan to end up with a trust to an Active Directory /
Samba4 realm:
AD.EXAMPLE.COM <--trust--> IPA.EXAMPLE.COM
| | | | | |
users machines
I want to allow users in the AD.EXAMPLE.COM realm to login to machines
in the IPA.EXAMPLE.COM realm.
Will this still work when the machines are in different DNS domains? Or
at this point, am I forced to give all the machines hostnames of the
form <name>.ipa.example.com ?
If the latter is true, it would be wise for me to start naming my hosts
<name>.ipa.example.com in the first place.
Thanks,
Brian.
More information about the Freeipa-users
mailing list