[Freeipa-users] Kerberos realm for different domain

Petr Spacek pspacek at redhat.com
Mon Dec 19 14:50:21 UTC 2016


On 15.12.2016 23:59, Brian Candler wrote:
>> On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dkupka at redhat.com> wrote:
>>
>>
>>     Yes, you can do it. DNS domain and Kerberos realm are two different
>>     things. It's common and AFAIK recommended to capitalize the DNS domain
>>     to get the realm, but it's not required.
>>     If you really want to have them different, make sure:
>>     a) anotherdomain.com is under your control,
>>     b) you don't already have another Kerberos instance (FreeIPA, MIT
>>     KRB5, MS AD, ...) with the ANOTHERDOMAIN.COM realm deployed.
>>
>>     With FreeIPA you can run
>>     # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
>>
>>     But before you do, why do you want to have the realm different
>>     from the domain?
>>
>>
> 
> Question: what "domain" does the --domain option to ipa-server-install
> actually refer to?
> 
> The man page just says " Your DNS domain name". But what does it actually alter?
> 
> 1. the DNS domain which holds the kerberos realm location information? I don't
> think so; I think if you are searching for realm FOO.COM you'll always look in
> the DNS under "foo.com", that's a fixed relationship.
> 
> 2. the DNS name of the IPA server itself? But if set up correctly, it already
> has an FQDN (as reported by "hostname -f"). And if you give the "--hostname"
> option, that's a FQDN not a bare hostname.
> 
> 3. the DNS zone which IPA is authoritative for? But you can run IPA without
> integrated DNS.
> 
> 4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com" puts
> everything under tree "dc=foo,dc=com"?
> 
> 5. something else?

I've tried to clarify things in man pages and on web as well. Please have a
look to changes and let us know if it is better or not, and preferably what
can be improved and in which way :-)

The modified deployment page is here:
http://www.freeipa.org/page/Deployment_Recommendations

Man page changes and changes in description of installer options are here:
https://github.com/freeipa/freeipa/pull/352

-- 
Petr^2 Spacek
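As an added example (not FreeIPA code and not from this thread): a small Python pre-flight check for the two preconditions David lists above. It derives the default realm from the domain and probes the standard Kerberos DNS records (`_kerberos.<domain>` TXT for realm announcement, `_kerberos._udp.<name>` SRV for KDCs) through an injected resolver; `FAKE_DNS` and the `preflight`/`default_realm` helpers are constructed for illustration, so it runs offline.

```python
"""Pre-flight checks before `ipa-server-install --domain ... --realm ...`.

Hypothetical helper, not FreeIPA's own code. Record names follow the usual
Kerberos conventions: `_kerberos.<domain>` TXT announces which realm a DNS
domain belongs to (MIT krb5 dns_lookup_realm) and `_kerberos._udp.<name>` SRV
lists a realm's KDCs (RFC 4120 section 7.2.3.3). A resolver callback is
injected so the check can run against constructed records.
"""
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]  # (name, rrtype) -> record values


def default_realm(domain: str) -> str:
    """FreeIPA's default realm is simply the DNS domain upper-cased."""
    return domain.rstrip(".").upper()


def preflight(domain: str, realm: str, resolve: Resolver) -> List[str]:
    """Return a list of problems; an empty list means no conflict was found."""
    problems: List[str] = []
    domain = domain.rstrip(".").lower()
    if realm != realm.upper():
        problems.append(f"realm {realm!r} should be upper-case")
    # Condition b): a realm of that name is already advertised somewhere.
    # KDC discovery treats the realm name as a DNS name, so look there and
    # also under the DNS domain the new deployment will occupy.
    for name in {realm.lower(), domain}:
        kdcs = resolve(f"_kerberos._udp.{name}", "SRV")
        if kdcs:
            problems.append(f"KDCs already advertised under {name}: {kdcs}")
    # The domain already claims to belong to a different realm.
    for txt in resolve(f"_kerberos.{domain}", "TXT"):
        if txt.strip('"').upper() != realm.upper():
            problems.append(f"{domain} already maps to realm {txt.strip(chr(34))}")
    return problems


# Constructed DNS data standing in for real lookups (not real zones).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("_kerberos._udp.corp.example", "SRV"): ["0 100 88 kdc1.corp.example."],
    ("_kerberos.corp.example", "TXT"): ['"CORP.EXAMPLE"'],
}


def fake_resolve(name: str, rrtype: str) -> List[str]:
    return FAKE_DNS.get((name.lower(), rrtype.upper()), [])


if __name__ == "__main__":
    for d, r in [("example.com", "ANOTHERDOMAIN.COM"), ("corp.example", "OTHER.EXAMPLE")]:
        print(d, r, preflight(d, r, fake_resolve) or "ok")
```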