[Freeipa-users] FreeIPA domains and sub-domains

Brian Candler b.candler at pobox.com
Thu Oct 27 15:50:56 UTC 2016

On 27/10/2016 10:07, Brian Candler wrote:
> To the OP: in that case, I'd still recommend that you choose a 
> distinct kerberos realm like IPA.YOURCOMPANY.COM, with associated 
> primary domain "ipa.yourcompany.com", and let FreeIPA manage that 
> domain so that it sets up all the right SRV records for 
> auto-discovery.  But you don't need to put any hosts inside that DNS 
> domain at all. 

Aside: I have just been trying this out.

What's slightly confusing is that the ipa-server-install process 
requires you to set a "domain name" as well as a realm, and it's not 
clear to me which "domain" to put here. Is this the domain which 
corresponds to the realm, or the domain which the clients normally 
reside in, or something else?

For example, suppose I have realm IPA.MYCOMPANY.COM but my servers are 
xxx.int.mycompany.com.  Should I set the FreeIPA "domain" to 
ipa.mycompany.com or int.mycompany.com, or mycompany.com ?

After some experimentation, it seems that the LDAP baseDN is always 
taken from the realm (dc=ipa,dc=mycompany,dc=com). But the DNS domain is 
used for:

- nisDomain and associatedDomain
- ipaDefaultEmailDomain
- crucially, the SRV records are published under the DNS domain

So it looks like really you should put "ipa.mycompany.com" as the DNS 
domain, even if the IPA servers are in a different domain.
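As an added example, not part of Brian's post or of FreeIPA's own tooling: a small POSIX shell script that derives the base DN the post observed (one lowercased "dc=" component per realm label), lists the SRV owner names a client looks up under the IPA DNS domain, and checks with dig that they resolve. The record list (_ldap._tcp, _kerberos._tcp/_udp, _kerberos-master._tcp/_udp, _kpasswd._tcp/_udp and a _kerberos TXT record carrying the realm) is my recollection of what ipa-server-install publishes and is an assumption; confirm it against your own zone with ipa dnsrecord-find. The script name and invocation are likewise hypothetical.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the FreeIPA project):
# derive what ipa-server-install builds from the realm and the DNS domain,
# then check that the auto-discovery records actually resolve.
#
# Assumptions: the base DN is one "dc=" component per realm label,
# lowercased (as the post observed), and clients look up the SRV owner
# names listed in srv_names() plus a _kerberos TXT record carrying the
# realm. The record list is from memory; verify against your own zone.

# dc=ipa,dc=mycompany,dc=com from IPA.MYCOMPANY.COM
realm_to_basedn() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,dc=/g; s/^/dc=/'
}

# SRV owner names a FreeIPA client queries under the IPA DNS domain
# (assumed list, see header comment).
srv_names() {
    for svc in _ldap._tcp _kerberos._tcp _kerberos._udp \
               _kerberos-master._tcp _kerberos-master._udp \
               _kpasswd._tcp _kpasswd._udp; do
        printf '%s.%s\n' "$svc" "$1"
    done
}

# Query every discovery record for DOMAIN and compare the _kerberos TXT
# record with REALM. Prints one line per record; returns 0 only if every
# SRV record has an answer and the TXT realm matches, 2 if dig is missing.
check_discovery() {
    domain=$1; realm=$2; rc=0
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    for name in $(srv_names "$domain"); do
        answer=$(dig +short SRV "$name" 2>/dev/null | head -n 1)
        if [ -n "$answer" ]; then
            echo "ok       SRV $name -> $answer"
        else
            echo "MISSING  SRV $name"; rc=1
        fi
    done
    txt=$(dig +short TXT "_kerberos.$domain" 2>/dev/null | tr -d '"')
    if [ "$txt" = "$realm" ]; then
        echo "ok       TXT _kerberos.$domain -> $txt"
    else
        echo "MISMATCH TXT _kerberos.$domain -> '${txt:-<none>}' (expected $realm)"; rc=1
    fi
    return $rc
}

# Usage (hypothetical file name):
#   sh ipa-discovery-check.sh IPA.MYCOMPANY.COM ipa.mycompany.com
if [ $# -eq 2 ]; then
    echo "base DN for realm $1: $(realm_to_basedn "$1")"
    check_discovery "$2" "$1"
fi
```

Run it from a host that uses the same resolvers as your IPA clients, since the point of publishing the SRV records under ipa.mycompany.com is that clients in int.mycompany.com find the servers by querying that other zone; a MISSING line there is exactly the auto-discovery failure the post is describing.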


