[Freeipa-users] FreeIPA domains and sub-domains

Alexander Bokovoy abokovoy at redhat.com
Thu Oct 27 20:06:56 UTC 2016


On Thu, 27 Oct 2016, Brian Candler wrote:
>On 27/10/2016 10:07, Brian Candler wrote:
>>To the OP: in that case, I'd still recommend that you choose a 
>>distinct kerberos realm like IPA.YOURCOMPANY.COM, with associated 
>>primary domain "ipa.yourcompany.com", and let FreeIPA manage that 
>>domain so that it sets up all the right SRV records for 
>>auto-discovery.  But you don't need to put any hosts inside that DNS 
>>domain at all.
>
>Aside: I have just been trying this out.
>
>What's slightly confusing is that the ipa server-install process 
>requires you to set a "domain name" as well as a realm, and it's not 
>clear to me which "domain" to put here. Is this the domain which 
>corresponds to the realm, or the domain which the clients normally 
>reside in, or something else?
>
>For example, suppose I have realm IPA.MYCOMPANY.COM but my servers are 
>xxx.int.mycompany.com.  Should I set the FreeIPA "domain" to 
>ipa.mycompany.com or int.mycompany.com, or mycompany.com ?
It really depends on your taste, nothing else. There are some
technical details, though, that you should look at:

 - Kerberos implementations have to deal with both realm-to-DNS and
   DNS-to-realm conversions. When there is no static configuration of
   KDCs per realm, MIT Kerberos would take the name of the realm and
   treat it as a DNS domain name to perform an SRV record query
   (_kerberos._udp.REALM and _kerberos._tcp.REALM).

 - For DNS hostname to realm conversion, if the realm is unknown, MIT
   Kerberos might look up the TXT record _kerberos.$domain.

These two details mean the following:

 - The DNS domain corresponding to your REALM should be under your
   control. Note that this effectively means that if you are using a
   single-word REALM, you are asking for trouble with dynamic KDC
   resolution (do you own the one-word top-level domain .REALM? With
   DNSSEC?)

 - All other domains where the same REALM is in use should have a TXT
   record pointing to your REALM.

 - As long as you can control how clients resolve DNS hostnames to REALM
   and discover configuration of the REALM, you should be fine.

This is why we recommend having the IPA primary DNS domain the same as
the REALM. You can have both IPA masters and IPA clients in other DNS
domains too, but the DNS domain named as your REALM has to be under your
control.

The final detail is related to the forest trust to Active Directory.
Microsoft's implementation of the Active Directory protocol stack assumes
your DNS domain is equal to your realm and that the _kerberos._udp or
_kerberos._tcp and _ldap._tcp SRV records for this domain point to the
proper Active Directory DCs authoritative for the forest of REALM.

This will make your life going forward much simpler.

>After some experimentation, it seems that the LDAP baseDN is always 
>taken from the realm (dc=ipa,dc=mycompany,dc=com). But the DNS domain 
>is used for:
>
>- nisDomain and associatedDomain
>- ipaDefaultEmailDomain
>- crucially, the SRV records are published under the DNS domain
>
>So it looks like really you should put "ipa.mycompany.com" as the DNS 
>domain, even if the IPA servers are in a different domain.
FreeIPA enforces the realm-to-primary-DNS-domain mapping through these
elements, right, out of the practical needs outlined above.

-- 
/ Alexander Bokovoy
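The two lookups Alexander describes (realm name treated as a DNS name for the `_kerberos._udp`/`_kerberos._tcp` SRV query, and the `_kerberos.<domain>` TXT walk for hostname-to-realm mapping), plus Brian's observation that the LDAP base DN is derived from the realm, as an added example that is not part of the thread and not FreeIPA's own code. The zone below is constructed in memory (the `ipa.mycompany.com` / `int.mycompany.com` names, the two masters `ipa1` and `ipa2`, the record contents and the `db.corp.mycompany.com` client are all made up for illustration), so nothing talks to real DNS. The lookup order mirrors what MIT Kerberos does with `dns_lookup_kdc` / `dns_lookup_realm` enabled as far as the thread states it; the "guess the uppercased parent domain" fallback when no TXT record exists is the conventional default and is labelled as an assumption in the code. The `check_realm_dns` function turns the thread's advice (multi-label realm, service records under the domain spelled like the realm) into a check you can run against your own zone by swapping in real records.

```python
"""Kerberos realm/DNS discovery as described in the thread, run against a
constructed in-memory zone (no network access)."""

from __future__ import annotations

# Constructed sample zone; not real DNS data. Keys are (record type,
# lowercase owner name). SRV values are (priority, weight, port, target),
# TXT values are strings. The IPA primary DNS domain ipa.mycompany.com
# contains no hosts, only the service records published there; the masters
# themselves live in int.mycompany.com.
ZONE = {
    ("SRV", "_kerberos._udp.ipa.mycompany.com"): [
        (10, 100, 88, "ipa2.int.mycompany.com"),   # lower preference
        (0, 100, 88, "ipa1.int.mycompany.com"),    # preferred KDC
    ],
    ("SRV", "_kerberos._tcp.ipa.mycompany.com"): [
        (0, 100, 88, "ipa1.int.mycompany.com"),
        (0, 100, 88, "ipa2.int.mycompany.com"),
    ],
    ("SRV", "_ldap._tcp.ipa.mycompany.com"): [
        (0, 100, 389, "ipa1.int.mycompany.com"),
        (0, 100, 389, "ipa2.int.mycompany.com"),
    ],
    # The domain spelled like the realm maps to the realm ...
    ("TXT", "_kerberos.ipa.mycompany.com"): ["IPA.MYCOMPANY.COM"],
    # ... and the domain the hosts actually live in points to the same REALM
    ("TXT", "_kerberos.int.mycompany.com"): ["IPA.MYCOMPANY.COM"],
}


def lookup(zone: dict, rtype: str, name: str) -> list:
    """Case-insensitive, trailing-dot-tolerant record fetch from the zone."""
    return zone.get((rtype, name.lower().rstrip(".")), [])


def kdcs_for_realm(zone: dict, realm: str, proto: str = "udp") -> list[tuple[str, int]]:
    """Dynamic KDC discovery: treat the REALM as a DNS name and query
    _kerberos._<proto>.<realm>. Returns (host, port) pairs ordered by SRV
    priority (lowest first), then weight (highest first)."""
    records = lookup(zone, "SRV", f"_kerberos._{proto}.{realm}")
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [(target, port) for _prio, _weight, port, target in ordered]


def realm_for_host(zone: dict, hostname: str) -> tuple[str, str]:
    """Hostname-to-realm mapping: look for TXT _kerberos.<name> starting at
    the full hostname and walking up through each parent domain. Returns
    (realm, "txt") on a hit. With no TXT record anywhere the client can only
    guess from the hostname's parent domain, uppercased (assumed default
    behaviour); that is reported as (realm, "guess") so callers can tell."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        txt = lookup(zone, "TXT", "_kerberos." + ".".join(labels[i:]))
        if txt:
            return txt[0], "txt"
    return ".".join(labels[1:]).upper(), "guess"


def realm_to_basedn(realm: str) -> str:
    """The LDAP base DN derived from the realm, as observed in the thread."""
    return ",".join(f"dc={label.lower()}" for label in realm.split("."))


def check_realm_dns(zone: dict, realm: str) -> list[str]:
    """Sanity checks drawn from the thread: multi-label realm, and the
    service records present under the DNS domain spelled like the realm."""
    problems = []
    domain = realm.lower()
    if "." not in domain:
        problems.append(
            f"single-label realm {realm}: KDC discovery would query "
            f"_kerberos._udp.{domain}, a top-level domain you do not own")
    for proto in ("udp", "tcp"):
        if not kdcs_for_realm(zone, realm, proto):
            problems.append(f"missing SRV _kerberos._{proto}.{domain}")
    if not lookup(zone, "SRV", f"_ldap._tcp.{domain}"):
        problems.append(f"missing SRV _ldap._tcp.{domain}")
    if not lookup(zone, "TXT", f"_kerberos.{domain}"):
        problems.append(f"missing TXT _kerberos.{domain}")
    return problems


if __name__ == "__main__":
    print(kdcs_for_realm(ZONE, "IPA.MYCOMPANY.COM"))
    print(realm_for_host(ZONE, "web1.int.mycompany.com"))   # found via TXT
    print(realm_for_host(ZONE, "db.corp.mycompany.com"))    # no TXT: a guess
    print(realm_to_basedn("IPA.MYCOMPANY.COM"))
    print(check_realm_dns(ZONE, "IPA.MYCOMPANY.COM"))       # clean
    print(check_realm_dns(ZONE, "CORP"))                     # single-word realm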
