[Freeipa-users] client in many IPA domains

David Kupka dkupka at redhat.com
Mon Feb 6 11:16:58 UTC 2017


On Fri, Feb 03, 2017 at 02:04:55PM -0200, Raul Dias wrote:
> Hello,
> 
> Can ipa-client (e.g., a notebook) be in more than one realm? e.g. depending
> on the network where it is connected.
> 
> -rsd
> 


Hello! 

It depends on what your expectations are about the features that will be available on such a client.

If you just want to be able to obtain a Kerberos ticket for a user on the client, it will work even without FreeIPA (assuming DNS records for Kerberos are in place).

Enrolling the client to two FreeIPA domains is theoretically doable but:
a) would require some experimentation and manual tinkering,
b) may bring security issues (e.g. sharing the same Kerberos key with both domains),
c) will likely result in weird behavior,
d) is definitely not supported nor encouraged.

-- 
David Kupka