<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000066">
I have come across this already, BZ already created:<br>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/sssd/ticket/1032">https://fedorahosted.org/sssd/ticket/1032</a><br>
<br>
On 10/19/2011 10:25 PM, Sigbjorn Lie wrote:
<blockquote
cite="mid:34350.192.168.211.11.1319055948.squirrel@www.nixtra.com"
type="cite">
<pre wrap="">The London/newyork dns sub-domains would be used for looking up srv records for the local
kerberos/ldap servers only. The actual domain configured on the client and the kerberos and LDAP
base would still be the ipa.domain.com.
Sync with AD would still be done between ipa.domain.com <-> ad.domain.com.
Rgds,
Siggi
On Wed, October 19, 2011 22:15, Steven Jones wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Ah right, yes, one realm.
However how would you password sync with AD?
So say London.ad.ms.com and Newyork.ad.ms.com
With NY as the "head"
So with london.ipa.unix.com and newyork.ipa.unix.com
Is there still only one winsync agreement?
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________________
From: Sigbjorn Lie [<a class="moz-txt-link-abbreviated" href="mailto:sigbjorn@nixtra.com">sigbjorn@nixtra.com</a>]
Sent: Thursday, 20 October 2011 9:11 a.m.
To: Steven Jones
Cc: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>
Subject: RE: [Freeipa-users] The concept of sites...
I see your point with a messy dns infrastructure, however this would happen in the background.
You would still only have one kerberos realm per IPA instance.
Rgds,
Siggi
On Wed, October 19, 2011 21:30, Steven Jones wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
I think AD sort of does this which they have now backed away from?
From my very limited understanding having sub-domains/realms seems to be
counter-productive....in that trying to do cross-realm trusts/passwords/user info becomes a
nightmare?
I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and student.vuw.ac.nz in
a winsync (password) agreement, I don't know even if that's possible? Yet with a flat domain to
flat domain it's easy?
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________________
From: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>] on behalf of Sigbjorn
Lie [<a class="moz-txt-link-abbreviated" href="mailto:sigbjorn@nixtra.com">sigbjorn@nixtra.com</a>]
Sent: Thursday, 20 October 2011 8:14 a.m.
To: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>
Subject: [Freeipa-users] The concept of sites...
Hi,
Has there been given any thought to the concept of sites within IPA to
improve cross-site implementations? This should be easy to implement as you are already using
DNS SRV records to locate the ldap/kerberos servers.
E.g.
Site: Boston
Site: London
Create a subdomain of the IPA dns domain named _sites, and a subdomain
of _sites for each site.
Boston._sites.ipa.domain.com would contain the srv entries for IPA
servers in Boston:
_ldap._tcp in srv 0 100 389 boston-ipa-server1
_ldap._tcp in srv 0 100 389 boston-ipa-server2
.....
London._sites.ipa.domain.com would contain the srv entries for IPA
servers in London:
_ldap._tcp in srv 0 100 389 london-ipa-server1
_ldap._tcp in srv 0 100 389 london-ipa-server2
....
Now point the client's DNS "search" entry to point to the local site
first, then search the full name space:
Boston client's /etc/resolv.conf:
search Boston._sites.ipa.domain.com ipa.domain.com
London client's /etc/resolv.conf:
search London._sites.ipa.domain.com ipa.domain.com
The main ipa.domain.com could still contain srv records for all IPA
servers, or selected IPA servers at the central hub.
I know I can do this manually within the DNS management in IPA today,
however it would be a lot easier to maintain "Sites" within the IPA webui/cli. *blink* ;)
What are your thoughts on this?
Regards,
Siggi
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
</pre>
</blockquote>
</blockquote>
</blockquote>
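<p>As an added example (not code from this thread or from the FreeIPA project), the following Python script simulates the mechanism Siggi describes: a client whose resolv.conf search list names its own site first resolves the unqualified <code>_ldap._tcp</code> SRV name in the site zone, and a client with no matching site zone falls back to the hub zone. It also orders the answers by SRV priority and weight as RFC 2782 specifies, which the proposal relies on but does not spell out. The zone contents, host names and nameserver addresses are constructed for the example; the only names taken from the thread are the Boston and London site zones under ipa.domain.com.</p>

```python
"""Added example, not code from the mailing-list thread or from FreeIPA.

Simulates a site-aware DNS layout: the client's resolv.conf search list is
tried suffix by suffix for the unqualified _ldap._tcp SRV name, so the local
site's zone answers first and the hub zone is the fallback.  Answers are then
ordered by SRV priority and weight (RFC 2782).  All zone data and resolv.conf
snippets below are constructed for illustration.
"""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed zone data: one _sites subdomain per site plus the hub zone,
# which lists every server and puts the remote site at a lower priority.
ZONE = {
    "_ldap._tcp.boston._sites.ipa.domain.com": [
        SRV(0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        SRV(0, 100, 389, "boston-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.london._sites.ipa.domain.com": [
        SRV(0, 100, 389, "london-ipa-server1.ipa.domain.com"),
        SRV(0, 100, 389, "london-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.ipa.domain.com": [
        SRV(0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        SRV(0, 100, 389, "boston-ipa-server2.ipa.domain.com"),
        SRV(10, 100, 389, "london-ipa-server1.ipa.domain.com"),
        SRV(10, 100, 389, "london-ipa-server2.ipa.domain.com"),
    ],
}


def parse_search(resolv_conf):
    """Return the search list from resolv.conf text; as in glibc, the last
    'search' line wins."""
    search = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "search":
            search = parts[1:]
    return search


def lookup_srv(service, search, zone=ZONE):
    """Resolve an unqualified service name by appending each search suffix in
    order; the first suffix whose zone has records wins."""
    for suffix in search:
        fqdn = f"{service}.{suffix}".lower()  # DNS names are case-insensitive
        if zone.get(fqdn):
            return fqdn, list(zone[fqdn])
    return None, []


def order_srv(records, rng=None):
    """Order SRV records per RFC 2782: ascending priority, and within one
    priority a weighted-random draw so equal weights share the load."""
    rng = rng or random.Random(0)  # fixed seed keeps the demo reproducible
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def locate_ldap(resolv_conf, zone=ZONE, rng=None):
    """Simulate a client: resolv.conf text in, ordered 'host:port' list out."""
    _, records = lookup_srv("_ldap._tcp", parse_search(resolv_conf), zone)
    return [f"{r.target}:{r.port}" for r in order_srv(records, rng)]


# Constructed resolv.conf snippets for a Boston client, a London client and a
# client that only searches the hub zone.
BOSTON_RESOLV = "nameserver 10.0.0.53\nsearch Boston._sites.ipa.domain.com ipa.domain.com\n"
LONDON_RESOLV = "nameserver 10.1.0.53\nsearch London._sites.ipa.domain.com ipa.domain.com\n"
HUB_ONLY_RESOLV = "nameserver 10.0.0.53\nsearch ipa.domain.com\n"

if __name__ == "__main__":
    for label, conf in [("Boston", BOSTON_RESOLV), ("London", LONDON_RESOLV),
                        ("hub-only", HUB_ONLY_RESOLV)]:
        print(f"{label} client -> {locate_ldap(conf)}")
```

<p>Run it to see each client's ordered server list. In this constructed hub zone the remote site's servers sit at priority 10, so a client that cannot see its site zone still prefers local servers; note that the search-suffix order is the only thing that makes the site-specific answer win, so a client with a misordered or missing search list silently ends up on the hub set rather than failing.</p>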
</body>
</html>