On Thu, 27 Oct 2016, Brian Candler wrote:
On 26/10/2016 21:03, Ranbir wrote:
If I have two networks, say A and B, and I want both to use the same
FreeIPA server, should I have one Freeipa domain for network A and a
sub-domain for network B, (domain.local and b.domain.local), or
should I create two top level domains (a.local and b.local)? What's
the recommended way to do this?
Well, as a first point, I'd say never use a fake domain like ".local".
Use a subdomain of some real domain that you already have - e.g.
int.yourcompany.com. You don't need to expose it to the Internet if
you don't want to, and a fake domain can cause you problems down the
line.
Secondly: do you really need two domains? DNS domains are used as a way
to delegate administrative responsibility. If the same person is
managing the DNS for both sites, then you can just as well use one
domain. Personally I like to embed the site in the hostname (e.g.
lon-srv-1.int.yourcompany.com), because there are many circumstances in
which only the shortened hostname "lon-srv-1" is seen, such as syslog
messages and bash prompts. Hence it's good for the hostname itself to
be unambiguous.
But if you prefer a different DNS domain for equipment in each site,
that's not a problem either. You can either create additional domains
in FreeIPA (if you want to use the FreeIPA GUI/CLI to manage DNS
records), or just have separate DNS domains managed elsewhere. If
FreeIPA is managing your DNS, you can get it to manage your reverse
DNS too, by creating domains like 10.in-addr.arpa and
168.192.in-addr.arpa.
Taking this to extreme: you don't even need to use the same DNS domain
for your IPA and your other equipment. It's fine to have:
ldap-1.ipa.yourdomain.com
host1.site1.yourdomain.com
host2.site2.yourdomain.com
even if all the hosts are joined into the same Kerberos realm
IPA.YOURDOMAIN.COM (which sounds like what you're doing).
This is quite a good approach if you already have existing DNS for
site1.yourdomain.com and site2.yourdomain.com which you don't want to
change. Having FreeIPA manage its own domain makes it easier to
automatically locate the Kerberos servers for the realm
IPA.YOURDOMAIN.COM. But even that's not necessary if you are happy to
create the necessary SRV records in the DNS yourself.
The final issue is IPA replicas in multiple sites. Personally I've put
all my IPA replicas in the same DNS domain
(ldap-1.ipa.yourcompany.com; ldap-2.ipa.yourcompany.com), and have
never tried putting them in different DNS domains: e.g.
ipa-1.site1.yourdomain.com
ipa-2.site2.yourdomain.com
I'm not sure if you can do this, and I think it would be safer not to
unless someone else on this list says it's OK.
Yes, you can do that; there is no issue at all.
--
/ Alexander Bokovoy
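As an added illustration (not part of the thread above) of the "create the necessary SRV records in the DNS yourself" option combined with Alexander's point that replicas may sit in different DNS domains: a BIND-style fragment for the realm's own zone ipa.yourdomain.com whose records point at replicas in site1 and site2. The replica hostnames, TTL, priorities and weights are assumed values chosen for the example; the record names and ports are the standard ones MIT Kerberos and FreeIPA clients look up when dns_lookup_kdc is enabled.

```dns
; Added example, not from the mailing list thread.
; Zone for the realm's DNS domain; the SRV targets below live in other
; DNS domains (site1/site2), which is fine as long as they are FQDNs
; with a trailing dot.
$ORIGIN ipa.yourdomain.com.
$TTL 3600

; Realm name, for clients that map DNS domain -> realm via dns_lookup_realm
_kerberos                IN TXT "IPA.YOURDOMAIN.COM"

; KDCs, port 88. Equal priority/weight here; lower a site's priority
; in a site-specific view if you want clients to prefer the local replica.
_kerberos._udp           IN SRV 0 100 88  ipa-1.site1.yourdomain.com.
_kerberos._udp           IN SRV 0 100 88  ipa-2.site2.yourdomain.com.
_kerberos._tcp           IN SRV 0 100 88  ipa-1.site1.yourdomain.com.
_kerberos._tcp           IN SRV 0 100 88  ipa-2.site2.yourdomain.com.

; Password-change service (kpasswd), port 464
_kpasswd._udp            IN SRV 0 100 464 ipa-1.site1.yourdomain.com.
_kpasswd._udp            IN SRV 0 100 464 ipa-2.site2.yourdomain.com.
_kpasswd._tcp            IN SRV 0 100 464 ipa-1.site1.yourdomain.com.
_kpasswd._tcp            IN SRV 0 100 464 ipa-2.site2.yourdomain.com.

; Directory server used by ipa-client-install and SSSD, port 389
_ldap._tcp               IN SRV 0 100 389 ipa-1.site1.yourdomain.com.
_ldap._tcp               IN SRV 0 100 389 ipa-2.site2.yourdomain.com.

; CA service name (only if the replicas run the IPA CA); assumed addresses
ipa-ca                   IN A   192.0.2.11
ipa-ca                   IN A   192.0.2.22
```

Each replica's own A record and its PTR in the matching reverse zone (10.in-addr.arpa or 168.192.in-addr.arpa, as mentioned above) still have to exist in whichever zone holds its DNS domain; the SRV records only advertise the services.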
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project