On Thu, 27 Oct 2016, Brian Candler wrote:
On 27/10/2016 10:07, Brian Candler wrote:
To the OP: in that case, I'd still recommend that you choose a distinct kerberos realm like IPA.YOURCOMPANY.COM, with associated primary domain "ipa.yourcompany.com", and let FreeIPA manage that domain so that it sets up all the right SRV records for auto-discovery. But you don't need to put any hosts inside that DNS domain at all.

Aside: I have just been trying this out.

What's slightly confusing is that the ipa server-install process requires you to set a "domain name" as well as a realm, and it's not clear to me which "domain" to put here. Is this the domain which corresponds to the realm, or the domain which the clients normally reside in, or something else?

For example, suppose I have realm IPA.MYCOMPANY.COM but my servers are xxx.int.mycompany.com. Should I set the FreeIPA "domain" to ipa.mycompany.com or int.mycompany.com, or mycompany.com ?
It really depends on your taste, nothing else. There are some
technical details, though, that you should look at:

- Kerberos implementations have to deal with both realm-to-DNS and
  DNS-to-realm conversions. When there is no static configuration of KDCs
  per realm, MIT Kerberos would take the name of the realm and treat it
  as a DNS domain name to perform an SRV record query
  (_kerberos._udp.REALM and _kerberos._tcp.REALM).

- For DNS hostname to realm conversion, if the realm is unknown, MIT
  Kerberos might look up the TXT record _kerberos.$domain.

These two details mean the following:

- The DNS domain corresponding to your REALM should be under your control.
  Note that this effectively means that if you are using a single-word
  REALM, you are asking for trouble with dynamic KDC resolution (do you
  own a one-word top-level domain .REALM? With DNSSEC?)

- All other domains where the same REALM is in use should have a TXT
  record pointing to your REALM.

- As long as you can control how clients resolve DNS hostnames to a REALM
  and discover the configuration of the REALM, you should be fine.

This is why we recommend having the IPA primary DNS domain the same as the REALM.
You can have both IPA masters and IPA clients in other DNS domains too,
but the DNS domain named after your REALM has to be under your control.

The final detail is related to the forest trust to Active Directory.
Microsoft's implementation of the Active Directory protocol stack assumes
your DNS domain is equal to your realm and that the _kerberos._udp or
_kerberos._tcp and _ldap._tcp SRV records for this domain point to the
proper Active Directory DCs authoritative for the forest of the REALM.

This is why we recommend having the IPA primary DNS domain the same as the REALM.
You can have both IPA masters and IPA clients in other DNS domains too,
but the DNS domain named after your REALM has to be under your control.
This will make your life going forward much simpler.

After some experimentation, it seems that the LDAP baseDN is always taken from the realm (dc=ipa,dc=mycompany,dc=com). But the DNS domain is used for:

- nisDomain and associatedDomain
- ipaDefaultEmailDomain
- crucially, the SRV records are published under the DNS domain

So it looks like really you should put "ipa.mycompany.com" as the DNS domain, even if the IPA servers are in a different domain.
FreeIPA enforces the realm-to-primary-DNS-domain mapping through these
elements, right, out of the practical needs outlined above.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
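The two DNS-driven mappings discussed in the thread above, modelled in code. This is an added example by the editor, not code from FreeIPA, MIT Kerberos or the people on the thread: it resolves a realm to KDCs through _kerberos._udp/_kerberos._tcp SRV records, maps a hostname to a realm through _kerberos TXT records walked up the name hierarchy, and goes slightly beyond the thread with a small consistency check for the realm / primary DNS domain pairing and for the SRV records an AD forest trust expects. The zone data, hostnames (ipa1.int.mycompany.com, xxx.int.mycompany.com) and the rule that the TXT walk stops short of the TLD are constructed assumptions; the resolver is replaced by an in-memory dict so the script runs offline.

```python
"""Added example (editor's code, not FreeIPA's or MIT Kerberos's): model
realm -> KDC discovery via SRV records and hostname -> realm mapping via
_kerberos TXT records against an in-memory zone.  All names and records
are constructed for illustration."""

# Constructed zone data (hypothetical names).  This is what FreeIPA would
# publish for a primary DNS domain ipa.mycompany.com (the REALM, lowercased),
# plus a _kerberos TXT hint in int.mycompany.com, where the hosts really live.
# Keys are (owner name, record type); SRV data is (priority, weight, port, target).
ZONE = {
    ("_kerberos._udp.ipa.mycompany.com.", "SRV"): [(0, 100, 88, "ipa1.int.mycompany.com.")],
    ("_kerberos._tcp.ipa.mycompany.com.", "SRV"): [(0, 100, 88, "ipa1.int.mycompany.com.")],
    ("_ldap._tcp.ipa.mycompany.com.", "SRV"):     [(0, 100, 389, "ipa1.int.mycompany.com.")],
    ("_kerberos.ipa.mycompany.com.", "TXT"):      ["IPA.MYCOMPANY.COM"],
    ("_kerberos.int.mycompany.com.", "TXT"):      ["IPA.MYCOMPANY.COM"],
}

# SRV records an Active Directory forest trust expects under the realm's DNS domain.
AD_TRUST_SRV = ("_kerberos._udp", "_kerberos._tcp", "_ldap._tcp")


def fqdn(name):
    """Normalise a DNS name: lowercase, single trailing dot."""
    return name.rstrip(".").lower() + "."


def lookup(name, rtype, zone=ZONE):
    """Stand-in for a resolver query; returns [] when the name does not exist."""
    return zone.get((fqdn(name), rtype), [])


def srv_names_for_realm(realm):
    """SRV owner names MIT Kerberos queries when no KDC is statically
    configured: the realm name itself is used as the DNS domain."""
    domain = realm.lower()
    return [f"_kerberos._udp.{domain}", f"_kerberos._tcp.{domain}"]


def discover_kdcs(realm, zone=ZONE):
    """Resolve a realm to (kdc host, port) pairs ordered by SRV priority and
    weight, with duplicates from the UDP and TCP names removed."""
    found = []
    for name in srv_names_for_realm(realm):
        for _prio, _weight, port, target in sorted(lookup(name, "SRV", zone)):
            kdc = (target.rstrip("."), port)
            if kdc not in found:
                found.append(kdc)
    return found


def txt_names_for_host(hostname):
    """Candidate _kerberos TXT owner names for a host, most specific first:
    the host itself, then each parent domain.  Stopping short of the TLD is
    this example's assumption; MIT's exact walk is not modelled here."""
    labels = hostname.rstrip(".").lower().split(".")
    return [f"_kerberos.{'.'.join(labels[i:])}" for i in range(len(labels) - 1)]


def realm_for_host(hostname, zone=ZONE):
    """Map a hostname to a realm via the first _kerberos TXT record found.
    This trusts whatever DNS answers: without DNSSEC a spoofed TXT record
    hands the client to an attacker's realm, which is why MIT Kerberos
    leaves dns_lookup_realm off by default."""
    for name in txt_names_for_host(hostname):
        txt = lookup(name, "TXT", zone)
        if txt:
            return txt[0].strip().upper()
    return None


def check_realm_domain(realm, dns_domain):
    """Sanity checks for a REALM / primary DNS domain pairing; returns warnings."""
    warnings = []
    if "." not in realm:
        warnings.append(
            f"single-label realm {realm}: KDC discovery would query "
            f"_kerberos._udp.{realm.lower()} at the top-level domain, "
            "which you do not control")
    if realm.lower() != dns_domain.rstrip(".").lower():
        warnings.append(
            f"realm {realm} and primary DNS domain {dns_domain} differ: SRV records "
            f"published under {dns_domain} are not where clients look for {realm}")
    return warnings


def missing_ad_trust_srv(realm, zone=ZONE):
    """SRV names an AD forest trust expects under the realm's DNS domain
    but which the zone does not publish."""
    domain = realm.lower()
    return [f"{p}.{domain}" for p in AD_TRUST_SRV if not lookup(f"{p}.{domain}", "SRV", zone)]


if __name__ == "__main__":
    print("KDCs for IPA.MYCOMPANY.COM:", discover_kdcs("IPA.MYCOMPANY.COM"))
    print("realm for xxx.int.mycompany.com:", realm_for_host("xxx.int.mycompany.com"))
    print("warnings for MYREALM / int.mycompany.com:", check_realm_domain("MYREALM", "int.mycompany.com"))
    print("missing AD-trust SRV records:", missing_ad_trust_srv("IPA.MYCOMPANY.COM"))
```

Running it shows the point of the thread: the KDCs are found only because the SRV records live under ipa.mycompany.com, the domain spelled by the realm, while hosts in int.mycompany.com still map to IPA.MYCOMPANY.COM through the TXT hint there; a single-label realm or a mismatched primary DNS domain produces warnings, and a zone without _ldap._tcp would be reported as not ready for an AD trust.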