I've been studying the docs, and googling the Internet pipes, but it seems
our environment is particularly twisted.

We have hundreds of UNIX/Linux servers residing in the "x.org" DNS domain
that have been using Sun LDAP servers for naming services and
authentication.  DNS for the servers in this "x.org" domain is managed by
Infoblox appliances.  However, now these Sun LDAP servers are being
decommissioned.  Everything is being migrated to use AD instead.  The snag:
the AD realm/DNS is CAMPUS.AD.X.ORG.  DNS for campus.ad.x.org is delegated
to the AD DNS servers.

To further complicate things, probably because all email addresses are of
the form "u...@x.org", the following SRV records are defined:

# host -t srv _kerberos._udp.x.org
_kerberos._udp.x.org has SRV record 0 100 88 rootdc11.x.org.
_kerberos._udp.x.org has SRV record 0 100 88 rootdc8.x.org.
_kerberos._udp.x.org has SRV record 0 100 88 rootdc12.x.org.
_kerberos._udp.x.org has SRV record 0 100 88 rootdc10.x.org.
# host -t srv _kpasswd._udp.x.org
_kpasswd._udp.x.org has SRV record 0 100 464 rootdc12.x.org.
_kpasswd._udp.x.org has SRV record 0 100 464 rootdc10.x.org.
_kpasswd._udp.x.org has SRV record 0 100 464 rootdc8.x.org.
_kpasswd._udp.x.org has SRV record 0 100 464 rootdc11.x.org.
# host -t srv _ldap._tcp.x.org
_ldap._tcp.x.org has SRV record 0 100 389 rootdc11.x.org.
_ldap._tcp.x.org has SRV record 0 100 389 rootdc10.x.org.
_ldap._tcp.x.org has SRV record 0 100 389 rootdc12.x.org.
_ldap._tcp.x.org has SRV record 0 100 389 rootdc8.x.org.

Do I simply set up the FreeIPA master as master.ipa.x.org, and set the
realm name to be IPA.X.ORG?  Would all FreeIPA clients then be in the
IPA.X.ORG realm?  Could they still remain in the x.org DNS domain?  Based
on what I'm reading, I'm thinking maybe so, but I don't know if those SRV
records above will break that.

Thanks in advance for any pointers!

Amos
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org