On ma, 17 kesä 2019, Christian Reiss via FreeIPA-users wrote:
Hey John,
Awesome response :)
But I am not setting any dns records by hand. I did it *prior* to
FreeIPA. We are using naked Kerberos and ldap as-is. So thats where the
DNS RR are coming from.
Does "Dont run IPA on a domain thats in use" mean "entire domain" or
"Subdomain is OK"?
kdcproxy.. nat.. does not really sound awesome to be honest.
Would a setup on auth.company.com (realm, domain, etc) have and
disadvantages? I could simply add dns srv records from company.com to
auth.company.com?
And it's okay I guess if the host keytabs look like
host/server.company....@auth.company.com
I am slowly getting there :)
See, for example,
https://www.redhat.com/archives/freeipa-users/2016-October/msg00350.html
You might also want to read
https://vda.li/en/posts/2019/03/24/Kerberos-host-to-realm-translation/
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
