On Tue, 26 Jan 2021, White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
> OK, I know that the AD-DC and the IDM servers need matching Kerberos realm and
> DNS domain names.
> Let's say AD.FOO.BAR.URP / IDM.FOO.BAR.URP for Kerberos and ad.foo.bar.urp /
> idm.foo.bar.urp for DNS.
> I am using 4 labels to parallel the environment for which this is intended.
>
> The DNS domain for the environment is foo.bar.urp and there is currently no FOO.BAR.URP
> AD-DC, but we eventually expect one from "Upstream" and hope to make
> AD.FOO.BAR.URP a Kerberos sub-realm/domain of it.
>
> AD.FOO.BAR.URP and ad.foo.bar.urp were created.
> IDM.FOO.BAR.URP and idm.foo.bar.urp will be created shortly and connected by a
> cross-forest trust. These, of course, will be sub-domains to
> AD.FOO.BAR.URP/ad.foo.bar.urp.
>
> The confuzzlepation is about client domain names.
>
> Do Linux clients need to use the idm.foo.bar.urp DNS domain or can they just
> use foo.bar.urp?
> Same question for non-Linux clients -- ad.foo.bar.urp DNS domain or can they
> just use foo.bar.urp?

A few years ago Dmitri did create this blog:
https://www.redhat.com/en/blog/i-really-cant-rename-my-hosts

Please read it, it answers most of the questions. For technical details,
please also look at 
https://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain

> And does the lack of the "parent" Kerberos realm/domain FOO.BAR.URP complicate
> the matter?

If you have an AD forest deployed at ad.foo.bar.urp, who cares about
foo.bar.urp? ;)



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland