Many thanks, Alexander.

The nature of the Beast I am dealing with is such that DNS is managed from "Upstream" and not by the AD-DC or the IdM server(s).

I was already using a variation of the SSH key authentication solution from Dmitri's blog post. As long as IdM manages the public keys, access control is maintained.

--
Daniel E. White [email protected]
NASCOM Linux Engineer
NASA Goddard Space Flight Center
Science Applications International Corporation (SAIC)
Office: (301) 286-6919
Mobile: (240) 513-5290

From: Alexander Bokovoy <[email protected]>
Date: Tuesday, January 26, 2021 at 09:38
To: FreeIPA-Users <[email protected]>
Cc: Daniel White <[email protected]>
Subject: Re: [Freeipa-users] Questions about DNS client names in a FreeIPA / Active Directory trust

On ti, 26 tammi 2021, White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:

> OK, I know that the AD-DC and the IDM servers need matching Kerberos realm and DNS domain names.
> Let's say AD.FOO.BAR.URP / IDM.FOO.BAR.URP for Kerberos and ad.foo.bar.urp / idm.foo.bar.urp for DNS.
> I am using 4 labels to parallel the environment for which this is intended.
>
> The DNS domain for the environment is foo.bar.urp and there is currently no FOO.BAR.URP AD-DC, but we eventually expect one from "Upstream" and hope to make AD.FOO.BAR.URP a Kerberos sub-realm/domain of it.
>
> AD.FOO.BAR.URP and ad.foo.bar.urp were created.
> IDM.FOO.BAR.URP and idm.foo.bar.urp will be created shortly and connected by a cross-forest trust.
> These, of course, will be sub-domains to AD.FOO.BAR.URP/ad.foo.bar.urp.
>
> The confuzzlepation is about client domain names.
> Do Linux clients need to use the idm.foo.bar.urp DNS domain or can they just use foo.bar.urp?
> Same question for non-Linux clients -- ad.foo.bar.urp DNS domain or can they just use foo.bar.urp?

A few years ago Dmitri created this blog post: https://www.redhat.com/en/blog/i-really-cant-rename-my-hosts

Please read it, it answers most of the questions. For technical details, please also look at https://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain

> And does the lack of the "parent" Kerberos realm/domain FOO.BAR.URP complicate the matter?

If you have an AD forest deployed at ad.foo.bar.urp, who cares about foo.bar.urp? ;)

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
