On Tue, 2011-05-03 at 08:46 -0400, Dmitri Pal wrote:
> I am posting Steven's questions as they have been sent to the wrong list
> and were on hold.
> Seem to be having issues posting....anyway....
> I notice that free-ipa really wants to work best as its own dns
> etc....problem is with AD running integrated DNS there is a clash....So
> Im wondering with say a domain of ipa.ac.nz whether it would be a good
> idea or sensible and worthwhile to run ipa as a dns stub say unix.ipa.ac.nz?
> Would this cause any issues with anything? say passwd syncing with AD
> under ipa.ac.nz (or actually its staff.ipa.ac.nz) ????
> >From reading the docs this looks like it might be a good idea, not sure...
> Are there any good high design and architecture docs I should read? to
> answer such Qs?
Having your own subdomain (or multiple subdomains) for IPA is certainly
a good idea. This is not much due to our DNS integration, you can
definitely handle DNS on your own, but has more to do with kerberos
libraries and the way realm -> domain mapping is done in some cases.
So if you organize your naming architecture to have IPA.EXAMPLE.COM ->
ipa.example.com then you get the best interoperability matrix between
That doesn't mean other combinations won't work, but you will have to
understand the details of how Keberos and DNS interrelate and how to
change client configuration if you choose different strategies.
Password syncing will have no problems related to DNS names, except,
perhaps for the need to change your SSL certificate (as X509 certs for
SSL embed the hostname of the server).
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list