I see your point with a messy DNS infrastructure; however, this would happen in the background.
You would still only have one Kerberos realm per IPA instance.

Rgds,
Siggi

On Wed, October 19, 2011 21:30, Steven Jones wrote:
> Hi,
>
> I think AD sort of does this, which they have now backed away from?
>
> From my very limited understanding, having sub-domains/realms seems to be
> counter-productive, in that trying to do cross-realm trusts/passwords/user
> info becomes a nightmare?
>
> I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and
> student.vuw.ac.nz in a winsync (password) agreement; I don't know even if
> that's possible? Yet with a flat domain to flat domain it's easy?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: [email protected] [[email protected]] on behalf of Sigbjorn Lie [[email protected]]
> Sent: Thursday, 20 October 2011 8:14 a.m.
> To: [email protected]
> Subject: [Freeipa-users] The concept of sites...
>
> Hi,
>
> Has there been given any thought to the concept of sites within IPA to
> improve cross-site implementations? This should be easy to implement, as you
> are already using DNS SRV records to locate the LDAP/Kerberos servers.
>
> E.g.
> Site: Boston
> Site: London
>
> Create a subdomain of the IPA DNS domain named _sites, and a subdomain
> of _sites for each site.
>
> Boston._sites.ipa.domain.com would contain the SRV entries for IPA
> servers in Boston:
>   _ldap._tcp in srv 0 100 389 boston-ipa-server1
>   _ldap._tcp in srv 0 100 389 boston-ipa-server2
>   .....
>
> London._sites.ipa.domain.com would contain the SRV entries for IPA
> servers in London:
>   _ldap._tcp in srv 0 100 389 london-ipa-server1
>   _ldap._tcp in srv 0 100 389 london-ipa-server2
>   ....
>
> Now point the client's DNS "search" entry to the local site first, then
> search the full name space:
>
> Boston client's /etc/resolv.conf:
>   search Boston._sites.ipa.domain.com ipa.domain.com
>
> London client's /etc/resolv.conf:
>   search London._sites.ipa.domain.com ipa.domain.com
>
> The main ipa.domain.com could still contain SRV records for all IPA
> servers, or selected IPA servers at the central hub.
>
> I know I can do this manually within the DNS management in IPA today;
> however, it would be a lot easier to maintain "Sites" within the IPA
> webui/cli. *blink* ;)
>
> What are your thoughts on this?
>
> Regards,
> Siggi
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
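As an added example, not code from the thread or from FreeIPA: a small Python simulation of the site-aware lookup Siggi proposes, with constructed zone data and resolv.conf search lists, showing which LDAP server a Boston client, a London client, and a client outside any site end up with. It assumes the RFC 2782 priority/weight selection rule for choosing among SRV targets, which the thread does not spell out.

```python
import random

# Constructed zone data modelled on the _sites layout from the thread.
# Key: owner name (lower-cased FQDN); value: SRV rdata tuples
# (priority, weight, port, target).
ZONE = {
    "_ldap._tcp.boston._sites.ipa.domain.com": [
        (0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "boston-ipa-server2.ipa.domain.com")],
    "_ldap._tcp.london._sites.ipa.domain.com": [
        (0, 100, 389, "london-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "london-ipa-server2.ipa.domain.com")],
    # Hub zone lists every server; the Boston hub is preferred (priority 0)
    # and London is only tried if no Boston server can be reached.
    "_ldap._tcp.ipa.domain.com": [
        (0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "boston-ipa-server2.ipa.domain.com"),
        (10, 100, 389, "london-ipa-server1.ipa.domain.com"),
        (10, 100, 389, "london-ipa-server2.ipa.domain.com")],
}


def lookup_srv(service, search, zone=ZONE):
    """Try each 'search' suffix in order, as a stub resolver does for an
    unqualified name, and return (fqdn, records) for the first hit."""
    for suffix in search:
        fqdn = f"{service}.{suffix}".lower()
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None, []


def choose_srv_target(records, rng=random):
    """RFC 2782 selection: lowest priority wins; ties are broken by a
    weighted random pick so equal-weight servers share the load."""
    if not records:
        return None
    best = min(r[0] for r in records)
    candidates = [r for r in records if r[0] == best]
    total = sum(r[1] for r in candidates)
    if total == 0:                      # all weights zero: pick uniformly
        return rng.choice(candidates)[3]
    pick = rng.randint(0, total - 1)
    for _prio, weight, _port, target in candidates:
        if pick < weight:
            return target
        pick -= weight


def ldap_server_for(search, rng=random):
    """Which LDAP server a client with this resolv.conf search list gets."""
    fqdn, records = lookup_srv("_ldap._tcp", search)
    return fqdn, choose_srv_target(records, rng)
```

One caveat the simulation makes visible: the fallback to ipa.domain.com happens only when the site name has no SRV records at all, so a client in a site whose servers are all down still receives only local answers from DNS.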
