I see your point with a messy dns infrastructure, however this would happen in 
the background.

You would still only have one kerberos realm per IPA instance.


Rgds,
Siggi




On Wed, October 19, 2011 21:30, Steven Jones wrote:
> Hi,
>
>
> I think AD sort of does this which they have now backed away from?
>
>
> From my very limited understanding having sub-domains/realms seems to be 
> counter-productive....in
> that trying to do cross-realm trusts/passwords/user info becomes a nightmare?
>
> I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and 
> student.vuw.ac.nz in a
> winsync (password) agreement, I dont know even if that's possible?  Yet with 
> a flat domain to
> flat domain its easy?
>
> regards
>
> Steven Jones
>
>
> Technical Specialist - Linux RHCE
>
>
> Victoria University, Wellington, NZ
>
>
> 0064 4 463 6272
>
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Sigbjorn
> Lie [sigbj...@nixtra.com]
> Sent: Thursday, 20 October 2011 8:14 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] The concept of sites...
>
>
> Hi,
>
>
> Has there been given any thought to the concept of sites within IPA to
> improve cross-site implementations? This should be easy to implement as you 
> are already using DNS
> SRV records to locate the ldap/kerberos servers.
>
>
> E.g.
> Site: Boston
> Site: London
>
>
>
> Create a subdomain of the IPA dns domain named _sites, and a subdomain
> of _sites for each site.
>
> Boston._sites.ipa.domain.com would contain the srv entries for IPA
> servers in Boston: _ldap._tcp        in    srv    0 100 389 boston-ipa-server1
> _ldap._tcp        in    srv    0 100 389 boston-ipa-server2
> .....
>
>
> London._sites.ipa.domain.com would contain the srv entries for IPA
> serers in London: _ldap._tcp        in    srv    0 100 389 london-ipa-server1
> _ldap._tcp        in    srv    0 100 389 london-ipa-server2
> ....
>
>
> Now point the client's DNS "search" entry to point to the local site
> first, then search the full name space: Boston client's /etc/resolv.conf:
> search Boston._sites.ipa.domain.com ipa.domain.com
>
> London client's /etc/resolv.conf:
> search London._sites.ipa.domain.com ipa.domain.com
>
>
> The main ipa.domain.com could still contain srv records for all IPA
> servers, or selected IPA servers at the central hub.
>
> I know I can do this manually within the DNS managment in IPA today,
> however it would be a lot easier to maintain "Sites" within the IPA 
> webui/cli. *blink* ;)
>
> What's your thoughts on this?
>
>
>
>
> Regards,
> Siggi
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to