Ah right, yes, one realm. However how would you password sync with AD?
So say London.ad.ms.com and Newyork.ad.ms.com With NY as the "head" So with london.ipa.unix.com and newyork.ipa.unix.com Is there still only one winsync agreement? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________________ From: Sigbjorn Lie [[email protected]] Sent: Thursday, 20 October 2011 9:11 a.m. To: Steven Jones Cc: [email protected] Subject: RE: [Freeipa-users] The concept of sites... I see your point with a messy dns infrastructure, however this would happen in the background. You would still only have one kerberos realm per IPA instance. Rgds, Siggi On Wed, October 19, 2011 21:30, Steven Jones wrote: > Hi, > > > I think AD sort of does this which they have now backed away from? > > > From my very limited understanding having sub-domains/realms seems to be > counter-productive....in > that trying to do cross-realm trusts/passwords/user info becomes a nightmare? > > I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and > student.vuw.ac.nz in a > winsync (password) agreement, I dont know even if that's possible? Yet with > a flat domain to > flat domain its easy? > > regards > > Steven Jones > > > Technical Specialist - Linux RHCE > > > Victoria University, Wellington, NZ > > > 0064 4 463 6272 > > > ________________________________________ > From: [email protected] [[email protected]] on > behalf of Sigbjorn > Lie [[email protected]] > Sent: Thursday, 20 October 2011 8:14 a.m. > To: [email protected] > Subject: [Freeipa-users] The concept of sites... > > > Hi, > > > Has there been given any thought to the concept of sites within IPA to > improve cross-site implementations? This should be easy to implement as you > are already using DNS > SRV records to locate the ldap/kerberos servers. > > > E.g. > Site: Boston > Site: London > > > > Create a subdomain of the IPA dns domain named _sites, and a subdomain > of _sites for each site. > > Boston._sites.ipa.domain.com would contain the srv entries for IPA > servers in Boston: _ldap._tcp in srv 0 100 389 boston-ipa-server1 > _ldap._tcp in srv 0 100 389 boston-ipa-server2 > ..... > > > London._sites.ipa.domain.com would contain the srv entries for IPA > serers in London: _ldap._tcp in srv 0 100 389 london-ipa-server1 > _ldap._tcp in srv 0 100 389 london-ipa-server2 > .... > > > Now point the client's DNS "search" entry to point to the local site > first, then search the full name space: Boston client's /etc/resolv.conf: > search Boston._sites.ipa.domain.com ipa.domain.com > > London client's /etc/resolv.conf: > search London._sites.ipa.domain.com ipa.domain.com > > > The main ipa.domain.com could still contain srv records for all IPA > servers, or selected IPA servers at the central hub. > > I know I can do this manually within the DNS managment in IPA today, > however it would be a lot easier to maintain "Sites" within the IPA > webui/cli. *blink* ;) > > What's your thoughts on this? > > > > > Regards, > Siggi > > > > > _______________________________________________ > Freeipa-users mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/freeipa-users > > _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
