Ah right, yes, one realm.

However how would you password sync with AD?

So say London.ad.ms.com and Newyork.ad.ms.com

With NY as the "head"

So with london.ipa.unix.com and newyork.ipa.unix.com

Is there still only one winsync agreement?



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, 20 October 2011 9:11 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] The concept of sites...

I see your point with a messy dns infrastructure, however this would happen in 
the background.

You would still only have one kerberos realm per IPA instance.


Rgds,
Siggi




On Wed, October 19, 2011 21:30, Steven Jones wrote:
> Hi,
>
>
> I think AD sort of does this which they have now backed away from?
>
>
> From my very limited understanding having sub-domains/realms seems to be
> counter-productive... in that trying to do cross-realm trusts/passwords/user
> info becomes a nightmare?
>
> I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and
> student.vuw.ac.nz in a winsync (password) agreement, I don't know even if
> that's possible?  Yet with a flat domain to flat domain it's easy?
>
> regards
>
> Steven Jones
>
>
> Technical Specialist - Linux RHCE
>
>
> Victoria University, Wellington, NZ
>
>
> 0064 4 463 6272
>
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Sigbjorn
> Lie [sigbj...@nixtra.com]
> Sent: Thursday, 20 October 2011 8:14 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] The concept of sites...
>
>
> Hi,
>
>
> Has there been given any thought to the concept of sites within IPA to
> improve cross-site implementations? This should be easy to implement as you
> are already using DNS SRV records to locate the ldap/kerberos servers.
>
>
> E.g.
> Site: Boston
> Site: London
>
>
>
> Create a subdomain of the IPA dns domain named _sites, and a subdomain
> of _sites for each site.
>
> Boston._sites.ipa.domain.com would contain the srv entries for IPA
> servers in Boston:
> _ldap._tcp        in    srv    0 100 389 boston-ipa-server1
> _ldap._tcp        in    srv    0 100 389 boston-ipa-server2
> .....
>
>
> London._sites.ipa.domain.com would contain the srv entries for IPA
> servers in London:
> _ldap._tcp        in    srv    0 100 389 london-ipa-server1
> _ldap._tcp        in    srv    0 100 389 london-ipa-server2
> ....
>
>
> Now point the client's DNS "search" entry to point to the local site
> first, then search the full name space:
>
> Boston client's /etc/resolv.conf:
> search Boston._sites.ipa.domain.com ipa.domain.com
>
> London client's /etc/resolv.conf:
> search London._sites.ipa.domain.com ipa.domain.com
>
>
> The main ipa.domain.com could still contain srv records for all IPA
> servers, or selected IPA servers at the central hub.
>
> I know I can do this manually within the DNS management in IPA today,
> however it would be a lot easier to maintain "Sites" within the IPA
> webui/cli. *blink* ;)
>
> What's your thoughts on this?
>
>
>
>
> Regards,
> Siggi
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


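The search-list trick in Siggi's quoted proposal, as an added example that is not from the thread or from FreeIPA: a small Python stand-in for a stub resolver, with constructed zone data matching the _sites layout above, showing a Boston client and a London client each getting their own site's LDAP servers from the same unqualified `_ldap._tcp` lookup, and a site with no local records falling through to the hub zone. It assumes the client looks up the bare service name (so the resolv.conf search list applies) and orders SRV targets deterministically rather than by weighted random choice.

```python
"""Simulate a stub resolver's search-list expansion for SRV lookups under
the _sites layout.  Added example, not FreeIPA code; zone data is constructed
and the search/ndots behaviour is a simplified model of glibc's."""

# Constructed zone data: FQDN -> list of (priority, weight, port, target).
ZONE = {
    "_ldap._tcp.boston._sites.ipa.domain.com": [
        (0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "boston-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.london._sites.ipa.domain.com": [
        (0, 100, 389, "london-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "london-ipa-server2.ipa.domain.com"),
    ],
    # Hub zone lists every server; a lower priority value is preferred.
    "_ldap._tcp.ipa.domain.com": [
        (0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "london-ipa-server1.ipa.domain.com"),
        (10, 100, 389, "boston-ipa-server2.ipa.domain.com"),
    ],
}


def candidates(name, search, ndots=1):
    """Expand NAME the way a stub resolver does: an absolute name (trailing
    dot) is tried as-is; otherwise the bare name is tried first only if it
    has at least NDOTS dots, then each search suffix is appended in order,
    and the bare name is tried last if it was not tried first."""
    if name.endswith("."):
        return [name.rstrip(".").lower()]
    bare = name.lower()
    out = [bare] if bare.count(".") >= ndots else []
    out += [f"{bare}.{suffix.lower()}" for suffix in search]
    if bare not in out:
        out.append(bare)
    return out


def resolve_srv(name, search, zone=ZONE):
    """Return (matched FQDN, ["host:port", ...]) for the first candidate that
    has SRV records, ordered by priority ascending then weight descending.
    Real resolvers pick among equal-priority targets randomly by weight;
    this keeps the order stable so results are reproducible."""
    for fqdn in candidates(name, search):
        rrs = zone.get(fqdn)
        if rrs:
            ordered = sorted(rrs, key=lambda r: (r[0], -r[1]))
            return fqdn, [f"{target}:{port}" for _, _, port, target in ordered]
    return None, []
```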
