The London/newyork DNS sub-domains would be used for looking up SRV records for the local Kerberos/LDAP servers only. The actual domain configured on the client and the Kerberos and LDAP base would still be ipa.domain.com.
Sync with AD would still be done between ipa.domain.com <-> ad.domain.com.

Rgds,
Siggi

On Wed, October 19, 2011 22:15, Steven Jones wrote:
> Ah right, yes, one realm.
>
> However, how would you password sync with AD?
>
> So say London.ad.ms.com and Newyork.ad.ms.com
>
> With NY as the "head"
>
> So with london.ipa.unix.com and newyork.ipa.unix.com
>
> Is there still only one winsync agreement?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Thursday, 20 October 2011 9:11 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] The concept of sites...
>
> I see your point with a messy DNS infrastructure, however this would happen
> in the background.
>
> You would still only have one Kerberos realm per IPA instance.
>
> Rgds,
> Siggi
>
> On Wed, October 19, 2011 21:30, Steven Jones wrote:
>> Hi,
>>
>> I think AD sort of does this which they have now backed away from?
>>
>> From my very limited understanding having sub-domains/realms seems to be
>> counter-productive....in that trying to do cross-realm trusts/passwords/user
>> info becomes a nightmare?
>>
>> I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and
>> student.vuw.ac.nz in a winsync (password) agreement, I don't know even if
>> that's possible? Yet with a flat domain to flat domain it's easy?
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
>> behalf of Sigbjorn Lie [sigbj...@nixtra.com]
>> Sent: Thursday, 20 October 2011 8:14 a.m.
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] The concept of sites...
>>
>> Hi,
>>
>> Has there been given any thought to the concept of sites within IPA to
>> improve cross-site implementations? This should be easy to implement as you
>> are already using DNS SRV records to locate the LDAP/Kerberos servers.
>>
>> E.g.
>> Site: Boston
>> Site: London
>>
>> Create a subdomain of the IPA DNS domain named _sites, and a subdomain
>> of _sites for each site.
>>
>> Boston._sites.ipa.domain.com would contain the SRV entries for IPA
>> servers in Boston:
>>   _ldap._tcp in srv 0 100 389 boston-ipa-server1
>>   _ldap._tcp in srv 0 100 389 boston-ipa-server2
>>   .....
>>
>> London._sites.ipa.domain.com would contain the SRV entries for IPA
>> servers in London:
>>   _ldap._tcp in srv 0 100 389 london-ipa-server1
>>   _ldap._tcp in srv 0 100 389 london-ipa-server2
>>   ....
>>
>> Now point the client's DNS "search" entry to point to the local site
>> first, then search the full name space:
>>
>> Boston client's /etc/resolv.conf:
>>   search Boston._sites.ipa.domain.com ipa.domain.com
>>
>> London client's /etc/resolv.conf:
>>   search London._sites.ipa.domain.com ipa.domain.com
>>
>> The main ipa.domain.com could still contain SRV records for all IPA
>> servers, or selected IPA servers at the central hub.
>>
>> I know I can do this manually within the DNS management in IPA today,
>> however it would be a lot easier to maintain "Sites" within the IPA
>> webui/cli. *blink* ;)
>>
>> What are your thoughts on this?
>>
>> Regards,
>> Siggi
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
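The per-site SRV lookup that the `_sites` proposal above relies on, modelled as an added example (not FreeIPA code and not from anyone in the thread): a client walks its resolver `search` list in order, so a Boston client finds `_ldap._tcp.Boston._sites.ipa.domain.com` first, while a client whose site has no `_sites` zone falls back to the hub records in `ipa.domain.com`. The zone contents, the `hub-ipa-server1` name and the premise that the SRV client honours the resolver search list are assumptions constructed for this example.

```python
"""Model of the per-site SRV lookup scheme proposed in the thread (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed zone data, keyed by owner name, with SRV rdata written as
# "priority weight port target" exactly as in the proposal. The hub
# server name is made up for the example.
ZONE: Dict[str, List[str]] = {
    "_ldap._tcp.Boston._sites.ipa.domain.com": [
        "0 100 389 boston-ipa-server1.ipa.domain.com",
        "0 100 389 boston-ipa-server2.ipa.domain.com",
    ],
    "_ldap._tcp.London._sites.ipa.domain.com": [
        "0 100 389 london-ipa-server1.ipa.domain.com",
        "0 100 389 london-ipa-server2.ipa.domain.com",
    ],
    # Central hub zone lists every server; a lower priority value is preferred.
    "_ldap._tcp.ipa.domain.com": [
        "10 50 389 boston-ipa-server1.ipa.domain.com",
        "10 50 389 london-ipa-server1.ipa.domain.com",
        "0 100 389 hub-ipa-server1.ipa.domain.com",
    ],
}

SrvRecord = Tuple[int, int, int, str]  # priority, weight, port, target

def parse_srv(rdata: str) -> SrvRecord:
    """Split 'priority weight port target' into typed fields."""
    prio, weight, port, target = rdata.split()
    return int(prio), int(weight), int(port), target.rstrip(".").lower()

def lookup_srv(service: str, search: List[str],
               zone: Dict[str, List[str]] = ZONE) -> Tuple[Optional[str], List[SrvRecord]]:
    """Resolve a relative service name by appending each search suffix in turn;
    the first suffix with records wins, so a site-local zone shadows the hub
    zone. Records come back ordered by ascending priority, then descending weight."""
    for suffix in search:
        owner = f"{service}.{suffix}".lower()  # DNS owner names are case-insensitive
        for name, rdatas in zone.items():
            if name.lower() == owner:
                recs = sorted((parse_srv(r) for r in rdatas),
                              key=lambda r: (r[0], -r[1]))
                return suffix, recs
    return None, []  # no zone answered: the client has no server to contact

def preferred_targets(service: str, search: List[str]) -> List[str]:
    """Just the target hostnames, in the order a client should try them."""
    return [rec[3] for rec in lookup_srv(service, search)[1]]
```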