On Fri, 2012-03-02 at 16:10 +0100, Ondrej Valousek wrote:
> > > No, unless you can alias them in the KDC.
> > Our KDC can technically support aliases now, but we haven't added these
> > kind of aliases yet to it. And it is a bit controversial on whether we
> > want to.
> >
> > In a Windows domain you simply cannot have a client residing in a DNS
> > domain that is not the same as the domain controller. This is a pretty
> > hard limitation and we do not want to add it to FreeIPA.
> >
> > Now why does it matter in this case?
> > It matters because, by forcing a single DNS domain, Windows can univocally
> > say a <-> a.b.c given the b.c part is forced on all clients joined to
> > that domain.
> > This does not hold true for FreeIPA. You could have foo.bar.example.com
> > and foo.rab.example.com, i.e. 2 hosts with the same short name but in
> > different subdomains. If we alias both foo's and then we try to obtain a
> > ticket for host/foo@REALM then the KDC does not know which foo you refer
> > to. And if we alias only one then the second foo will simply fail to use
> > the short name.
> >
> > So the solution is to always use fully qualified names, which seems a
> > pretty decent compromise that shouldn't really cause issues in the vast
> > majority of cases.
> >
> > Simo.
>
> I understand now, thanks. But still I see 2 limitations in this:
> 1. I dare say most people do not care that they CAN join a
> foo.rab.example.com machine to the bar.example.com domain - to me, it
> is only confusing. In fact, this is completely new information to me.
> I still believe we should produce at least a small warning if we find
> that DNS domain <> IPA domain.

Well, if it were a bet you'd have lost it :-)
We already have multiple users doing exactly that, and for good reasons as far as I can tell.

> 2. You see problems like this - there is nowhere said that your
> `hostname` must be an FQDN as the OS itself happily accepts both.
> Either case, the ipa-client-install script should be able to detect
> such a case and offer some solution at least (I have a faint feeling
> there is even a BZ already opened against this).

If ipa-client-install is not detecting this situation I think it is a bug.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
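The two checks Ondrej asks for (a warning when the client's DNS domain differs from the IPA domain, and a check that `hostname` is fully qualified) and Simo's explanation of why the KDC cannot safely alias short names can all be expressed in a few lines. The following is an added illustration written for this thread; it is not FreeIPA's ipa-client-install code, and the hostnames, principals and the `bar.example.com` IPA domain are constructed sample data.

```python
"""Client naming checks modelled on the discussion above (added example, not FreeIPA code).

It shows three things:
  (a) an FQDN test for `hostname`, since host principals are derived from it;
  (b) an informational warning when the client's DNS domain differs from the IPA domain
      (allowed by FreeIPA, but worth flagging);
  (c) why a KDC short-name alias such as host/foo@REALM is ambiguous once two hosts in
      different subdomains share the short name "foo".
All hostnames and principals here are constructed sample values.
"""
from collections import defaultdict


def is_fqdn(hostname: str) -> bool:
    """True if the name has at least two non-empty labels, e.g. 'foo.example.com'.

    A trailing dot (absolute name) is tolerated; 'foo' or 'foo.' is not an FQDN,
    and names with empty labels such as 'foo..example.com' are rejected.
    """
    raw = hostname.rstrip(".").split(".")
    labels = [lab for lab in raw if lab]
    return len(labels) >= 2 and labels == raw


def dns_domain_of(hostname: str) -> str:
    """Everything after the first label, lower-cased: 'foo.bar.example.com' -> 'bar.example.com'."""
    if not is_fqdn(hostname):
        return ""
    return hostname.rstrip(".").split(".", 1)[1].lower()


def client_naming_warnings(hostname: str, ipa_domain: str) -> list:
    """Warnings an enrollment script could print before joining the client.

    Neither case is treated as an error: FreeIPA deliberately allows a client in a
    DNS domain other than the IPA domain, and the OS accepts a short hostname.
    Both are flagged because the Kerberos host principal is built from the FQDN.
    """
    warnings = []
    if not is_fqdn(hostname):
        warnings.append(
            f"hostname '{hostname}' is not fully qualified; the host principal "
            f"host/{hostname}@REALM would not correspond to a DNS name"
        )
    elif dns_domain_of(hostname) != ipa_domain.lower():
        warnings.append(
            f"DNS domain '{dns_domain_of(hostname)}' differs from IPA domain "
            f"'{ipa_domain}'; always refer to this host by its fully qualified name"
        )
    return warnings


def ambiguous_short_names(host_principals: list) -> dict:
    """Map short name -> FQDNs for every short name shared by two or more host principals.

    Principals look like 'host/foo.bar.example.com@EXAMPLE.COM'. A non-empty result is
    exactly the situation in which an alias host/<short>@REALM could not be resolved
    to a single host by the KDC.
    """
    by_short = defaultdict(list)
    for princ in host_principals:
        name = princ.split("/", 1)[1].split("@", 1)[0]  # strip 'host/' and '@REALM'
        by_short[name.split(".", 1)[0].lower()].append(name)
    return {short: fqdns for short, fqdns in by_short.items() if len(fqdns) > 1}


# Constructed sample data: the two hosts from Simo's example plus an unambiguous one.
SAMPLE_PRINCIPALS = [
    "host/foo.bar.example.com@EXAMPLE.COM",
    "host/foo.rab.example.com@EXAMPLE.COM",
    "host/db1.bar.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    for host in ("foo", "foo.rab.example.com", "db1.bar.example.com"):
        for w in client_naming_warnings(host, "bar.example.com"):
            print("WARNING:", w)
    print("ambiguous short names:", ambiguous_short_names(SAMPLE_PRINCIPALS))
```

Running the block warns about `foo` (not an FQDN) and about `foo.rab.example.com` (DNS domain differs from the IPA domain), says nothing about `db1.bar.example.com`, and reports `foo` as a short name that two principals share, which is the case where a KDC alias would be unresolvable.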