On Fri, 2012-03-02 at 16:10 +0100, Ondrej Valousek wrote:
> > No, unless you can alias them in the KDC.
> > Our KDC can technically support aliases now, but we haven't added these
> > kinds of aliases yet to it. And it is a bit controversial on whether we
> > want to.
> > 
> > In a Windows domain you simply cannot have a client residing in a DNS
> > domain that is not the same as the domain controller. This is a pretty
> > hard limitation and we do not want to add it to FreeIPA.
> > 
> > Now why does it matter in this case ?
> > It matters because, by forcing a single DNS domain, Windows can univocally
> > say a <-> a.b.c given the b.c part is forced on all clients joined to
> > that domain.
> > This does not hold true for FreeIPA. You could have foo.bar.example.com
> > and foo.rab.example.com, i.e. 2 hosts with the same short name but in
> > different subdomains. If we alias both foo's and then we try to obtain a
> > ticket for host/foo@REALM then the KDC does not know which foo you refer
> > to. And if we alias only one then the second foo will simply fail to use
> > the shortname.
> > 
> > So the solution is to always use fully qualified names, which seems a
> > pretty decent compromise that shouldn't really cause issues in the vast
> > majority of cases.
> > 
> > Simo.
> > 
> I understand now, thanks. But still I see 2 limitations in this:
> 1. I dare to say most people do not care that they CAN join
> foo.rab.example.com machine to the bar.example.com domain - to me, it
> is only confusing. In fact, this is completely new information to me.
> I still believe we should produce at least a small warning if we find
> that DNS domain <> IPA domain.

Well, if it were a bet you'd have lost it :-)
We already have multiple users doing exactly that and for good reasons
as far as I can tell.

> 2. You see problems like this - it is nowhere said that your
> `hostname` must be FQDN as the OS itself happily accepts both.

> In either case, the ipa-client-install script should be able to detect
> such a case and offer some solution at least (I have a faint feeling
> there is even BZ already opened against this).

If ipa-client-install is not detecting this situation I think it is a


