On 08/08/2012 05:42 PM, Rob Ogilvie wrote:
On Tue, Aug 7, 2012 at 7:03 PM, KodaK <sako...@gmail.com> wrote:
It's hard to tell with the obfuscation, but is your DOMAIN the same as
the one handled by the domain controller vm-mapsdc2?

Indeed, it is....

You can only have one Kerberos realm named DOMAIN.

How do they know about each other?

There are DNS SRV records for Kerberos KDC and realm names.

Original Kerberos documentation mentions DNS is in:

Kerberos principles (not only DNS) are described in:

For example, if you have the windows domain/Kerb realm MYCOMPANY.COM,
you will not be able to have it coexist with an IPA server controlling
the realm MYCOMPANY.COM.

That's quite unfortunate.  How can I work around this?  Can I create
the realm BLAH.MYCOMPANY.COM or maybe even NOTMYCOMPANY.COM without a
DNS domain to match, or will I need to interface with the DNS admins?
Is there a good document that describes the nature of these realms and
their relation to DNS?

Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper SRV records (or let IPA manage it).

You can configure all servers and clients statically with /etc/krb5.conf, but it is error-prone and not scalable.

Configuration with AD and IPA with the same domain name is not supported, because it confuses Kerberos libraries.

Petr^2 Spacek
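As an added illustration (not part of Petr's message or of the IPA project's own files): the DNS records a UNIX.MYCOMPANY.COM subdomain would carry for Kerberos discovery, and the krb5.conf mapping that keeps hosts under mycompany.com pointing at the AD realm. The server name ipa1 and its address are assumed.

```text
; Constructed zone fragment for unix.mycompany.com (the IPA-managed subdomain).
; The AD domain mycompany.com keeps its own _kerberos/_ldap records untouched.
$ORIGIN unix.mycompany.com.
ipa1                    IN A     192.0.2.10      ; assumed IPA server

; Realm name returned to hosts that discover it via DNS (dns_lookup_realm)
_kerberos               IN TXT   "UNIX.MYCOMPANY.COM"

; KDC, master KDC, password-change and LDAP service locations
_kerberos._udp          IN SRV   0 100 88  ipa1
_kerberos._tcp          IN SRV   0 100 88  ipa1
_kerberos-master._udp   IN SRV   0 100 88  ipa1
_kerberos-master._tcp   IN SRV   0 100 88  ipa1
_kpasswd._udp           IN SRV   0 100 464 ipa1
_kpasswd._tcp           IN SRV   0 100 464 ipa1
_ldap._tcp              IN SRV   0 100 389 ipa1

# /etc/krb5.conf on an IPA client (only the sections that matter here)
[libdefaults]
  default_realm = UNIX.MYCOMPANY.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true

[domain_realm]
  # Longest-suffix match: the subdomain maps to the IPA realm, every other
  # host under mycompany.com stays with the AD realm of the same name.
  .unix.mycompany.com = UNIX.MYCOMPANY.COM
  unix.mycompany.com  = UNIX.MYCOMPANY.COM
  .mycompany.com      = MYCOMPANY.COM
  mycompany.com       = MYCOMPANY.COM
```

Once the zone is published, `dig +short SRV _kerberos._udp.unix.mycompany.com` from a client should return the ipa1 record, while the same query under mycompany.com still returns the AD domain controllers.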

If it's an oldschool NT type domain you should be OK, but if it's
Active Directory (which uses Kerberos) you can't do it.

It's an Active Directory domain.
