On Wed, Aug 8, 2012 at 11:06 AM, Petr Spacek <pspa...@redhat.com> wrote:

> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
> SRV records (or let IPA to manage it).

Absolutely, this is the best way.

> You can configure each all servers and client statically with
> /etc/krb5.conf, but it is error-prone and not scalable.

You *could* use something like puppet to manage your krb5.conf files
(I have to with our AIX machines.)

Also, it's important to note that your REALM does NOT need to match
your dns domain name
It's a convenience, and it's very, very helpful to do so, but it is
possible to have a REALM called
"MIDDLEEARTH" if you wanted.  I'm not sure how IPA would deal with
that, but I know you
can do it in straight up Kerberos.


Freeipa-users mailing list

Reply via email to