On 02/19/2013 02:13 PM, Guy Matz wrote:
> Hi! FreeIPA newbie here, with experience in DNS & LDAP . . .
>
> I am inheriting a FreeIPA installation which needs to expand to
> multiple datacenters, and was hoping for a little advice. The current
> freeipa setup uses a subdomain, ny.company.com - with a kerberos realm
> NY7.COMPANY.COM - and I'm wondering if I want to continue this by
> creating additional subdomains & realms for the other datacenters, or
> if I'm better off flattening the namespace to company.com for all
> datacenters.
>
> The reasons to use subdomains are generally:
> 1. to avoid naming collisions
> 2. to delegate administration to some other unit.
>
> Did I miss anything? I don't plan on doing either of those, so I'm
> looking to flatten the namespace. Anyone have any thoughts?
> Especially on the kerberos portion of this question? Thanks a lot!!
>
> Guy

IPA does not support multiple Kerberos realms yet. In the IPA case the DNS domain might not match the Kerberos domain, so AFAIU (and please correct me if I am wrong) you can use one Kerberos realm with multiple DNS subdomains for different offices. And with the latest changes in IPA 3.0 you should be able to delegate administration of the DNS zones to other admins.

>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.