On Tue, 26 Mar 2013, Stijn De Weirdt wrote:
how can one add more domains to the same (existing) realm with ipa?
we would like to bring multiple networks (some private, some public)
under a single realm. as far as i understand krb5.conf, it means
creating the following domain_realm section
.domain1 = REALM
.domain2 = REALM
reading the documentation, i didn't find any clues how to do this
with ipa. default ipa server creation seems to assume a one-to-one
mapping between domain and realm.
It should be done mostly in the same way. As long as all clients and
servers have these mappings configured, they should be able to work.
Right now you have to maintain all these mappings manually, both at
client and server sides.
For 3.2 release or shortly afterwards we are trying to make it easier
configurable. 3.1.3 will have 'ipa realmdomains' command to manage
associated domains' list -- i.e. which DNS domains are associated with
our own realm. 3.2 will have this list exposed to trusted AD domains so
that they can see our topology and know where to send TGT requests (our
KDCs). In addition KDC driver will be able to use the same list to
augment the mapping in KDC. SSSD is also going to fetch the list like it
fetches now list of trusted domains and configures them for clients.
/ Alexander Bokovoy
Freeipa-users mailing list