On 05/08/2013 03:21 PM, Johnny Westerlund wrote:
> I was guessing as much,
> It's just that all the existing servers are already in an existing domain.
> And changing hostnames / FQDNs for all those hosts would hurt.
> The DNS "discover" process of the REALM: is that based on the FQDN of the
> principal, or is it based on the Kerberos realm name?
> example principal: host/host1.foo....@example.com
> When trying to discover a KDC by DNS, does it look for the various SRV/TXT
> like _kerberos._tcp in the foo.bar domain or in the EXAMPLE.COM domain?
It is based on the DNS name. It goes to the DNS server and asks for SRV
records that provide a particular type of service (LDAP, Kerberos, etc.).
It has nothing to do with the Kerberos realm and principal.
> From: Simo Sorce [s...@redhat.com]
> Sent: Wednesday, May 08, 2013 9:06 PM
> To: Johnny Westerlund
> Cc: firstname.lastname@example.org
> Subject: Re: [Freeipa-users] Two kerberos realms for same domainname?
> On Wed, 2013-05-08 at 16:41 +0000, Johnny Westerlund wrote:
>> Hi all
>> I'm planning on implementing an IPA server at a site where there is
>> already a working Active Directory domain.
>> I would still like the machines from AD and IPA to live in the same DNS
>> AD Domainname = foo.bar
>> AD KERBEROS realm = FOO.BAR
>> a Host principal would look like: host/host1.foo....@foo.bar
>> Now I would like to introduce the IPA server under a different realm
>> name but for the same DNS name.
>> IPA domainname = foo.bar
>> IPA KERBEROS realm = LINUX.FOO.BAR (or what ever)
>> a Host principal would look like: host/host2.foo....@linux.foo.bar
>> So basically I would register the hostnames / PTR records in the
>> Microsoft DNS and use the IPA Kerberos REALM for authentication.
>> Am I making any sense? Is this asking for a world of hurt?
> It is possible, and it will hurt.
> You will not be able to use trusts between AD and IPA.
> You will not be able to use Kerberos between Windows client and Linux
> Servers and vice-versa.
> I personally discourage people from doing this if they can and instead
> delegate (or just forward on both sides) a subdomain (like ipa.foo.bar)
> to ipa for all the ipa hosts (server.ipa.foo.bar,
> clientX.ipa.foo.bar ...)
> Simo Sorce * Red Hat, Inc * New York
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
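The point made above (discovery starts from the host's DNS name, not from the realm) is easy to confuse with the separate lookup a Kerberos library does once it knows a realm. The following is an added example, not code from the thread or from FreeIPA: it models both lookups against a constructed in-memory zone so it runs offline. The record names follow the MIT krb5 and FreeIPA conventions (_ldap._tcp and _kerberos TXT for enrolment discovery, _kerberos._udp/_tcp, _kerberos-master, _kerberos-adm and _kpasswd under the realm name for KDC discovery); the parent-domain walk, the zone contents and the host names dc1/server/clientX are assumptions made for illustration.

```python
"""Model of DNS-based Kerberos/IPA discovery (added example, offline).

Two different lookups:
  1. Domain discovery: an enrolling client starts from its own FQDN and
     asks for _ldap._tcp.<domain> SRV and _kerberos.<domain> TXT, trying
     parent domains in turn (assumed walk). Query names come from the
     host's DNS domain, not from any realm.
  2. KDC discovery: with a realm name in hand, MIT krb5 asks for
     _kerberos._udp.<realm> etc., using the realm name as a DNS name.
"""
from typing import Dict, List, Optional, Tuple

RecordKey = Tuple[str, str]  # (owner name, record type)

# Constructed zone data (not real): AD owns foo.bar with realm FOO.BAR;
# IPA lives in the delegated subdomain ipa.foo.bar, as Simo suggests.
# Deliberately nothing is published under linux.foo.bar.
ZONE: Dict[RecordKey, List[str]] = {
    ("_ldap._tcp.foo.bar", "SRV"): ["0 100 389 dc1.foo.bar"],
    ("_kerberos._tcp.foo.bar", "SRV"): ["0 100 88 dc1.foo.bar"],
    ("_kerberos._udp.foo.bar", "SRV"): ["0 100 88 dc1.foo.bar"],
    ("_kerberos.foo.bar", "TXT"): ["FOO.BAR"],
    ("_ldap._tcp.ipa.foo.bar", "SRV"): ["0 100 389 server.ipa.foo.bar"],
    ("_kerberos._tcp.ipa.foo.bar", "SRV"): ["0 100 88 server.ipa.foo.bar"],
    ("_kerberos._udp.ipa.foo.bar", "SRV"): ["0 100 88 server.ipa.foo.bar"],
    ("_kpasswd._udp.ipa.foo.bar", "SRV"): ["0 100 464 server.ipa.foo.bar"],
    ("_kerberos.ipa.foo.bar", "TXT"): ["IPA.FOO.BAR"],
}


def lookup(zone: Dict[RecordKey, List[str]], name: str, rtype: str) -> List[str]:
    """Stand-in for a resolver query; DNS names are case-insensitive."""
    return zone.get((name.lower().rstrip("."), rtype), [])


def parent_domains(fqdn: str) -> List[str]:
    """Candidate discovery domains, from the host's own domain upward.
    host2.foo.bar -> ['foo.bar', 'bar']"""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def discover_domain(fqdn: str, zone=ZONE) -> Optional[Tuple[str, str, str]]:
    """Return (domain, realm, ldap_server) for the first parent domain that
    publishes an _ldap._tcp SRV record, or None if nothing answers.
    The realm comes from the _kerberos TXT record beside it."""
    for domain in parent_domains(fqdn):
        srv = lookup(zone, f"_ldap._tcp.{domain}", "SRV")
        if not srv:
            continue
        txt = lookup(zone, f"_kerberos.{domain}", "TXT")
        realm = txt[0] if txt else domain.upper()
        ldap_target = srv[0].split()[3]  # SRV rdata: prio weight port target
        return domain, realm, ldap_target
    return None


def realm_srv_names(realm: str) -> List[str]:
    """Owner names MIT krb5 queries for a realm; the realm is used as a
    DNS name, so the records must live under that name."""
    r = realm.lower()
    return [
        f"_kerberos._udp.{r}",         # KDCs
        f"_kerberos._tcp.{r}",         # KDCs over TCP
        f"_kerberos-master._udp.{r}",  # master KDC
        f"_kerberos-adm._tcp.{r}",     # kadmin
        f"_kpasswd._udp.{r}",          # password change
    ]


def servers_for_realm(realm: str, zone=ZONE) -> List[str]:
    """Targets answering the realm's SRV queries, in query order, deduplicated."""
    found: List[str] = []
    for qname in realm_srv_names(realm):
        for rr in lookup(zone, qname, "SRV"):
            target = rr.split()[3]
            if target not in found:
                found.append(target)
    return found


if __name__ == "__main__":
    # A Linux host named in foo.bar discovers AD, not IPA: same DNS name, AD's records win.
    print(discover_domain("host2.foo.bar"))
    # A host in the delegated subdomain finds the IPA records first.
    print(discover_domain("clientX.ipa.foo.bar"))
    # Realm LINUX.FOO.BAR would need SRV records under linux.foo.bar, inside AD's zone.
    print(realm_srv_names("LINUX.FOO.BAR"), servers_for_realm("LINUX.FOO.BAR"))
    print(servers_for_realm("IPA.FOO.BAR"))
```

Run as a script to see the two outcomes the thread contrasts: host2.foo.bar resolves to AD's domain controller and realm FOO.BAR regardless of which realm its host principal ends up in, while clientX.ipa.foo.bar resolves to the IPA server and realm IPA.FOO.BAR. The SRV names for a realm LINUX.FOO.BAR would have to be created under linux.foo.bar, i.e. in the zone AD controls, which is why delegating a subdomain is the cleaner split. One caveat for any such setup: SRV/TXT discovery is unauthenticated unless the zone is DNSSEC-signed, so whoever can write to the shared zone decides which KDC a newly enrolling client talks to.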