On Wed, 08 May 2013, Paul Robert Marino wrote:
> The client picks the realm based on the domain name of the host.
> You can control the behavior on the client via krb5.conf, but the
> assumption is you have one realm per domain or host.
>
> From man krb5.conf:
>
>     The [domain_realm] section provides a translation from a hostname to
>     the Kerberos realm name for the services provided by that host.
>
>     The tag name can be a hostname, or a domain name, where domain names
>     are indicated by a prefix of a period (".") character. The value
>     of the relation is the Kerberos realm name for that particular host
>     or domain. Host names and domain names should be in lower case.
>
>     If no translation entry applies, the host's realm is considered to
>     be the hostname's domain portion converted to upper case. For
>     example, the following [domain_realm] section:
>
>         .mit.edu = ATHENA.MIT.EDU
>         mit.edu = ATHENA.MIT.EDU
>         dodo.mit.edu = SMS_TEST.MIT.EDU
>         .ucsc.edu = CATS.UCSC.EDU
>
>     maps dodo.mit.edu into the SMS_TEST.MIT.EDU realm, all other hosts
>     in the MIT.EDU domain to the ATHENA.MIT.EDU realm, and all hosts in
>     the UCSC.EDU domain into the CATS.UCSC.EDU realm.
>     ucbvax.berkeley.edu would be mapped by the default rules to the
>     BERKELEY.EDU realm, while sage.lcs.mit.edu would be mapped to the
>     LCS.MIT.EDU realm.
>
> Also, the question of trusts is really an issue with [capaths], but there is
> also a compatibility issue between the AD Kerberos server and MIT's. It's
> doable with Heimdal Kerberos servers, but FreeIPA is not compatible with
This is not correct. Starting with FreeIPA 3.0 we do support
cross-forest trusts with Active Directory.

/ Alexander Bokovoy
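As an added example (not code from this thread, from MIT krb5 or from FreeIPA), here is a small Python implementation of the [domain_realm] lookup rules quoted above: parse the section, try the exact hostname, then each parent-domain tag from longest to shortest, then fall back to the hostname's domain portion in upper case. The config text is constructed from the man page example; the hostnames tried that are not in the man page (bigbird.mit.edu, slug.ucsc.edu, localhost) are made up. Two things worth seeing in the output: a host with no explicit entry gets whatever realm its DNS name implies, which is why an explicit entry is what actually pins a host to a realm; and with this suffix walk sage.lcs.mit.edu hits the `.mit.edu` entry and maps to ATHENA.MIT.EDU, as the quoted "all other hosts in the MIT.EDU domain" rule says, so a host under lcs.mit.edu only lands in LCS.MIT.EDU if a `.lcs.mit.edu` entry is added.

```python
"""Resolve hostnames to Kerberos realms following the [domain_realm] rules.

Added example, not code from the mailing-list thread, MIT krb5 or FreeIPA.
The sample config below is constructed from the krb5.conf man page example.
"""
import re

# Constructed sample krb5.conf: the man page's [domain_realm] section plus an
# unrelated [libdefaults] section, to show the parser only reads [domain_realm].
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = ATHENA.MIT.EDU

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU      # every host under mit.edu ...
    mit.edu = ATHENA.MIT.EDU       # ... and the host named mit.edu itself
    dodo.mit.edu = SMS_TEST.MIT.EDU
    .ucsc.edu = CATS.UCSC.EDU
"""


def parse_domain_realm(text):
    """Return {tag: realm} for the [domain_realm] section of krb5.conf-style text.

    Tags (hostnames / .domains) are lowercased because the man page says they
    should be lower case; realm names keep their case as written.
    """
    mapping = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "domain_realm" or "=" not in line:
            continue
        tag, realm = (part.strip() for part in line.split("=", 1))
        mapping[tag.lower()] = realm
    return mapping


def host_to_realm(hostname, mapping):
    """Apply the quoted rules in order:
    1. an exact hostname tag,
    2. the longest matching '.domain' tag (".lcs.mit.edu", then ".mit.edu", then ".edu"),
    3. otherwise the hostname's domain portion converted to upper case.
    A single-label name has no domain portion, so rule 3 cannot apply and we raise.
    """
    host = hostname.lower().rstrip(".")  # case-insensitive, tolerate a trailing dot
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    if len(labels) < 2:
        raise ValueError("no domain portion to derive a realm from: %r" % hostname)
    return ".".join(labels[1:]).upper()


if __name__ == "__main__":
    realms = parse_domain_realm(SAMPLE_KRB5_CONF)
    for h in ("dodo.mit.edu", "bigbird.mit.edu", "sage.lcs.mit.edu",
              "slug.ucsc.edu", "ucbvax.berkeley.edu"):
        print("%-22s -> %s" % (h, host_to_realm(h, realms)))
```

Running it prints the mapping for each sample host; ucbvax.berkeley.edu is the only one that reaches the default rule, so it is the only line whose realm comes from the DNS name rather than from the config.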

Freeipa-users mailing list
