The "problem" I'm trying to solve is more of a design choice, I guess. I would
like to introduce RH Identity Management (IPA), since we need to handle
authentication for *NIX machines.
I guess I could integrate them with Active Directory, but I would rather
enjoy all the benefits of running RH-IPA (HBAC/sudo rules, and further down
the line SELinux integration) and be able to use my current RH support contracts.
The current infrastructure looks like the following.
Internal DNS/Kerberos domain handled by Microsoft Active Directory:
A second domain consisting of company.tld (this is a correct top-level domain),
but this domain exists both internally and externally.
So internal machines that CAN'T be reached from the outside world have either
company.tld or company.internal hostnames. (All of the *nix machines have the
domain company.tld, although they are almost all internal machines.)
Kerberos authentication is working now for machines on the inside in both DNS
domains. This is handled by Active Directory.
I even have some *nix machines using the AD Kerberos realm for SSO of Apache
web servers; these are all internal company.tld machines.
So the question is how I would design the DNS structure to allow IPA and AD.
I would like to avoid having to move all my current *nix machines out of
company.tld (although this would be the most correct solution).
Maybe I could have dual hostnames for all my *nix machines, but the question is
how much administrative overhead this would give. And I would like to "Keep It
I understand that this might not be a question for this mailing list ;)
I hope it doesn't rub anyone the wrong way.
Freeipa-users mailing list