The "problem" I'm trying to solve is more of a design choice, I guess. I would 
like to introduce RH Identity Management (IPA) since we need to handle 
authentication for *NIX machines.
I guess I could integrate them towards Active Directory, but I would rather 
enjoy all the benefits of running RH-IPA (HBAC/Sudo rules, and further down 
SELinux integration) and be able to use my current RH support contracts.

The current infrastructure looks like the following.
Internal DNS/Kerberos domain handled by Microsoft Active Directory: 
company.internal@COMPANY.INTERNAL
A second domain consisting of company.tld (this is a correct top-level domain), 
but this domain exists both internally and externally.

So internal machines that CAN'T be reached from the outside world have either 
company.tld or company.internal hostnames. (All of the *nix machines have the 
domain company.tld, although they are almost all internal machines.)
Kerberos authentication is working now for machines on the inside in both DNS 
domains. This is handled by Active Directory.
I even have some *nix machines using the AD Kerberos realm for SSO of Apache 
webservers; these are all internal company.tld machines.

So the question is how I would design the DNS structure to allow IPA and AD 
coexistence.
I would like to avoid having to move all my current *nix machines out of 
company.tld (although this would be the most correct solution).
Maybe I could have dual hostnames for all my *nix machines, but the question is 
how much administrative overhead this would give. And I would like to "Keep It 
Simple".

I understand that this might not be a question for this mailing list ;)
I hope it doesn't rub anyone the wrong way.


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
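The trade-off raised in the post (rename every *nix host into an IPA-owned DNS domain, or keep the company.tld names and carry extra configuration) can be checked mechanically before anything is deployed. The script below is an added example, not code from the post or from the FreeIPA project. It assumes one common layout: AD keeps the COMPANY.INTERNAL realm and stays the default for company.tld, while IPA is installed in a delegated subdomain ipa.company.tld with realm IPA.COMPANY.TLD so its SRV/TXT discovery records never collide with the AD records in company.tld. The realm names, KDC hostnames and host inventory are all constructed for the example; the [domain_realm] resolution order (exact host first, then the nearest parent domain with a leading dot) is how libkrb5 evaluates that section.

```python
"""
Sanity check for an AD + FreeIPA coexistence layout (added example, not from the
original post). Assumed design, which the post itself does not settle:

  - Active Directory keeps realm COMPANY.INTERNAL; its zone company.internal and
    the existing company.tld hosts default to that realm, as they do today.
  - FreeIPA lives in a delegated subdomain ipa.company.tld with realm
    IPA.COMPANY.TLD, so its discovery records do not collide with AD's.
  - *nix hosts keep their company.tld names and are steered to IPA through
    explicit [domain_realm] entries instead of being renamed.

All hostnames below are constructed for the example.
"""

# Realm -> the DNS domain it owns and the KDC it advertises (constructed values).
REALMS = {
    "COMPANY.INTERNAL": {"dns_domain": "company.internal", "kdc": "dc1.company.internal"},
    "IPA.COMPANY.TLD": {"dns_domain": "ipa.company.tld", "kdc": "ipa1.ipa.company.tld"},
}

# Parent domains served by AD that are not a realm's own DNS domain.
EXTRA_DOMAIN_REALMS = {"company.tld": "COMPANY.INTERNAL"}

# Service records a Kerberos/LDAP realm publishes for client discovery in its zone.
SERVICE_RECORDS = [
    ("_kerberos._tcp", 88), ("_kerberos._udp", 88),
    ("_kerberos-master._tcp", 88), ("_kerberos-master._udp", 88),
    ("_kpasswd._tcp", 464), ("_kpasswd._udp", 464),
    ("_ldap._tcp", 389),
]


def zone_records(realm):
    """Discovery records a realm should publish in its DNS domain: 7 SRV + 1 TXT."""
    domain, kdc = REALMS[realm]["dns_domain"], REALMS[realm]["kdc"]
    records = [(f"{name}.{domain}.", "SRV", f"0 100 {port} {kdc}.")
               for name, port in SERVICE_RECORDS]
    records.append((f"_kerberos.{domain}.", "TXT", f'"{realm}"'))
    return records


def domain_realm_map(host_overrides):
    """Build the krb5.conf [domain_realm] table: per-domain defaults plus explicit hosts."""
    mapping = {}
    for realm, info in REALMS.items():
        mapping[info["dns_domain"]] = realm          # the domain name itself
        mapping["." + info["dns_domain"]] = realm    # every host under it
    for domain, realm in EXTRA_DOMAIN_REALMS.items():
        mapping[domain] = realm
        mapping["." + domain] = realm
    mapping.update(host_overrides)                   # exact hostnames win
    return mapping


def realm_for_host(hostname, mapping):
    """Resolve a host the way libkrb5 walks [domain_realm]: exact name first,
    then the nearest parent domain entry with a leading dot."""
    if hostname in mapping:
        return mapping[hostname]
    labels = hostname.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


def check_inventory(inventory, mapping):
    """Return (host, intended_realm, resolved_realm) for every host that would
    end up in the wrong realm under the given mapping."""
    problems = []
    for host, intended in inventory:
        resolved = realm_for_host(host, mapping)
        if resolved != intended:
            problems.append((host, intended, resolved))
    return problems


def render_domain_realm(mapping):
    """Render the mapping as a krb5.conf [domain_realm] section."""
    lines = ["[domain_realm]"]
    lines += [f"    {name} = {realm}" for name, realm in sorted(mapping.items())]
    return "\n".join(lines)


# Constructed inventory: which realm each host is supposed to authenticate against.
INVENTORY = [
    ("dc1.company.internal", "COMPANY.INTERNAL"),
    ("fileserver.company.tld", "COMPANY.INTERNAL"),   # Windows box, stays on AD
    ("web01.company.tld", "IPA.COMPANY.TLD"),          # *nix host keeping its old name
    ("db01.company.tld", "IPA.COMPANY.TLD"),
    ("ipa1.ipa.company.tld", "IPA.COMPANY.TLD"),
]

if __name__ == "__main__":
    # Without overrides the *nix hosts silently fall back to the AD realm.
    print("mismatches, no overrides:", check_inventory(INVENTORY, domain_realm_map({})))
    # One explicit line per migrated host makes the design consistent.
    overrides = {"web01.company.tld": "IPA.COMPANY.TLD", "db01.company.tld": "IPA.COMPANY.TLD"}
    print("mismatches, with overrides:", check_inventory(INVENTORY, domain_realm_map(overrides)))
    print(render_domain_realm(domain_realm_map(overrides)))
    for rec in zone_records("IPA.COMPANY.TLD"):
        print(*rec)
```

Running it shows the cost of keeping the old names concretely: with no overrides, web01 and db01 resolve to COMPANY.INTERNAL and would request tickets from the wrong KDC, while one [domain_realm] line per migrated host (the overrides dict) brings the mismatch list to empty. That per-host list is the administrative overhead of the "keep the hostnames" option, and the check can be rerun whenever a host is added so that a silent fall-back to the AD realm is caught before it becomes an authentication failure.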