Well there are only two ways to do that.
The first is to go "old school" and deploy static config files to your *NX hosts instead of utilizing the DNS to automatically configure them. On the bright side there are only a few files so its fairly strait forward and easy to do.

The other way is to implement views in your DNS. I haven't done this in years but you can set up a DNS to return different results based on the source IP address of the host making the query. The problem is it can be a little unwieldy to maintain, and it can make it harder to diagnose problem if you don't properly take it into account when trying to debug issues. In other words this method is any thing but simple.

-- Sent from my HP Pre3

On May 9, 2013 5:05 AM, Johnny Westerlund <johnny.westerl...@atea.se> wrote:

The "problem" i'm trying to solve is more of a design choice i guess. I would like to introduce RH Identity Management (IPA) since we need to handle authentication for *NIX machines.
I guess i could integrate them towards Active Directory but i would rather enjoy all the benefits of running RH-IPA (HBAC/Sudo rules, and further down SELINUX integration) and able to use my current RH support contracts.

The current infrastructure looks the following.
Internal dns/KERBEROS domain handled by Microsoft active directory: company.internal@COMPANY.INTERNAL
A second domain consisting of company.tld (this is a correct top level domain) but this domain exists both internal and external.

So internall machines that CANT be reached from the outside world has either company.tld or company.internal hostnames. (all of the *nix machines has the domain company.tld allthough they are almost all internal machines)
Kerberos authentication is working now for machines on the inside in both dns domains. This is handled by Active directory.
I even have some *nix machines using AD kerberos realm for SSO of apache webservers, theese are all internal company.tld machines.

So the question is how i would design the DNS structure to allow IPA and AD coexistance.
I would like to avoid having to move all my current *nix machines out of company.tld (allthough this would be the most correct solution)
Maybe i could have dual hostnames for all my *nix machines but the question is how much administrative overhead this would give. And i would like to "Keep It Simple"

I understand that this might not be a question for this mailing list ;)
I hope it doesnt rub anyone the wrong way.

Freeipa-users mailing list

Reply via email to