The most straightforward and maintainable approach (from the point of view of sensible and obvious data) is to have two FreeIPA domains, each with Krb5 realm the same as its DNS domain, and then set up cross-realm Krb trusts.

HTH

-DTK

--
david t. klein
Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Trevor T Kates (Services - 6)
Sent: Thursday, October 17, 2013 9:36 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Using IPA on Two Completely Different Domains

Greetings,

I’m looking for some advice with respect to implementing an IPA solution on two different domains. Both domains have names that are completely distinct from each other and are out of my control to change. I have IdM 3.0 under CentOS 6.4 supporting one domain and I’d like to put together another IdM instance for the other domain. There is some overlap of users between the two domains. As such, I was wondering if the best solution would be to just treat the domains as completely distinct and manage the IdM instances separately or if there is a way to link them together such that for the users that overlap, modifications only need to be made once and in one place.

Thanks,
Trevor T. Kates

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
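
The layout suggested in the reply, sketched as an MIT Kerberos krb5.conf fragment. This is an added example, not from the thread or from FreeIPA; the domains example.com and example.org and the host names are placeholders, and creating the cross-realm principals on each KDC is assumed to be done separately.

```ini
# Constructed example: two realms, each named after its own DNS domain,
# with a direct two-way cross-realm trust. All names are placeholders.

[libdefaults]
    # Clients in example.com; the example.org side would use EXAMPLE.ORG.
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = ipa1.example.com
        admin_server = ipa1.example.com
    }
    EXAMPLE.ORG = {
        kdc = ipa1.example.org
        admin_server = ipa1.example.org
    }

[domain_realm]
    # Hosts map to the realm that matches their DNS domain.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG

[capaths]
    # "." marks a direct trust path with no intermediate realm.
    EXAMPLE.COM = {
        EXAMPLE.ORG = .
    }
    EXAMPLE.ORG = {
        EXAMPLE.COM = .
    }

# The trust itself is a pair of principals that must exist in BOTH KDC
# databases with identical keys (same password, kvno and enctypes):
#   krbtgt/EXAMPLE.ORG@EXAMPLE.COM  (EXAMPLE.COM users -> EXAMPLE.ORG services)
#   krbtgt/EXAMPLE.COM@EXAMPLE.ORG  (EXAMPLE.ORG users -> EXAMPLE.COM services)
```

Creating only one of the two krbtgt principals yields a one-way trust, which is the narrower choice when only one direction of access is needed.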