On Fri, 25 Oct 2013, david t. klein wrote:
The most straightforward and maintainable (from the point of view of
sensible and obvious data) is to have two FreeIPA domains, each with
Krb5 realm the same as its DNS domain, and then setup cross-realm Krb
Right now FreeIPA does not support trusts with another FreeIPA domain,
only with an Active Directory forest. This means that while you would be
able to set up cross-realm principals manually and authentication would
work, identity for those trusted principals would not be established
automatically upon logon to IPA clients in either domain.

One would need to make sure SSSD configuration on all machines where
users from both realms would need to log-in includes definitions
for both IPA domains and krb5.conf would include proper auth_to_local
rules for both realms. It is doable, just additional amount of work on
top of manual cross-realm trust account creation.

In FreeIPA we don't place restrictions on DNS domains in the same IPA
realm other than the fact that one of DNS domains for the realm should
be equivalent to the realm name (example.com for EXAMPLE.COM) or
otherwise cross-forest trust with Active Directory would not work --
Active Directory enforces "domain equal realm" rule and automatically
searches for service records in the DNS domain named as realm.

IPA machines (clients and servers) can be in whatever DNS domains they
want, just that service records for IPA masters should be resolvable in
the DNS domain named as realm (again, for AD trusts case, normal GNU/Linux
operations do not require that due to domain-realm mapping set up at
client enrollment already). In FreeIPA 3.2+ we handle these additional
DNS domains through 'ipa realmdomains' CLI commands (hooked up into DNS
management, so that each time new DNS domain is encountered,
realmdomains list is updated, even if we do not handle it directly) and
expose them to the trusted Active Directory domain so that name suffix
routing is correctly set up for these additional DNS domains belonging
to IPA namespace.

However, as we don't yet have formal IPA-IPA trusted relationship, much
of work for this case is not automated.

/ Alexander Bokovoy

Freeipa-users mailing list

Reply via email to