On 12/08/2015 03:08 PM, Petr Spacek wrote:
> Does
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs
> and
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
> answer your questions?

Not really. All these documents bring up strings like "ipa.example.com". Sometimes that's a DNS domain, sometimes it's a Kerberos realm (even though it's in lower case letters). The assumption that DNS and realm name match is based upon a recommendation, i.e. you cannot rely upon that. (Not to mention that "example.com" and "ad.example.com" *are* unique.)

My point is: Currently I have a hierarchy between the DNS top level domain "example.com" and the Windows DNS domain "ws.example.com". I do not have a hierarchy between the IM solutions for Unix and Windows (currently NIS and AD). Moving from NIS/bind to FreeIPA I would prefer to keep this setup.

If this is not possible, then I can live with moving the IPA servers to "ipa.example.com" (DNS), but I cannot change the other DNS subnets. Changing existing host and domain names is *highly* expensive.

I don't care very much about the realm name in Kerberos. IMU that's just a string. IPA.EXAMPLE.COM would be fine, if EXAMPLE.COM is not possible.

What would be your suggestion?

Harri
