On 12/08/2015 03:08 PM, Petr Spacek wrote:
> Does
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs
> and
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
> answer your questions?

Not really. All these documents bring up strings like
"ipa.example.com". Sometimes thats a DNS domain, sometimes
its a kerberos realm (even though its in lower case letters).
The assumption that DNS and realm name match is based upon a
recommendation, i.e. you cannot rely upon that. (Not to
mention that "example.com" and "ad.example.com" *are* unique.)

My point is: Currently I have a hierarchy between the DNS top
level domain "example.com" and the windows DNS domain
"ws.example.com". I do not have a hierarchy between the IM
solutions for Unix and Windows (currently NIS and AD). Moving
from NIS/bind to FreeIPA I would prefer to keep this setup. If
this is not possible, then I can live with moving the IPA
servers to "ipa.example.com" (DNS), but I cannot change the
other DNS subnets. Changing existing host and domain names
is *highly* expensive.

I don't care very much about the realm name in Kerberos. IMU
thats just a string. IPA.EXAMPLE.COM would be fine, if
EXAMPLE.COM is not possible.

What would be your suggestion?

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to