Everyone seems to say that you can't have a domain trust across two 
Kerberos realms (FreeIPA and Active Directory) if the hosts share the same DNS 

     Hadoop seems to do this just fine, though.  I'm in the process of helping 
someone setup a trust between the Kerberos realms HADOOP.COMPANY.COM  and  
COMPANY.COM and all of the servers use the DNS domain. (see

     This seems to be standard practice for setting up hadoop clusters.  Why 
wouldn't setting up a one-way trust so that FREEIPA.COMPANY.COM trusts 
COMPANY.COM (with all involved servers having the "" DNS domain)?  
As I understand it, the Kerberos realm FreeIPA uses can be specified during the 
initial setup and it doesn't have to match the domain.

--David Alston
Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to