On Wed, Dec 7, 2016 at 3:57 PM, Brian Candler <b.cand...@pobox.com> wrote:
> The Kerberos realm always has a corresponding DNS domain, so realm
> IPA.LAUTUS.NET has a corresponding DNS domain "ipa.lautus.net".
>

This is the crux of what I find unclear. The docs make it sound as if the DNS domain that corresponds to the Kerberos realm needs to be the exact same DNS domain that the FreeIPA internal DNS is actively managing. But I get the impression in this thread that the DNS domain that corresponds to the Kerberos realm just needs to be a DNS domain that belongs to the organisation using FreeIPA.

Concrete scenario, I wonder if this will work:

A greenfields deployment, no other Kerberos, no Active Directory. Internal DNS to be int.lautus.net, and FreeIPA manages that DNS domain and adds internal hosts to it as they enroll. Public-facing servers are manually registered in lautus.net DNS, which is hosted elsewhere.

But FreeIPA is installed with realm LAUTUS.NET, so it adds _kerberos entries for realm LAUTUS.NET to int.lautus.net, and I manually copy those entries to lautus.net, so everyone agrees that they belong to the same realm.

The reason I want the realm to be LAUTUS.NET is because it makes more sense to me for the internal desktops in the subdomain int.lautus.net to enroll into a realm related to the parent DNS domain than it makes sense for the public-facing servers in the parent lautus.net domain to enroll into a realm related to an internal DNS subdomain.

Or am I making an issue of a cosmetic triviality, and it is not at all strange in the Kerberos realm to enroll a server into a realm related to a DNS subdomain it is not part of?

--
Pieter Nagel
Lautus Solutions (Pty) Ltd
Building 27, The Woodlands, 20 Woodlands Drive, Woodmead, Gauteng
0832587540
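An added example, not part of the thread or of FreeIPA itself, that simulates the two ways a Kerberos client maps a host name to a realm in the scenario above: the static `[domain_realm]` section of krb5.conf (longest-suffix match, leading dot matches any host under the domain) and the `_kerberos.<domain>` TXT lookup that MIT krb5 performs only when `dns_lookup_realm` is enabled. The zone data and host names are constructed; the function names are hypothetical. The check at the end shows why the copy of the `_kerberos` TXT entry into lautus.net matters: without it, hosts in the parent domain cannot discover the realm from DNS.

```python
from typing import Dict, List, Optional, Tuple

# Constructed TXT records, as a client would see them once the _kerberos entry
# FreeIPA adds to int.lautus.net has been copied to the externally hosted
# lautus.net zone. Names are stored lower-case and without a trailing dot.
DNS_TXT: Dict[str, List[str]] = {
    "_kerberos.int.lautus.net": ["LAUTUS.NET"],
    "_kerberos.lautus.net": ["LAUTUS.NET"],
}

# The same mapping expressed as a krb5.conf [domain_realm] section.
# ".int.lautus.net" matches every host below int.lautus.net; the entry without
# a leading dot matches that exact name only.
DOMAIN_REALM: Dict[str, str] = {
    ".int.lautus.net": "LAUTUS.NET",
    "int.lautus.net": "LAUTUS.NET",
    ".lautus.net": "LAUTUS.NET",
    "lautus.net": "LAUTUS.NET",
}


def _normalize(host: str) -> str:
    return host.lower().rstrip(".")


def realm_from_domain_realm(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Static [domain_realm] lookup: exact name first, then the longest
    dotted suffix (".a.b.c" before ".b.c" before ".c")."""
    host = _normalize(host)
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def realm_from_dns_txt(host: str, txt: Dict[str, List[str]]) -> Optional[str]:
    """DNS-based lookup: query _kerberos.<host>, then strip one leading label
    at a time until a TXT answer is found or the labels run out."""
    labels = _normalize(host).split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        answers = txt.get(name)
        if answers:
            return answers[0].strip().upper()
    return None


def missing_realm_hints(domains: List[str], txt: Dict[str, List[str]]) -> List[str]:
    """Domains that carry no _kerberos TXT record: hosts under them can only
    find their realm through static configuration."""
    return [d for d in domains if not txt.get("_kerberos." + _normalize(d))]


def compare_lookups(hosts: List[str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """For each host, the realm from static config and from DNS, side by side."""
    return {
        h: (realm_from_domain_realm(h, DOMAIN_REALM), realm_from_dns_txt(h, DNS_TXT))
        for h in hosts
    }


if __name__ == "__main__":
    for host, (static, dns) in compare_lookups(
        ["desktop1.int.lautus.net", "www.lautus.net", "host.example.org"]
    ).items():
        print(f"{host:28} static={static} dns={dns}")
    # The parent zone before the TXT entry is copied across:
    partial = {"_kerberos.int.lautus.net": ["LAUTUS.NET"]}
    print("zones lacking _kerberos TXT:",
          missing_realm_hints(["int.lautus.net", "lautus.net"], partial))
```

Both lookups agree that a desktop under int.lautus.net and a public server under lautus.net belong to LAUTUS.NET, which is the "everyone agrees" condition in the message; a host in an unrelated domain maps to nothing and falls back to whatever `default_realm` the client has configured.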
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project