On Wed, Dec 7, 2016 at 3:57 PM, Brian Candler <b.cand...@pobox.com> wrote:
> The Kerberos realm always has a corresponding DNS domain, so realm
> IPA.LAUTUS.NET has a corresponding DNS domain "ipa.lautus.net".
This is the crux of what I find unclear. The docs make it sound as if the
DNS domain that corresponds to the Kerberos realm needs to be the exact
same DNS domain that the FreeIPA internal DNS is actively managing. But I
get the impression in this thread that the DNS domain that corresponds to
the Kerberos realm just needs to be a DNS domain that belongs to the
organisation using FreeIPA.
Concrete scenario; I wonder if this will work:
A greenfields deployment, no other Kerberos, no Active Directory. Internal
DNS to be int.lautus.net, and FreeIPA manages that DNS domain and adds
internal hosts to it as they enroll. Public-facing servers are manually
registered in lautus.net DNS, which is hosted elsewhere. But FreeIPA is
installed with realm LAUTUS.NET, so it adds _kerberos entries for realm
LAUTUS.NET to int.lautus.net, and I manually copy those entries to
lautus.net, so everyone agrees that they belong to the same realm.
The reason I want the realm to be LAUTUS.NET is that it makes more sense
to me for the internal desktops in the subdomain int.lautus.net to enroll
into a realm related to the parent DNS domain than it makes for the
public-facing servers in the parent lautus.net domain to enroll into a realm
related to an internal DNS subdomain. Or am I making an issue of a cosmetic
triviality, and is it not at all strange in the Kerberos world to enroll a
server into a realm related to a DNS subdomain it is not part of?
Lautus Solutions (Pty) Ltd
Building 27, The Woodlands, 20 Woodlands Drive, Woodmead, Gauteng
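The realm-discovery walk the scenario above depends on, as an added example that is not part of the thread or of FreeIPA itself: it models the two zones as constructed in-memory records (no DNS queries are made) and mirrors the parent-domain walk MIT Kerberos performs for `dns_lookup_realm`, so the hand-copied `_kerberos` TXT record in lautus.net can be checked against the FreeIPA-managed one in int.lautus.net. Hostnames such as `desktop1.int.lautus.net` and `www.lautus.net` are assumed examples.

```python
"""Realm discovery over constructed DNS records (added example, not from the thread).

Models the post's scenario: FreeIPA manages int.lautus.net, the realm is
LAUTUS.NET, and the _kerberos TXT record is copied by hand into lautus.net.
"""

# Constructed zone data: owner name -> list of TXT strings. A real check would
# query DNS; the records are embedded here so the script runs offline.
ZONES = {
    "_kerberos.int.lautus.net": ["LAUTUS.NET"],   # written by the IPA installer
    "_kerberos.lautus.net": ["LAUTUS.NET"],       # copied manually, per the post
}

def parents(hostname):
    """Yield hostname and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def realm_for_host(hostname, zones=ZONES):
    """Return the realm a client would discover for hostname, or None.

    Looks up _kerberos.<host>, then _kerberos.<parent>, ... and returns the
    first TXT value found, the same walk MIT Kerberos uses for dns_lookup_realm.
    """
    for domain in parents(hostname):
        txt = zones.get(f"_kerberos.{domain}")
        if txt:
            return txt[0]
    return None

def realm_mismatches(hosts, expected_realm, zones=ZONES):
    """Return (host, discovered_realm) pairs that do not resolve to expected_realm.

    Run this after copying the TXT record into the externally hosted zone to
    confirm internal and public hosts agree on the realm.
    """
    return [(h, realm_for_host(h, zones)) for h in hosts
            if realm_for_host(h, zones) != expected_realm]

if __name__ == "__main__":
    hosts = ["desktop1.int.lautus.net", "www.lautus.net", "mail.example.org"]
    for h in hosts:
        print(h, "->", realm_for_host(h))
    print("mismatches:", realm_mismatches(hosts, "LAUTUS.NET"))
```

Dropping the `_kerberos.lautus.net` entry from `ZONES` shows the failure mode the poster wants to avoid: hosts directly under lautus.net then discover no realm at all.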