On Thu, 08 Dec 2016, Pieter Nagel wrote:
On Wed, Dec 7, 2016 at 3:57 PM, Brian Candler <b.cand...@pobox.com> wrote:

The Kerberos realm always has a corresponding DNS domain, so realm
IPA.LAUTUS.NET has a corresponding DNS domain "ipa.lautus.net".


This is the crux of what I find unclear. The docs make it sound as if the
DNS domain that corresponds to the Kerberos realm needs to be the exact
same DNS domain that the FreeIPA internal DNS is actively managing. But I
get the impression in this thread that the DNS domain that corresponds to
the Kerberos realm just needs to be a DNS domain that belongs to the
organisation using FreeIPA.
It is really simple: your DNS domain named as your Kerberos realm must
be under your control, one way or another, to allow automatic discovery
of resources to work.

This is how Kerberos automatic service discovery is designed to work.

If you are not using Kerberos automatic discovery; if all your KDC
resources are fixed in krb5.conf on all machines, all your SSSD
configurations on all IPA machines are fixed to point to exact servers
with no fallback to automatic service discovery; if you are not using
trust to Active Directory forests, you can ignore that requirement.

In the majority of deployments, however, people are relying on automatic
service discovery for multiple reasons or using trust to AD feature.
These deployments must follow the rules defined by those who invented
automatic service discovery and technologies like Active Directory.

Overall, documentation might be too dense on the details, but it is a
balance between giving the necessary details and giving too many
details.

Concrete scenario, I wonder if this will work:

A greenfield deployment, no other Kerberos, no Active Directory. Internal
DNS to be int.lautus.net and FreeIPA manages that DNS domain and adds
internal hosts to it as they enroll. Public-facing servers are manually
registered in lautus.net DNS which is hosted elsewhere. But FreeIPA is
installed with realm LAUTUS.NET so it adds _kerberos entries for realm
LAUTUS.NET to int.lautus.net, and I manually copy those entries to
lautus.net, so everyone agrees that they belong to the same realm.

The reason I want the realm to be LAUTUS.NET is because it makes more sense
to me for the internal desktops in the subdomain int.lautus.net to enroll
into a realm related to the parent DNS domain, than it makes sense for the
public-facing servers in the parent lautus.net domain to enroll into a realm
related to an internal DNS subdomain. Or am I making an issue of a cosmetic
triviality, and it is not at all strange in the Kerberos realm to enroll a
server into a realm related to a DNS subdomain it is not part of?

--
Pieter Nagel
Lautus Solutions (Pty) Ltd
Building 27, The Woodlands, 20 Woodlands Drive, Woodmead, Gauteng
0832587540

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


--
/ Alexander Bokovoy
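To make the point about "the DNS domain named as your Kerberos realm must be under your control" concrete, here is an added example (not code from this thread or from FreeIPA): a small, offline Python model of how an MIT krb5 client locates its realm and its KDCs from DNS. The zone contents are constructed dicts standing in for real DNS, and the host names ipa1, desktop1 and web1 are assumptions. It models the scenario in the quoted mail: realm LAUTUS.NET, an IPA-managed zone int.lautus.net, and the parent zone lautus.net hosted elsewhere, with and without the _kerberos records copied into the parent.

```python
"""Toy model of Kerberos DNS service discovery (dns_lookup_realm / dns_lookup_kdc
as MIT krb5 does it). Real DNS is replaced by dict-based zone snapshots so the
script runs offline. This is an added illustration, not FreeIPA code."""

# Constructed zone snapshots. Host names ipa1, desktop1, web1 are assumptions.
IPA_ZONE = {
    # Records FreeIPA publishes in the zone it manages (int.lautus.net)
    ("_kerberos.int.lautus.net.", "TXT"): ["LAUTUS.NET"],
    ("_kerberos._udp.int.lautus.net.", "SRV"): [(0, 100, 88, "ipa1.int.lautus.net.")],
    ("_kerberos._tcp.int.lautus.net.", "SRV"): [(0, 100, 88, "ipa1.int.lautus.net.")],
}
PARENT_ZONE_COPIED = {
    # The records the poster proposes to copy by hand into the externally hosted
    # parent zone lautus.net, i.e. the DNS domain named after the realm.
    ("_kerberos.lautus.net.", "TXT"): ["LAUTUS.NET"],
    ("_kerberos._udp.lautus.net.", "SRV"): [(0, 100, 88, "ipa1.int.lautus.net.")],
    ("_kerberos._tcp.lautus.net.", "SRV"): [(0, 100, 88, "ipa1.int.lautus.net.")],
}


def lookup(zones, name, rtype):
    """Return the records of type rtype at name, searching the given zone snapshots."""
    key = (name.lower(), rtype)
    for zone in zones:
        if key in zone:
            return zone[key]
    return []


def discover_realm(zones, hostname):
    """dns_lookup_realm: query _kerberos.<hostname> TXT, then each parent domain
    in turn, and take the first answer as the client's default realm."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):  # full name first, then strip one label at a time
        candidate = "_kerberos." + ".".join(labels[i:]) + "."
        txt = lookup(zones, candidate, "TXT")
        if txt:
            return txt[0]
    return None


def discover_kdcs(zones, realm, proto="udp"):
    """dns_lookup_kdc: SRV records are looked up under the DNS domain named after
    the realm, not under the client's own domain. Results are ordered by priority,
    then by weight descending (real resolvers choose randomly among equal-priority
    targets in proportion to weight)."""
    name = "_kerberos._%s.%s." % (proto, realm.lower())
    records = lookup(zones, name, "SRV")
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [(target.rstrip("."), port) for _prio, _weight, port, target in ordered]


def discovery_report(zones, hostname):
    """What a client on `hostname` would learn about its realm and KDCs from DNS alone."""
    realm = discover_realm(zones, hostname)
    kdcs = discover_kdcs(zones, realm) if realm else []
    return {"realm": realm, "kdcs": kdcs}


if __name__ == "__main__":
    scenarios = [
        ([IPA_ZONE], "IPA-managed zone only"),
        ([IPA_ZONE, PARENT_ZONE_COPIED], "records also present in lautus.net"),
    ]
    for zones, label in scenarios:
        for host in ("desktop1.int.lautus.net", "web1.lautus.net"):
            print(label, host, discovery_report(zones, host))
```

Running it shows the asymmetry Alexander describes: a desktop in int.lautus.net finds its realm from the IPA-managed zone alone, but its KDC lookup goes to _kerberos._udp.lautus.net and comes back empty until the parent zone carries those SRV records; a server in lautus.net finds nothing at all without them. Whichever realm name is chosen, the zone with that name is the one that must publish the _kerberos records (or every client must pin its KDCs in krb5.conf and SSSD configuration, as the reply notes).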
