On pe, 09 joulu 2016, Brian Candler wrote:
On 08/12/2016 08:50, Pieter Nagel wrote:


Concrete scenario, I wonder if this will work:

A greenfields deployment, no other kerberos, no Active Directory. Internal DNS to be int.lautus.net <http://int.lautus.net> and FreeIPA manages that DNS domain and adds internal hosts to it as they enroll. Public-facing servers are manually registered in lautus.net <http://lautus.net> DNS which is hosted elsewhere. But FreeIPA is installed with realm LAUTUS.NET <http://LAUTUS.NET> so it adds _kerberos entries for realm LAUTUS.NET <http://LAUTUS.NET> to int.lautus.net <http://int.lautus.net>, and I manually copy those entries to lautus.net <http://lautus.net>, so everone agrees that they belong to the same realm.

The reason I want the realm to be LAUTUS.NET <http://LAUTUS.NET> is because it makes more sense to me that the internal desktops in the subdomain int.lautus.net <http://int.lautus.net> to enroll into a realm related to the parent DNS domain
I see a red flag with "desktops". Do you mean Windows desktops? Then you are talking Active Directory (or the Samba implementation of AD) and there are very specific rules for how the hostnames and the realms interact.

If you are talking Linux/BSD desktops, then it doesn't matter. Personally I would do it the other way round than you propose: let machines foo.lautus.net and bar.int.lautus.net use IPA.LAUTUS.NET as their kerberos realm, because this gives you the *option* of adding a distinct kerberos realm like AD.LAUTUS.NET later.

If you ever introduce Active Directory into your network then you don't want it to be either a subdomain or a parent domain of your IPA domain, unless you enjoy pain.
This is not a big deal, really. Red Hat customers routinely deploy IPA
as a subdomain or a parent domain to Active Directory deployments.


Changing your IPA realm later is also extremely painful.
Right now there is no a procedure to do so. Partially because realm name
is part of the salt used by Kerberos hashes.

, than it makes sense for the public-facing servers in the parent lautus.net <http://lautus.net> domain enroll into a realm related to an internal DNS subdomain.
It's not really a problem. In the DNS you create TXT records:

_kerberos.lautus.net.  TXT  "IPA.LAUTUS.NET"
_kerberos.int.lautus.net  TXT  "IPA.LAUTUS.NET"

and the auto-mapping of hosts to realms just works (in the *nix world anyway)
Correct. Windows systems don't request _kerberos TXT record at all.


Personally I would have no problem publishing
_kerberos.lautus.net.  TXT  "IPA.LAUTUS.NET"
in the public DNS. It's up to you whether you put *.ipa.lautus.net and *.int.lautus.net in the public DNS.

Or am I making an issue of a cosmetic triviality, and it is not all all strange in the kerberos realm to enroll a server into a realm related to a DNS subdomain it is not part of?

In my opinion, not at all strange. You have three things:

1. The DNS domain of the host
2. The Kerberos realm that the host is in
3. The DNS domain of the Kerberos realm

2+3 are bound together, but 1 does not need to relate to 2+3 (unless you are Microsoft)
Even in Microsoft world there are means to add DNS domains to the same
Active Directory domain (they are called name routing suffixes). They
aren't flexible enough though and you are not advised to create many of
them (to the tune of thousands) because they are checked every time a
Kerberos ticket is issued by the AD DC.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
  • ... List dedicated to discussions about use, configuration and deployment of the IPA server.
    • ... freeIPA users list
      • ... Pieter Nagel
        • ... Jacob Evans
      • ... Brian Candler
        • ... Petr Spacek
        • ... Pieter Nagel
          • ... Alexander Bokovoy
            • ... Pieter Nagel
          • ... Brian Candler
            • ... Alexander Bokovoy

Reply via email to