On pe, 09 joulu 2016, Brian Candler wrote:
On 08/12/2016 08:50, Pieter Nagel wrote:
Concrete scenario, I wonder if this will work:
A greenfields deployment, no other kerberos, no Active Directory.
Internal DNS to be int.lautus.net and
FreeIPA manages that DNS domain and adds internal hosts to it as
they enroll. Public-facing servers are manually registered in
lautus.net DNS which is hosted elsewhere. But
FreeIPA is installed with realm LAUTUS.NET so it
adds _kerberos entries for realm LAUTUS.NET to
int.lautus.net, and I manually copy those
entries to lautus.net, so everyone agrees that
they belong to the same realm.
The reason I want the realm to be LAUTUS.NET is
because it makes more sense to me for the internal desktops in the
subdomain int.lautus.net to enroll into a
realm related to the parent DNS domain
I see a red flag with "desktops". Do you mean Windows desktops? Then
you are talking Active Directory (or the Samba implementation of AD)
and there are very specific rules for how the hostnames and the realms
interact.
If you are talking Linux/BSD desktops, then it doesn't matter.
Personally I would do it the other way round than you propose: let
machines foo.lautus.net and bar.int.lautus.net use IPA.LAUTUS.NET as
their kerberos realm, because this gives you the *option* of adding a
distinct kerberos realm like AD.LAUTUS.NET later.
If you ever introduce Active Directory into your network then you
don't want it to be either a subdomain or a parent domain of your IPA
domain, unless you enjoy pain.
This is not a big deal, really. Red Hat customers routinely deploy IPA
as a subdomain or a parent domain to Active Directory deployments.
Changing your IPA realm later is also extremely painful.
Right now there is no procedure to do so, partially because the realm name
is part of the salt used by Kerberos hashes.
, than it makes sense for the public-facing servers in the parent
lautus.net domain to enroll into a realm related to
an internal DNS subdomain.
It's not really a problem. In the DNS you create TXT records:
_kerberos.lautus.net. TXT "IPA.LAUTUS.NET"
_kerberos.int.lautus.net TXT "IPA.LAUTUS.NET"
and the auto-mapping of hosts to realms just works (in the *nix world
anyway)
Correct. Windows systems don't request the _kerberos TXT record at all.
Personally I would have no problem publishing
_kerberos.lautus.net. TXT "IPA.LAUTUS.NET"
in the public DNS. It's up to you whether you put *.ipa.lautus.net and
*.int.lautus.net in the public DNS.
Or am I making an issue of a cosmetic triviality, and it is not at
all strange in the kerberos realm to enroll a server into a realm
related to a DNS subdomain it is not part of?
In my opinion, not at all strange. You have three things:
1. The DNS domain of the host
2. The Kerberos realm that the host is in
3. The DNS domain of the Kerberos realm
2+3 are bound together, but 1 does not need to relate to 2+3 (unless
you are Microsoft)
Even in Microsoft world there are means to add DNS domains to the same
Active Directory domain (they are called name routing suffixes). They
aren't flexible enough though and you are not advised to create many of
them (to the tune of thousands) because they are checked every time a
Kerberos ticket is issued by the AD DC.
--
/ Alexander Bokovoy
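The host-to-realm mapping Brian describes (walking up the host's DNS domain and reading `_kerberos.<domain>` TXT records, roughly as MIT Kerberos does with `dns_lookup_realm`) as an added example, not code from this thread or from FreeIPA. The TXT zone data is constructed inline to match the two records quoted above; `lookup_txt` stands in for a real DNS query.

```python
# Added example: simulate Kerberos realm discovery from _kerberos TXT records.
# The zone data is constructed to mirror the records proposed in the thread.
CONSTRUCTED_TXT = {
    "_kerberos.lautus.net": "IPA.LAUTUS.NET",
    "_kerberos.int.lautus.net": "IPA.LAUTUS.NET",
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query (no network); None when no record exists."""
    return CONSTRUCTED_TXT.get(name.rstrip(".").lower())


def realm_for_host(hostname):
    """Query _kerberos.<name> for the full hostname, then each parent domain
    with at least two labels. Returns (realm, record_name) for the first hit,
    or (None, None) when no record maps the host to a realm."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        qname = "_kerberos." + ".".join(labels[i:])
        realm = lookup_txt(qname)
        if realm is not None:
            return realm, qname
    return None, None


def txt_records_for(realm, domains):
    """Render the zone-file lines an admin would publish so that hosts under
    each of `domains` map to `realm` (the public and internal zones here)."""
    if realm != realm.upper():
        raise ValueError("Kerberos realm names are conventionally uppercase")
    return ['_kerberos.%s. TXT "%s"' % (d.rstrip("."), realm) for d in domains]


if __name__ == "__main__":
    for host in ("foo.lautus.net", "bar.int.lautus.net", "x.example.org"):
        print(host, "->", realm_for_host(host))
    print("\n".join(txt_records_for("IPA.LAUTUS.NET",
                                    ["lautus.net", "int.lautus.net"])))
```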
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project