> Can you have a domain that belongs to a Kerberos realm with a completely
> different domain? For example, could belong to the
> ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
> necessary SRV and TXT records to locate it and krb5.conf is configured
> properly?

This will indeed work.  Its however highly discouraged by FreeIPA.
For example, if you do go this way, you will never be able to
establish trust relationship with Active directory as Active directory
will not accept this setup.

Also, you will be on untested territory.  I don't think may people use
this setup, so the code may not be well exercised in such a setup.  On
the positive side, you could help FreeIPA project flash out any bug
that such a setup may expose.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to