On la, 10 joulu 2016, William Muriithi wrote:
Stephen


Can you have a domain that belongs to a Kerberos realm with a completely
different domain? For example, could example.com belong to the
ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
necessary SRV and TXT records to locate it and krb5.conf is configured
properly?

This will indeed work.  Its however highly discouraged by FreeIPA.
No, it is not.

For example, if you do go this way, you will never be able to
establish trust relationship with Active directory as Active directory
will not accept this setup.
This is not true at all.

Also, you will be on untested territory.  I don't think may people use
this setup, so the code may not be well exercised in such a setup.  On
the positive side, you could help FreeIPA project flash out any bug
that such a setup may expose.
No, this is very well charted territory. Read a number of threads we had
just last week and before, last few months.

In short, the situation Stephen asks an advice on is a very normal case.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to