On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dku...@redhat.com> wrote:

>
> yes you can do it. DNS domain and Kerberos realm are two different things.
> It's common and AFAIK recommended to capitalize DNS domain to get the realm
> but it's not required.
> If you really want to have them different make sure:
> a) anotherdomain.com is under your control,
> b) you don't already have other Kerberos instance (FreeIPA, MIT KRB5, MS
> AD, ...) with ANOTHERDOMAIN.COM <http://anotherdomain.com/> realm
> deployed.
>
> With FreeIPA you can run
> # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
> <http://anotherdomain.com/>
>
> But before you do, why do you want to have the realm different from the
> domain?


David-

We have multiple domains that we want to manage under one Kerberos realm. I
see that's it's possible for FreeIPA to manage multiple realms, but, for
simplicity, I'd rather use just one and have all domains underneath:

REALM.COM
controls example1.com, example2.com, example3.com, etc.

Since we control all domain's DNS, we would create text records for each of
the example{x}.com domains pointing to REALM.COM Kerberos realm. We would
also create SRV records for each of the example{x}.com domains directing
Kerberos lookups to REALM.COM. I know it's a little unorthodox, but I'd
like to do it so we can keep everything in one easily managed lot.

Steve

P.S. I got several pornny spammy replies to this message. Is someone
sneaking into this list somehow?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to