On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <[email protected]> wrote:
> Yes, you can do it. DNS domain and Kerberos realm are two different things.
> It's common and AFAIK recommended to capitalize the DNS domain to get the realm,
> but it's not required.
> If you really want to have them different, make sure:
> a) anotherdomain.com is under your control,
> b) you don't already have another Kerberos instance (FreeIPA, MIT KRB5, MS AD, ...)
>    with the ANOTHERDOMAIN.COM realm deployed.
>
> With FreeIPA you can run
> # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
>
> But before you do, why do you want to have the realm different from the domain?

David-

We have multiple domains that we want to manage under one Kerberos realm. I see that it's possible for FreeIPA to manage multiple realms, but, for simplicity, I'd rather use just one and have all domains underneath: REALM.COM controls example1.com, example2.com, example3.com, etc.

Since we control all domains' DNS, we would create TXT records for each of the example{x}.com domains pointing to the REALM.COM Kerberos realm. We would also create SRV records for each of the example{x}.com domains directing Kerberos lookups to REALM.COM.

I know it's a little unorthodox, but I'd like to do it so we can keep everything in one easily managed lot.

Steve

P.S. I got several porny, spammy replies to this message. Is someone sneaking into this list somehow?
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
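The records Steve describes (a `_kerberos` TXT record naming the realm, plus `_kerberos`/`_kpasswd` SRV records pointing at the KDC) are the standard MIT-style DNS realm and KDC discovery records. The script below is an added example, not from the thread or from FreeIPA: it prints the per-domain zone records for a given DNS domain, prints a matching static `[domain_realm]` stanza for krb5.conf, and offers a `dig`-based check. The realm `REALM.COM` is Steve's; the KDC hostname `kdc1.realm.com` is an assumed placeholder. One caveat a practitioner should keep in mind: the TXT realm hint is only trusted when a client sets `dns_lookup_realm = true`, which MIT krb5 leaves off by default because an attacker who can spoof DNS could then steer clients to a realm of their choosing. Shipping the `[domain_realm]` mapping to clients (or signing the zones with DNSSEC) avoids relying on that unauthenticated hint.

```shell
#!/bin/sh
# Added example, not code from the freeipa-users thread or from FreeIPA.
# Maps several DNS domains onto the single Kerberos realm REALM.COM.
# Assumption: the KDC is reachable as kdc1.realm.com (placeholder name).

REALM="REALM.COM"
KDC_HOST="kdc1.realm.com."

# kerberos_zone_records DOMAIN
# Print BIND-style records to add to DOMAIN's zone so that clients using
# dns_lookup_realm / dns_lookup_kdc resolve DOMAIN to REALM and its KDC.
kerberos_zone_records() {
  domain="$1"
  cat <<EOF
; Realm hint for DOMAIN -> REALM (used only if dns_lookup_realm = true)
_kerberos.${domain}. IN TXT "${REALM}"
; KDC discovery (used if dns_lookup_kdc = true, the MIT default)
_kerberos._udp.${domain}. IN SRV 0 100 88 ${KDC_HOST}
_kerberos._tcp.${domain}. IN SRV 0 100 88 ${KDC_HOST}
_kerberos-master._udp.${domain}. IN SRV 0 100 88 ${KDC_HOST}
_kpasswd._udp.${domain}. IN SRV 0 100 464 ${KDC_HOST}
EOF
}

# krb5_domain_realm DOMAIN...
# Print a [domain_realm] stanza for /etc/krb5.conf covering every DOMAIN
# and its subdomains; this static mapping does not depend on DNS answers.
krb5_domain_realm() {
  echo "[domain_realm]"
  for d in "$@"; do
    echo "    .${d} = ${REALM}"
    echo "    ${d} = ${REALM}"
  done
}

# check_realm_txt DOMAIN
# Query the live TXT record and verify it names REALM (needs dig and
# network access; returns non-zero if the record is missing or different).
check_realm_txt() {
  got=$(dig +short TXT "_kerberos.$1" | tr -d '"')
  [ "$got" = "$REALM" ]
}

# Usage (commented out so the file can be sourced without side effects):
# for d in example1.com example2.com example3.com; do kerberos_zone_records "$d"; done
# krb5_domain_realm example1.com example2.com example3.com
```

Run the loop in the usage comment once per zone you control and paste the output into each zone file; the `[domain_realm]` stanza goes into krb5.conf on every client, so name-to-realm mapping works even where DNS lookups are disabled or untrusted.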
