On Thu, 15 Dec 2016, Brian Candler wrote:
On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dku...@redhat.com
yes you can do it. DNS domain and Kerberos realm are two different
things. It's common and AFAIK recommended to capitalize DNS domain
to get the realm but it's not required.
If you really want to have them different make sure:
a) anotherdomain.com is under your
b) you don't already have another Kerberos instance (FreeIPA, MIT
KRB5, MS AD, ...) with the ANOTHERDOMAIN.COM realm deployed.
With FreeIPA you can run
# ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
But before you do, why do you want to have the realm different
from the domain?
Question: what "domain" does the --domain option to ipa-server-install
actually refer to?
The man page just says "Your DNS domain name". But what does it
1. the DNS domain which holds the kerberos realm location information?
I don't think so; I think if you are searching for realm FOO.COM
you'll always look in the DNS under "foo.com", that's a fixed
2. the DNS name of the IPA server itself? But if set up correctly, it
already has an FQDN (as reported by "hostname -f"). And if you give
the "--hostname" option, that's a FQDN not a bare hostname.
3. the DNS zone which IPA is authoritative for? But you can run IPA
without integrated DNS.
4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com"
puts everything under tree "dc=foo,dc=com"?
5. something else?
It is a combination of some of the above.
LDAP base DN is generated based on the realm name. DNS domain specified
in --domain option is considered a DNS domain we are authoritative for
in the case we install with integrated DNS server. Kerberos realm name
effectively forces use of the DNS domain equal to the realm name as your
primary DNS domain (forest root domain in terms of Active Directory),
but given that we could remap DNS and realm relationship with krb5.conf,
we have a bit more flexibility than the Active Directory design allows.
So you can have IPA masters with FQDNs in totally different DNS domains
than dictated by their Kerberos realm and --domain options. In such
situation you would need to make sure there are additional hints for the
IPA clients to properly find these IPA masters, but nothing dramatically
serious. You can have the Kerberos realm and the --domain option point to
different DNS domains too, though we would not recommend that in the
longer term, given you'd still need to own a DNS domain named after your
Kerberos realm to have autodiscovery working.
After all, these are *flexibility* options. They are not supposed to
make sense in all combinations. Where they aren't making sense, you are
allowed to shoot yourself in the foot if you know what you are doing.
/ Alexander Bokovoy
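A small added example, not from this thread or from the FreeIPA project, that models the two mechanisms Alexander refers to: the krb5.conf [domain_realm] remapping that lets IPA masters have FQDNs outside the realm's DNS domain, and the DNS names a client queries when it has to discover the realm or the KDCs on its own. The krb5.conf, the realm ANOTHERDOMAIN.COM and the hosts in example.com and lab.internal are constructed for the example; the lookup order is a simplified model of libkrb5's profile lookup plus its upper-cased-parent-domain fallback (the DNS TXT step that sits between them when dns_lookup_realm is on is listed separately and not executed).

```python
# Added example (not code from the thread or from FreeIPA): how a host name
# is mapped to a realm from [domain_realm], and which DNS names a client
# has to be able to resolve for autodiscovery when realm != DNS domain.
# Realm, domains and hosts below are constructed for the example.

# Constructed krb5.conf: realm ANOTHERDOMAIN.COM, but the IPA masters live
# in example.com and lab.internal, i.e. in DNS domains the realm name does
# not dictate. [domain_realm] is what makes that work on the clients.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = ANOTHERDOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true

[realms]
  ANOTHERDOMAIN.COM = {
    kdc = ipa1.example.com
    admin_server = ipa1.example.com
  }

[domain_realm]
  .example.com = ANOTHERDOMAIN.COM
  example.com = ANOTHERDOMAIN.COM
  ipa2.lab.internal = ANOTHERDOMAIN.COM
"""


def parse_krb5_conf(text):
    """Minimal parser: returns (default_realm, domain_realm dict).

    Only flat 'key = value' lines of [libdefaults] and [domain_realm] are
    read; the brace-delimited [realms] subsections are skipped.
    """
    section, default_realm, domain_realm = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or line in ("{", "}"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" not in line or line.endswith("{"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "domain_realm":
            domain_realm[key.lower()] = value
    return default_realm, domain_realm


def host_to_realm(host, domain_realm, default_realm=None):
    """Resolve host -> realm from [domain_realm]: the exact host first, then
    each parent domain, trying the dotted form ('.example.com') before the
    bare one. With no match, fall back to the upper-cased parent domain,
    which is libkrb5's built-in fallback (a simplified model; the DNS TXT
    lookup is not performed here). Returns (realm, rule_that_fired).
    """
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host], "domain_realm"
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        for key in ("." + suffix, suffix):
            if key in domain_realm:
                return domain_realm[key], "domain_realm"
    if len(labels) > 1:
        return ".".join(labels[1:]).upper(), "domain_fallback"
    return default_realm, "default_realm"


def realm_txt_query_names(host):
    """TXT names a client tries (dns_lookup_realm = true) to learn a host's
    realm, walking up the parent domains of the host name."""
    labels = host.lower().rstrip(".").split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def kdc_srv_query_names(realm):
    """SRV names used to locate KDCs / IPA servers for a realm. The zone is
    the realm name lower-cased: this is why autodiscovery requires owning a
    DNS domain named after the realm, whatever --domain was set to."""
    zone = realm.lower()
    return [
        "_kerberos._udp." + zone,
        "_kerberos._tcp." + zone,
        "_kerberos-master._udp." + zone,
        "_kpasswd._udp." + zone,
        "_ldap._tcp." + zone,  # IPA clients locate the directory this way
    ]


def realm_matches_domain(dns_domain, realm):
    """The recommended layout: the realm is the DNS domain upper-cased."""
    return realm == dns_domain.rstrip(".").upper()


if __name__ == "__main__":
    default_realm, mapping = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for h in ("ipa1.example.com", "ipa2.lab.internal", "db.lab.internal"):
        print(h, "->", host_to_realm(h, mapping, default_realm))
    print("realm/domain consistent:",
          realm_matches_domain("example.com", default_realm))
    print("needed for KDC autodiscovery:", kdc_srv_query_names(default_realm))
```

The third host, db.lab.internal, is the case the thread warns about: with no [domain_realm] entry and no TXT record for it, libkrb5 guesses LAB.INTERNAL, not ANOTHERDOMAIN.COM, so every host you add in an unmapped domain needs either a mapping pushed to clients or the DNS hints, and the SRV records still have to live under anotherdomain.com.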
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project