On 15.12.2016 23:59, Brian Candler wrote:
>> On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dku...@redhat.com> wrote:
>> Yes, you can do it. DNS domain and Kerberos realm are two different
>> things. It's common and AFAIK recommended to capitalize DNS domain
>> to get the realm but it's not required.
>> If you really want to have them different make sure:
>> a) anotherdomain.com is under your
>> b) you don't already have another Kerberos instance (FreeIPA, MIT
>> KRB5, MS AD, ...) with the ANOTHERDOMAIN.COM realm deployed.
>> With FreeIPA you can run
>> # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
>> But before you do, why do you want to have the realm different
>> from the domain?
> Question: what "domain" does the --domain option to ipa-server-install
> actually refer to?
> The man page just says "Your DNS domain name". But what does it actually
> 1. the DNS domain which holds the Kerberos realm location information? I don't
> think so; I think if you are searching for realm FOO.COM you'll always look in
> the DNS under "foo.com", that's a fixed relationship.
> 2. the DNS name of the IPA server itself? But if set up correctly, it already
> has an FQDN (as reported by "hostname -f"). And if you give the "--hostname"
> option, that's an FQDN, not a bare hostname.
> 3. the DNS zone which IPA is authoritative for? But you can run IPA without
> integrated DNS.
> 4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com" puts
> everything under tree "dc=foo,dc=com"?
> 5. something else?
I've tried to clarify things in the man pages and on the web as well. Please have a
look at the changes and let us know if it is better or not, and preferably what
can be improved and in which way :-)
The modified deployment page is here:
Man page changes and changes in description of installer options are here: