Re: [Freeipa-users] The concept of sites...
I have come across this already, BZ already created: https://fedorahosted.org/sssd/ticket/1032

On 10/19/2011 10:25 PM, Sigbjorn Lie wrote:
> The London/newyork dns sub-domains would be used for looking up srv records for the local kerberos/ldap servers only. The actual domain configured on the client and the kerberos and LDAP base would still be the ipa.domain.com.
>
> Sync with AD would still be done between ipa.domain.com - ad.domain.com.
>
> Rgds,
> Siggi
>
> On Wed, October 19, 2011 22:15, Steven Jones wrote:
>> Ah right, yes, one realm.
>>
>> However how would you password sync with AD?
>>
>> So say London.ad.ms.com and Newyork.ad.ms.com
>> With NY as the head
>> So with london.ipa.unix.com and newyork.ipa.unix.com
>> Is there still only one winsync agreement?
>>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> ________________________________________
>> From: Sigbjorn Lie [sigbj...@nixtra.com]
>> Sent: Thursday, 20 October 2011 9:11 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: RE: [Freeipa-users] The concept of sites...
>>
>> I see your point with a messy dns infrastructure, however this would happen in the background. You would still only have one kerberos realm per IPA instance.
>>
>> Rgds,
>> Siggi
>>
>> On Wed, October 19, 2011 21:30, Steven Jones wrote:
>>> Hi,
>>>
>>> I think AD sort of does this which they have now backed away from?
>>>
>>> From my very limited understanding having sub-domains/realms seems to be counter-productive in that trying to do cross-realm trusts/passwords/user info becomes a nightmare?
>>>
>>> I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and student.vuw.ac.nz in a winsync (password) agreement, I don't know even if that's possible? Yet with a flat domain to flat domain it's easy?
>>>
>>> regards
>>>
>>> Steven Jones
>>> Technical Specialist - Linux RHCE
>>> Victoria University, Wellington, NZ
>>> 0064 4 463 6272
>>>
>>> ________________________________________
>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Sigbjorn Lie [sigbj...@nixtra.com]
>>> Sent: Thursday, 20 October 2011 8:14 a.m.
>>> To: freeipa-users@redhat.com
>>> Subject: [Freeipa-users] The concept of sites...
>>>
>>> Hi,
>>>
>>> Has there been given any thought to the concept of sites within IPA to improve cross-site implementations? This should be easy to implement as you are already using DNS SRV records to locate the ldap/kerberos servers.
>>>
>>> E.g.
>>>
>>> Site: Boston
>>> Site: London
>>>
>>> Create a subdomain of the IPA dns domain named _sites, and a subdomain of _sites for each site.
>>>
>>> Boston._sites.ipa.domain.com would contain the srv entries for IPA servers in Boston:
>>>
>>>     _ldap._tcp    IN SRV 0 100 389 boston-ipa-server1
>>>     _ldap._tcp    IN SRV 0 100 389 boston-ipa-server2
>>>     .
>>>
>>> London._sites.ipa.domain.com would contain the srv entries for IPA servers in London:
>>>
>>>     _ldap._tcp    IN SRV 0 100 389 london-ipa-server1
>>>     _ldap._tcp    IN SRV 0 100 389 london-ipa-server2
>>>
>>> Now point the client's DNS search entry to point to the local site first, then search the full name space:
>>>
>>> Boston client's /etc/resolv.conf:
>>>     search Boston._sites.ipa.domain.com ipa.domain.com
>>>
>>> London client's /etc/resolv.conf:
>>>     search London._sites.ipa.domain.com ipa.domain.com
>>>
>>> The main ipa.domain.com could still contain srv records for all IPA servers, or selected IPA servers at the central hub.
>>>
>>> I know I can do this manually within the DNS management in IPA today, however it would be a lot easier to maintain Sites within the IPA webui/cli. *blink* ;)
>>>
>>> What's your thoughts on this?
>>>
>>> Regards,
>>> Siggi

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communicati...@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18
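The search-list trick in Siggi's proposal quoted above can be checked offline with a small simulation. This is an added example written for this thread, not code from the list or from FreeIPA/SSSD. It embeds a constructed zone (the `_ldap._tcp` SRV records from the proposal, with target hostnames assumed to sit under `ipa.domain.com`, plus a Paris site that has no zone at all) and models how a glibc-style stub resolver expands an unqualified name through the `search` list, including the `ndots` rule, so you can see which name actually answers for a Boston client, a London client, a client at a site with no records, and an absolute query.

```python
"""Simulate the per-site SRV lookup proposed in the thread: a resolver
search list that tries <site>._sites.ipa.domain.com before ipa.domain.com.

Added example for this thread; not FreeIPA or SSSD code.  The zone data
below is constructed to match the names in the proposal; the target
hostnames are assumed to live under ipa.domain.com."""

# Constructed zone data: owner name -> list of SRV (priority, weight, port, target).
# The Boston and London site zones hold only local servers; the main domain
# lists every server, with the Boston hub preferred (lower priority value).
ZONE = {
    "_ldap._tcp.boston._sites.ipa.domain.com": [
        (0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "boston-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.london._sites.ipa.domain.com": [
        (0, 100, 389, "london-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "london-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.ipa.domain.com": [
        (0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "boston-ipa-server2.ipa.domain.com"),
        (10, 100, 389, "london-ipa-server1.ipa.domain.com"),
        (10, 100, 389, "london-ipa-server2.ipa.domain.com"),
    ],
}


def lookup_srv(name):
    """Answer an SRV query against the constructed zone (case-insensitive,
    trailing dot ignored).  Returns [] for NXDOMAIN / no data."""
    return list(ZONE.get(name.lower().rstrip("."), []))


def candidate_names(name, search, ndots=1):
    """Order in which a glibc-style stub resolver tries a name.

    A name ending in '.' is absolute and the search list is not used.
    Otherwise, if the name has at least `ndots` dots it is tried as-is
    first; then each search suffix is appended in resolv.conf order; a
    name with fewer than `ndots` dots is tried as-is only at the end."""
    if name.endswith("."):
        return [name.rstrip(".")]
    candidates = []
    if name.count(".") >= ndots:
        candidates.append(name)
    candidates.extend(f"{name}.{suffix}" for suffix in search)
    if name.count(".") < ndots:
        candidates.append(name)
    return candidates


def resolve_srv(name, search, ndots=1):
    """Walk the candidate names and return (answering_name, records).

    Records are ordered by ascending priority; within a priority RFC 2782
    picks targets by weighted random choice, which is replaced here by a
    stable sort on descending weight so results are reproducible."""
    for candidate in candidate_names(name, search, ndots):
        records = lookup_srv(candidate)
        if records:
            return candidate, sorted(records, key=lambda r: (r[0], -r[1]))
    return None, []


def targets(name, search, ndots=1):
    """Just the target hostnames, in the order a client would try them."""
    _, records = resolve_srv(name, search, ndots)
    return [r[3] for r in records]


if __name__ == "__main__":
    BOSTON = ["Boston._sites.ipa.domain.com", "ipa.domain.com"]
    LONDON = ["London._sites.ipa.domain.com", "ipa.domain.com"]
    PARIS = ["Paris._sites.ipa.domain.com", "ipa.domain.com"]  # site with no zone

    for label, search in (("Boston", BOSTON), ("London", LONDON), ("Paris", PARIS)):
        answered, recs = resolve_srv("_ldap._tcp", search)
        print(f"{label:7} client -> answered by {answered}")
        for prio, weight, port, target in recs:
            print(f"         {prio:3} {weight:3} {port} {target}")

    # An absolute query, as Kerberos libraries and SSSD issue for the realm's
    # own domain, bypasses the search list entirely.
    print("absolute:", targets("_ldap._tcp.ipa.domain.com.", LONDON))
```

Two things the simulation makes visible. Because `_ldap._tcp` already contains one dot, a default `ndots:1` resolver queries it as an absolute name first and only then appends the search suffixes, so every lookup costs one extra NXDOMAIN round-trip before the site zone is consulted. More importantly, the search list only helps software that asks for an unqualified name; Kerberos libraries and SSSD build their SRV queries from the realm or domain name as a fully qualified name (the last call in the block), so they land on the central `_ldap._tcp.ipa.domain.com` records regardless of `/etc/resolv.conf`, which is why the thread ends up separating the SSSD client-side RFE from site management in IPA itself.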
Re: [Freeipa-users] The concept of sites...
Hi Ondrej,

Thanks. That RFE is for SSSD client only. I would like to see the management of sites within the IPA webui/cli.

Regards,
Siggi

On Thu, October 20, 2011 09:02, Ondrej Valousek wrote:
> I have come across this already, BZ already created: https://fedorahosted.org/sssd/ticket/1032
>
> On 10/19/2011 10:25 PM, Sigbjorn Lie wrote:
>> The London/newyork dns sub-domains would be used for looking up srv records for the local kerberos/ldap servers only. The actual domain configured on the client and the kerberos and LDAP base would still be the ipa.domain.com.
>>
>> Sync with AD would still be done between ipa.domain.com - ad.domain.com.
>>
>> Rgds,
>> Siggi
>>
>> On Wed, October 19, 2011 22:15, Steven Jones wrote:
>>> [...]
Re: [Freeipa-users] The concept of sites...
Hi Siggi,

I see and agree fully - we need something like this...

Ondrej

On 10/20/2011 11:55 AM, Sigbjorn Lie wrote:
> Hi Ondrej,
>
> Thanks. That RFE is for SSSD client only. I would like to see the management of sites within the IPA webui/cli.
>
> Regards,
> Siggi
>
> On Thu, October 20, 2011 09:02, Ondrej Valousek wrote:
>> I have come across this already, BZ already created: https://fedorahosted.org/sssd/ticket/1032
>>
>> On 10/19/2011 10:25 PM, Sigbjorn Lie wrote:
>>> [...]
Re: [Freeipa-users] The concept of sites...
On 10/19/2011 03:14 PM, Sigbjorn Lie wrote:
> Hi,
>
> Has there been given any thought to the concept of sites within IPA to improve cross-site implementations? This should be easy to implement as you are already using DNS SRV records to locate the ldap/kerberos servers.
>
> [...]
>
> I know I can do this manually within the DNS management in IPA today, however it would be a lot easier to maintain Sites within the IPA webui/cli. *blink* ;)
>
> What's your thoughts on this?

Please file an RFE in BZ.

> Regards,
> Siggi

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] The concept of sites...
On Wed, 2011-10-19 at 15:24 -0400, Dmitri Pal wrote:
> On 10/19/2011 03:14 PM, Sigbjorn Lie wrote:
>> Hi,
>>
>> Has there been given any thought to the concept of sites within IPA to improve cross-site implementations? This should be easy to implement as you are already using DNS SRV records to locate the ldap/kerberos servers.
>>
>> [...]
>>
>> What's your thoughts on this?
>
> Please file an RFE in BZ.

Please take a look at this document before filing any bz:
http://freeipa.org/page/DNS_Location_Discovery

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] The concept of sites...
I see your point with a messy dns infrastructure, however this would happen in the background. You would still only have one kerberos realm per IPA instance.

Rgds,
Siggi

On Wed, October 19, 2011 21:30, Steven Jones wrote:
> Hi,
>
> I think AD sort of does this which they have now backed away from?
>
> From my very limited understanding having sub-domains/realms seems to be counter-productive in that trying to do cross-realm trusts/passwords/user info becomes a nightmare?
>
> I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and student.vuw.ac.nz in a winsync (password) agreement, I don't know even if that's possible? Yet with a flat domain to flat domain it's easy?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Thursday, 20 October 2011 8:14 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] The concept of sites...
>
> [...]
Re: [Freeipa-users] The concept of sites...
Ah right, yes, one realm.

However how would you password sync with AD?

So say London.ad.ms.com and Newyork.ad.ms.com
With NY as the head
So with london.ipa.unix.com and newyork.ipa.unix.com
Is there still only one winsync agreement?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, 20 October 2011 9:11 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] The concept of sites...

I see your point with a messy dns infrastructure, however this would happen in the background. You would still only have one kerberos realm per IPA instance.

Rgds,
Siggi

On Wed, October 19, 2011 21:30, Steven Jones wrote:
> Hi,
>
> I think AD sort of does this which they have now backed away from?
>
> [...]
Re: [Freeipa-users] The concept of sites...
On Wed, October 19, 2011 21:27, Simo Sorce wrote:
> On Wed, 2011-10-19 at 15:24 -0400, Dmitri Pal wrote:
>> On 10/19/2011 03:14 PM, Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> Has there been given any thought to the concept of sites within IPA to improve cross-site implementations? This should be easy to implement as you are already using DNS SRV records to locate the ldap/kerberos servers.
>>>
>>> [...]
>>>
>>> What's your thoughts on this?
>>
>> Please file an RFE in BZ.
>
> Please take a look at this document before filing any bz:
> http://freeipa.org/page/DNS_Location_Discovery

SPF uses TXT records. Could the SUBNET dns records be substituted with TXT records?

Use the configured LDAP base as dns search as fallback if there are no records found in the dns domain given by the dhcp server?

I understand that was your major concerns?

Rgds,
Siggi
Re: [Freeipa-users] The concept of sites...
The London/newyork dns sub-domains would be used for looking up srv records for the local kerberos/ldap servers only. The actual domain configured on the client and the kerberos and LDAP base would still be the ipa.domain.com.

Sync with AD would still be done between ipa.domain.com - ad.domain.com.

Rgds,
Siggi

On Wed, October 19, 2011 22:15, Steven Jones wrote:
> Ah right, yes, one realm.
>
> However how would you password sync with AD?
>
> So say London.ad.ms.com and Newyork.ad.ms.com
> With NY as the head
> So with london.ipa.unix.com and newyork.ipa.unix.com
> Is there still only one winsync agreement?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Thursday, 20 October 2011 9:11 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] The concept of sites...
>
> I see your point with a messy dns infrastructure, however this would happen in the background. You would still only have one kerberos realm per IPA instance.
>
> Rgds,
> Siggi
>
> On Wed, October 19, 2011 21:30, Steven Jones wrote:
>> [...]