Re: [Freeipa-users] multiple domain, single realm

2013-03-26 Thread Alexander Bokovoy

On Tue, 26 Mar 2013, Stijn De Weirdt wrote:

Hi all,

How can one add more domains to the same (existing) realm with ipa?
We would like to bring multiple networks (some private, some public)
under a single realm. As far as I understand krb5.conf, it means
creating the following domain_realm section:


[domain_realm]
.domain1 = REALM
.domain2 = REALM

Reading the documentation, I didn't find any clues on how to do this
with ipa. Default ipa server creation seems to assume a one-to-one
mapping between domain and realm.

It should be done mostly in the same way. As long as all clients and
servers have these mappings configured, they should be able to work.
Right now you have to maintain all these mappings manually, both at
client and server sides.

For the 3.2 release or shortly afterwards we are trying to make it more
easily configurable. 3.1.3 will have an 'ipa realmdomains' command to
manage the associated domains list -- i.e. which DNS domains are associated
with our own realm. 3.2 will have this list exposed to trusted AD domains so
that they can see our topology and know where to send TGT requests (our
KDCs). In addition, the KDC driver will be able to use the same list to
augment the mapping in the KDC. SSSD is also going to fetch the list, as it
now fetches the list of trusted domains, and configure them for clients.

--
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
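The thread turns on how a Kerberos client reads the [domain_realm] section: the realm a host name maps to is decided by the most specific matching entry, and any domain that is missing from a client's krb5.conf silently falls through to the library's other lookup mechanisms. The following script is an added example, not code from the thread or from the FreeIPA project. It parses the [domain_realm] section of a constructed krb5.conf, resolves host names to realms using an approximation of the MIT krb5 lookup order (full host name first, then each parent domain, most specific first, as an explicit '.domain' entry or as a host entry that implicitly covers the domain below it), and reports which of the domains that are supposed to live in the realm are not mapped. The domain and realm names are constructed for the demonstration.

```python
# Added example (not from the thread or the FreeIPA project): resolve a host
# name to a realm the way a Kerberos client reads [domain_realm], and check
# that every domain meant to live in the realm is actually mapped on a client.
# The krb5.conf text below, and all names in it, are constructed.

CONSTRUCTED_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.REALM
  dns_lookup_realm = false

[domain_realm]
  .domain1.example = EXAMPLE.REALM
  domain1.example = EXAMPLE.REALM
  .domain2.example = EXAMPLE.REALM
  domain2.example = EXAMPLE.REALM
  # one host carved out into a different realm (constructed)
  legacy.domain2.example = OTHER.REALM
"""


def parse_domain_realm(text):
    """Return the [domain_realm] section as a dict of lower-cased key -> realm.

    Only the flat 'key = value' lines of that section are read; the nested
    {...} blocks used by other krb5.conf sections are not needed here.
    """
    mapping = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def host_to_realm(hostname, mapping):
    """Map a host name to a realm (approximation of the MIT krb5 lookup order).

    The full host name is tried first. Then each parent domain is tried, most
    specific first, as '.parent' (an explicit domain entry) and as 'parent'
    (a host entry implicitly covers the domain below it). Returns None when no
    entry matches; a real client would then fall back to its other mechanisms
    (DNS TXT lookup if dns_lookup_realm is on, realm_try_domains, default_realm).
    """
    host = hostname.rstrip(".").lower()  # names are matched case-insensitively
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in mapping:
                return mapping[candidate]
    return None


def unmapped_domains(domains, realm, mapping):
    """Return the domains expected in `realm` whose '.domain' entry is missing or wrong.

    Run this against each client's krb5.conf: until the realm domain list is
    distributed automatically, these mappings have to be kept in sync by hand.
    """
    return [d for d in domains if mapping.get("." + d.lower()) != realm]


if __name__ == "__main__":
    m = parse_domain_realm(CONSTRUCTED_KRB5_CONF)
    for h in ("box.domain1.example", "srv.legacy.domain2.example", "host.unmapped.example"):
        print(h, "->", host_to_realm(h, m))
    print("unmapped:", unmapped_domains(["domain1.example", "domain3.example"], "EXAMPLE.REALM", m))
```

Running it shows the two constructed domains resolving to EXAMPLE.REALM, the carved-out host and everything beneath it going to OTHER.REALM, an unlisted domain resolving to nothing, and the missing domain3.example being flagged. Point the parser at a client's real /etc/krb5.conf and the list of domains the realm is supposed to cover to spot the clients whose mappings drifted.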


Re: [Freeipa-users] multiple domain, single realm

2013-03-26 Thread Stijn De Weirdt
Thanks for the info. I'll set up a test with the current branch and see if
that works for us.


stijn

On 03/26/2013 01:52 PM, Alexander Bokovoy wrote:

On Tue, 26 Mar 2013, Stijn De Weirdt wrote:

Hi all,

How can one add more domains to the same (existing) realm with ipa? We
would like to bring multiple networks (some private, some public)
under a single realm. As far as I understand krb5.conf, it means
creating the following domain_realm section:

[domain_realm]
.domain1 = REALM
.domain2 = REALM

Reading the documentation, I didn't find any clues on how to do this with
ipa. Default ipa server creation seems to assume a one-to-one mapping
between domain and realm.

It should be done mostly in the same way. As long as all clients and
servers have these mappings configured, they should be able to work.
Right now you have to maintain all these mappings manually, both at
client and server sides.

For the 3.2 release or shortly afterwards we are trying to make it more
easily configurable. 3.1.3 will have an 'ipa realmdomains' command to
manage the associated domains list -- i.e. which DNS domains are associated
with our own realm. 3.2 will have this list exposed to trusted AD domains so
that they can see our topology and know where to send TGT requests (our
KDCs). In addition, the KDC driver will be able to use the same list to
augment the mapping in the KDC. SSSD is also going to fetch the list, as it
now fetches the list of trusted domains, and configure them for clients.
