Re: [Freeipa-users] Kerberos realm for different domain

2016-12-19 Thread Petr Spacek
On 15.12.2016 23:59, Brian Candler wrote: >> On Sun, Dec 11, 2016 at 11:31 PM, David Kupka wrote: >> >> >> yes you can do it. DNS domain and Kerberos realm are two different >> things. It's common and AFAIK recommended to capitalize DNS

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Brian Candler
On 16/12/2016 10:19, Alexander Bokovoy wrote: I want to allow users in the AD.EXAMPLE.COM realm to login to machines in the IPA.EXAMPLE.COM realm. Will this still work when the machines are in different DNS domains? Yes, it will. Here is the catch: you need to make sure these different DNS

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Alexander Bokovoy
On Fri, 16 Dec 2016, Brian Candler wrote: On 16/12/2016 08:21, Alexander Bokovoy wrote: So you can have IPA masters with FQDNs in totally different DNS domains than dictated by their Kerberos realm and --domain options. That I understand - not only can the IPA masters have FQDNs in

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Brian Candler
On 16/12/2016 08:21, Alexander Bokovoy wrote: So you can have IPA masters with FQDNs in totally different DNS domains than dictated by their Kerberos realm and --domain options. That I understand - not only can the IPA masters have FQDNs in different DNS domains, but indeed the member

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Alexander Bokovoy
On Thu, 15 Dec 2016, Brian Candler wrote: On Sun, Dec 11, 2016 at 11:31 PM, David Kupka wrote: yes you can do it. DNS domain and Kerberos realm are two different things. It's common and AFAIK recommended to capitalize DNS domain to get

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-15 Thread Brian Candler
On Sun, Dec 11, 2016 at 11:31 PM, David Kupka wrote: yes you can do it. DNS domain and Kerberos realm are two different things. It's common and AFAIK recommended to capitalize DNS domain to get the realm but it's not required. If

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-13 Thread David Kupka
On 13/12/16 07:52, Stephen Ingram wrote: On Sun, Dec 11, 2016 at 11:31 PM, David Kupka wrote: yes you can do it. DNS domain and Kerberos realm are two different things. It's common and AFAIK recommended to capitalize DNS domain to get the realm but it's not required. If

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-12 Thread Stephen Ingram
On Sun, Dec 11, 2016 at 11:31 PM, David Kupka wrote: > > yes you can do it. DNS domain and Kerberos realm are two different things. > It's common and AFAIK recommended to capitalize DNS domain to get the realm > but it's not required. > If you really want to have them

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-11 Thread David Kupka
On 09/12/16 22:56, Stephen Ingram wrote: Can you have a domain that belongs to a Kerberos realm with a completely different domain? For example, could example.com belong to the ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the necessary SRV and TXT records to locate it

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-11 Thread Petr Spacek
On 10.12.2016 19:20, Alexander Bokovoy wrote: > On Sat, 10 Dec 2016, William Muriithi wrote: >> Stephen >>> >>> Can you have a domain that belongs to a Kerberos realm with a completely >>> different domain? For example, could example.com belong to the >>> ANOTHERDOMAIN.COM realm as long as we

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-10 Thread Alexander Bokovoy
On Sat, 10 Dec 2016, William Muriithi wrote: Stephen Can you have a domain that belongs to a Kerberos realm with a completely different domain? For example, could example.com belong to the ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the necessary SRV and TXT

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-10 Thread William Muriithi
Stephen > > Can you have a domain that belongs to a Kerberos realm with a completely > different domain? For example, could example.com belong to the > ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the > necessary SRV and TXT records to locate it and krb5.conf is