On 27/10/2016 10:07, Brian Candler wrote:
> To the OP: in that case, I'd still recommend that you choose a
> distinct kerberos realm like IPA.YOURCOMPANY.COM, with associated
> primary domain "ipa.yourcompany.com", and let FreeIPA manage that
> domain so that it sets up all the right SRV records for
> auto-discovery. But you don't need to put any hosts inside that DNS
> domain at all.
Aside: I have just been trying this out.
What's slightly confusing is that the ipa-server-install process
requires you to set a "domain name" as well as a realm, and it's not
clear to me which "domain" to put here. Is this the domain which
corresponds to the realm, or the domain which the clients normally
reside in, or something else?
For example, suppose I have realm IPA.MYCOMPANY.COM but my servers are
xxx.int.mycompany.com. Should I set the FreeIPA "domain" to
ipa.mycompany.com or int.mycompany.com, or mycompany.com?
After some experimentation, it seems that the LDAP baseDN is always
taken from the realm (dc=ipa,dc=mycompany,dc=com). But the DNS domain is
used for:
- nisDomain and associatedDomain
- ipaDefaultEmailDomain
- crucially, the SRV records are published under the DNS domain
So it looks like you really should put "ipa.mycompany.com" as the DNS
domain, even if the IPA servers are in a different domain.
Regards,
Brian.
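A small check script for the conclusion above, added here as an example and not part of the thread: it derives the base DN from the realm and the auto-discovery record names from the DNS domain (using the thread's example names), and, when `dig` is present, verifies from a client that the records are published under the IPA domain rather than the hosts' own domain. The record list and the `_kerberos` TXT convention are my assumptions about what FreeIPA's DNS integration publishes, not something stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check that realm and DNS domain
# were chosen as discussed. Example names: realm IPA.MYCOMPANY.COM,
# IPA DNS domain ipa.mycompany.com, hosts living in int.mycompany.com.

# The LDAP base DN comes from the realm, not from the DNS domain:
# IPA.MYCOMPANY.COM -> dc=ipa,dc=mycompany,dc=com
realm_to_basedn() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i; print "" }'
}

# SRV records clients use for discovery are published under the DNS
# domain given to ipa-server-install, so that is where to look for them.
# (Assumed record set; standard Kerberos/LDAP SRV names.)
ipa_srv_names() {
    for rr in _ldap._tcp _kerberos._tcp _kerberos._udp \
              _kerberos-master._tcp _kerberos-master._udp \
              _kpasswd._tcp _kpasswd._udp; do
        printf '%s.%s\n' "$rr" "$1"
    done
}

# Query each discovery record with dig; report anything missing and
# confirm the _kerberos TXT record under the domain names the realm.
# Needs network access and dig; returns non-zero if anything is off.
check_ipa_discovery() {
    realm=$1 domain=$2 rc=0
    for name in $(ipa_srv_names "$domain"); do
        if dig +short SRV "$name" | grep -q .; then
            echo "ok       $name"
        else
            echo "MISSING  $name"; rc=1
        fi
    done
    txt=$(dig +short TXT "_kerberos.$domain" | tr -d '"')
    if [ "$txt" = "$realm" ]; then
        echo "ok       _kerberos.$domain TXT = $realm"
    else
        echo "MISMATCH _kerberos.$domain TXT = '$txt' (expected $realm)"; rc=1
    fi
    echo "base DN  $(realm_to_basedn "$realm")"
    return $rc
}

# Usage: sh ipa_discovery.sh check IPA.MYCOMPANY.COM ipa.mycompany.com
case "${1:-}" in check) check_ipa_discovery "$2" "$3" ;; esac
```

Running it from a host in int.mycompany.com against the IPA domain is the quickest way to confirm that clients outside the IPA DNS domain will still auto-discover the servers.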
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project