On 10.12.2016 19:20, Alexander Bokovoy wrote:
> On Sat, 10 Dec 2016, William Muriithi wrote:
>> Stephen
>>>
>>> Can you have a domain that belongs to a Kerberos realm with a completely
>>> different domain? For example, could example.com belong to the
>>> ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
>>> necessary SRV and TXT records to locate it and krb5.conf is configured
>>> properly?
>>
>> This will indeed work. It's however highly discouraged by FreeIPA.
> No, it is not.
>
>> For example, if you do go this way, you will never be able to
>> establish a trust relationship with Active Directory as Active Directory
>> will not accept this setup.
> This is not true at all.
>
>> Also, you will be on untested territory. I don't think many people use
>> this setup, so the code may not be well exercised in such a setup. On
>> the positive side, you could help the FreeIPA project flush out any bug
>> that such a setup may expose.
> No, this is very well charted territory. Read a number of threads we had
> just last week and before, last few months.
>
> In short, the situation Stephen asks for advice on is a very normal case.
Let me clear up this confusion:

The important thing is to have Kerberos REALM = uppercase version of the DNS domain containing all the SRV records (let's call this DNS domain the "primary" DNS domain). If this condition is fulfilled, AD trusts and other auto-detection procedures will work.

You can add an arbitrary number of FreeIPA clients to "secondary" DNS domains as long as they do not overlap with AD-managed domains, and it will just work.

Does it clear the confusion?

--
Petr^2 Spacek
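The layout rule from Petr's reply, written up as a small checker that also emits the krb5.conf `[domain_realm]` mapping and the locator records the primary domain has to publish. This is an added example, not code from the thread or from FreeIPA; it assumes the constructed layout ANOTHERDOMAIN.COM (realm) / anotherdomain.com (primary) / example.com (secondary client domain), a constructed AD-managed domain ad.corp, and a placeholder server host ipa.<primary>.

```python
# Added example (not from the thread or FreeIPA): encodes the layout rule from
# the reply above. Domain names and the server host "ipa.<primary>" are constructed.
from dataclasses import dataclass, field
from typing import List

@dataclass
class Layout:
    realm: str                 # Kerberos realm, e.g. ANOTHERDOMAIN.COM
    primary: str               # DNS domain that carries the SRV/TXT records
    secondary: List[str] = field(default_factory=list)   # extra client domains
    ad_domains: List[str] = field(default_factory=list)  # domains owned by AD

def overlaps(a: str, b: str) -> bool:
    """True if the two DNS domains are equal or one lies inside the other."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_layout(layout: Layout) -> List[str]:
    """Return rule violations; an empty list means trusts and autodiscovery can work."""
    problems = []
    if layout.realm != layout.primary.upper():
        problems.append(f"realm {layout.realm} is not the upper-case form of {layout.primary}")
    for sec in layout.secondary:
        for ad in layout.ad_domains:
            if overlaps(sec, ad):
                problems.append(f"secondary domain {sec} overlaps AD-managed domain {ad}")
    return problems

def locator_records(layout: Layout) -> List[str]:
    """DNS records the primary domain must publish so clients can locate the realm."""
    p, srv = layout.primary, f"ipa.{layout.primary}."   # placeholder KDC host
    return [
        f'_kerberos.{p}. TXT "{layout.realm}"',
        f"_kerberos._udp.{p}. SRV 0 100 88 {srv}",
        f"_kerberos._tcp.{p}. SRV 0 100 88 {srv}",
        f"_ldap._tcp.{p}. SRV 0 100 389 {srv}",
    ]

def domain_realm_section(layout: Layout) -> str:
    """krb5.conf [domain_realm] block mapping every IPA-managed domain onto the one realm."""
    lines = ["[domain_realm]"]
    for dom in [layout.primary, *layout.secondary]:
        lines += [f"  .{dom} = {layout.realm}", f"  {dom} = {layout.realm}"]
    return "\n".join(lines)

if __name__ == "__main__":
    lay = Layout("ANOTHERDOMAIN.COM", "anotherdomain.com", ["example.com"], ["ad.corp"])
    print(check_layout(lay) or "layout OK")
    print("\n".join(locator_records(lay) + [domain_realm_section(lay)]))
```

Running it with a realm that does not match the primary domain, or with a secondary domain that sits under an AD-managed one, lists the violations instead of "layout OK".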