On 09/12/16 22:56, Stephen Ingram wrote:
> Can you have a domain that belongs to a Kerberos realm with a completely
> different domain? For example, could example.com belong to the
> ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
> necessary SRV and TXT records to locate it and krb5.conf is configured
> properly?
>
> Steve

Hello Steve,

Yes, you can do it. The DNS domain and the Kerberos realm are two different things. It's common and AFAIK recommended to capitalize the DNS domain to get the realm, but it's not required.
If you really want to have them different, make sure:
a) anotherdomain.com is under your control,
b) you don't already have another Kerberos instance (FreeIPA, MIT KRB5, MS AD, ...) with the ANOTHERDOMAIN.COM realm deployed.

With FreeIPA you can run
# ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM

But before you do, why do you want to have the realm different from the domain?
--
David Kupka
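
A client-side krb5.conf for the layout discussed in this thread, added here as an illustration and not part of the original messages. The KDC host name ipa.example.com is a hypothetical placeholder, and the DNS records in the comments are constructed samples.

```ini
# Hosts in the DNS domain example.com, Kerberos realm ANOTHERDOMAIN.COM.
# ipa.example.com is a hypothetical KDC host name (assumption).

[libdefaults]
    default_realm = ANOTHERDOMAIN.COM
    # Realm is taken from the static [domain_realm] mapping below
    # instead of being looked up through DNS TXT records.
    dns_lookup_realm = false
    # Listed explicitly under [realms], so no SRV lookup is needed.
    dns_lookup_kdc = false

[realms]
    ANOTHERDOMAIN.COM = {
        kdc = ipa.example.com
        admin_server = ipa.example.com
    }

[domain_realm]
    # Without these lines a client derives the realm EXAMPLE.COM
    # from the host's DNS domain and asks for the wrong realm.
    .example.com = ANOTHERDOMAIN.COM
    example.com = ANOTHERDOMAIN.COM

# DNS-based alternative (dns_lookup_realm = true, dns_lookup_kdc = true).
# Constructed sample records:
#
#   Realm discovery is keyed on the host's DNS domain:
#     _kerberos.example.com.            IN TXT "ANOTHERDOMAIN.COM"
#
#   KDC discovery is keyed on the realm name, so these records live in
#   the anotherdomain.com zone. This is why that zone has to be under
#   your control:
#     _kerberos._udp.anotherdomain.com. IN SRV 0 100 88 ipa.example.com.
#     _kerberos._tcp.anotherdomain.com. IN SRV 0 100 88 ipa.example.com.
```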
