Re: [Freeipa-users] Kerberos realm for different domain

Tue, 13 Dec 2016 01:17:41 -0800 

On 13/12/16 07:52, Stephen Ingram wrote:

On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dku...@redhat.com> wrote:



yes you can do it. DNS domain and Kerberos realm are two different things.
It's common and AFAIK recommended to capitalize DNS domain to get the realm
but it's not required.
If you really want to have them different make sure:
a) anotherdomain.com is under your control,
b) you don't already have other Kerberos instance (FreeIPA, MIT KRB5, MS
AD, ...) with ANOTHERDOMAIN.COM <http://anotherdomain.com/> realm
deployed.

With FreeIPA you can run
# ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
<http://anotherdomain.com/>

But before you do, why do you want to have the realm different from the
domain?



David-

We have multiple domains that we want to manage under one Kerberos realm. I
see that's it's possible for FreeIPA to manage multiple realms, but, for
simplicity, I'd rather use just one and have all domains underneath:

REALM.COM
controls example1.com, example2.com, example3.com, etc.

Since we control all domain's DNS, we would create text records for each of
the example{x}.com domains pointing to REALM.COM Kerberos realm. We would
also create SRV records for each of the example{x}.com domains directing
Kerberos lookups to REALM.COM. I know it's a little unorthodox, but I'd
like to do it so we can keep everything in one easily managed lot.

Steve

P.S. I got several pornny spammy replies to this message. Is someone
sneaking into this list somehow?




Hello Steve,
in fact it's not possible to manage multiple Kerberos realms in one FreeIPA deployment. And judging from your description it also isn't what you want. On the other hand, having one realm and multiple DNS domains is standard situation and usually the name of the realm is derived from the primary domain (e.g. the one that matches organization name). If all your domains are equal just pick the one that you're most sure you'll keep under your control.
Regarding the spamming problem, we're all receiving it and the main problem is that the spam is not targeting freeipa-users@ list but the individual addresses in conversations. There's not much we can do but Simo is trying to find a solution. 
--
David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to