On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dku...@redhat.com> wrote:
Yes, you can do it. DNS domain and Kerberos realm are two different
things. It's common and AFAIK recommended to capitalize the DNS domain
to get the realm, but it's not required.
If you really want to have them different, make sure:
a) anotherdomain.com is under your control,
b) you don't already have another Kerberos instance (FreeIPA, MIT
KRB5, MS AD, ...) with the ANOTHERDOMAIN.COM realm deployed.
With FreeIPA you can run
# ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
But before you do, why do you want to have the realm different
from the domain?
Question: what "domain" does the --domain option to ipa-server-install
actually refer to?
The man page just says "Your DNS domain name". But what does it
actually alter?
1. the DNS domain which holds the kerberos realm location information? I
don't think so; I think if you are searching for realm FOO.COM you'll
always look in the DNS under "foo.com", that's a fixed relationship.
2. the DNS name of the IPA server itself? But if set up correctly, it
already has an FQDN (as reported by "hostname -f"). And if you give the
"--hostname" option, that's a FQDN not a bare hostname.
3. the DNS zone which IPA is authoritative for? But you can run IPA
without integrated DNS.
4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com"
puts everything under tree "dc=foo,dc=com"?
5. something else?
Thanks,
Brian.
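As an added illustration of David's two points (the realm is conventionally the upper-cased DNS domain, and a chosen realm must not collide with a Kerberos deployment that already exists), here is a small pre-flight check written for this thread, not code from FreeIPA. It derives the default realm from a domain and reads the host's existing krb5.conf to spot a realm that is already defined or a [domain_realm] mapping that already sends the domain to a different realm; the krb5.conf text is a constructed sample, and the function names are my own.

```python
import re

# Constructed sample of a pre-existing /etc/krb5.conf on the host (not from the thread).
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM

[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
    admin_server = kdc.example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
"""

def default_realm_for(domain):
    """Conventional default realm: the DNS domain upper-cased."""
    return domain.rstrip(".").upper()

def parse_krb5_conf(text):
    """Minimal krb5.conf reader: (set of realm names, {domain: realm} map)."""
    realms, domain_realm, section = set(), {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)          # section header, e.g. [realms]
        if m:
            section = m.group(1)
            continue
        if section == "realms":
            m = re.match(r"([^\s=]+)\s*=\s*\{", line)   # REALM = {
            if m:
                realms.add(m.group(1))
        elif section == "domain_realm":
            m = re.match(r"([^\s=]+)\s*=\s*(\S+)", line)  # domain = REALM
            if m:
                domain_realm[m.group(1).lower()] = m.group(2)
    return realms, domain_realm

def preflight(domain, realm, krb5_conf_text):
    """Return problems found for the chosen domain/realm pair (empty list = clean)."""
    problems = []
    realms, domain_realm = parse_krb5_conf(krb5_conf_text)
    if realm in realms:
        problems.append(f"realm {realm} is already configured in [realms]")
    d = domain.lower()
    existing = domain_realm.get(d) or domain_realm.get("." + d)
    if existing and existing != realm:
        problems.append(f"{domain} is already mapped to realm {existing}, not {realm}")
    return problems
```

This only inspects the local client configuration; a collision with a realm served elsewhere on the network (another FreeIPA, MIT KRB5 or AD deployment) still has to be checked against DNS and the directory itself.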
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project