On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dku...@redhat.com> wrote:

    Yes, you can do it. DNS domain and Kerberos realm are two different
    things. It's common and AFAIK recommended to capitalize the DNS domain
    to get the realm, but it's not required.
    If you really want to have them different, make sure:
    a) anotherdomain.com is under your control,
    b) you don't already have another Kerberos instance (FreeIPA, MIT
    KRB5, MS AD, ...) with the ANOTHERDOMAIN.COM realm deployed.

    With FreeIPA you can run
    # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM

    But before you do, why do you want to have the realm different
    from the domain?
Question: what "domain" does the --domain option to ipa-server-install actually refer to?

The man page just says "Your DNS domain name". But what does it actually alter?

1. the DNS domain which holds the Kerberos realm location information? I don't think so; I think if you are searching for realm FOO.COM you'll always look in the DNS under "foo.com", that's a fixed relationship.

2. the DNS name of the IPA server itself? But if set up correctly, it already has an FQDN (as reported by "hostname -f"). And if you give the "--hostname" option, that's an FQDN, not a bare hostname.

3. the DNS zone which IPA is authoritative for? But you can run IPA without integrated DNS.

4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com" puts everything under tree "dc=foo,dc=com"?

5. something else?

Thanks,

Brian.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
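The point David makes above, that the DNS domain and the Kerberos realm are separate things and that upper-casing the domain is only a convention, is what the `[domain_realm]` section of krb5.conf exists to express when the two differ. The following is an added example, not code from the thread or from FreeIPA: it derives the conventional realm from a domain, parses a constructed krb5.conf fragment (domain example.com, realm ANOTHERDOMAIN.COM, as in the command above), and performs a simplified model of the MIT krb5 host-to-realm lookup (exact hostname first, then parent domains longest-first, then default_realm; DNS-based lookup is omitted). All hostnames and realms other than those in the thread are constructed.

```python
"""Constructed example: DNS domain vs. Kerberos realm in krb5.conf."""
import re

# Constructed krb5.conf fragment: DNS domain example.com, realm ANOTHERDOMAIN.COM.
# The extra entries are made up to show host- and subdomain-specific overrides.
KRB5_CONF = """
[libdefaults]
  default_realm = ANOTHERDOMAIN.COM
  dns_lookup_realm = false

[domain_realm]
  .example.com = ANOTHERDOMAIN.COM
  example.com = ANOTHERDOMAIN.COM
  .lab.example.com = LAB.EXAMPLE.COM
  legacy.example.com = OLD.REALM
"""


def default_realm_for(domain):
    """The convention from the thread: the realm is the upper-cased DNS domain."""
    return domain.rstrip('.').upper()


def parse_krb5_conf(text):
    """Minimal INI-style parser for krb5.conf, returning {section: {name: value}}.
    Names are lower-cased (hostnames are case-insensitive); realm values keep their case."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()  # '#' starts a comment in krb5.conf
        if not line:
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif '=' in line and current is not None:
            name, value = (part.strip() for part in line.split('=', 1))
            current[name.lower()] = value
    return sections


def realm_for_host(hostname, conf):
    """Simplified model of the MIT krb5 [domain_realm] lookup: the exact hostname wins,
    then each parent domain longest-first (with and without the leading dot),
    and finally libdefaults default_realm. Returns None if nothing matches."""
    mapping = conf.get('domain_realm', {})
    labels = hostname.rstrip('.').lower().split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        keys = (candidate,) if i == 0 else ('.' + candidate, candidate)
        for key in keys:
            if key in mapping:
                return mapping[key]
    return conf.get('libdefaults', {}).get('default_realm')
```

A host-specific entry such as legacy.example.com above takes precedence over the .example.com domain entry, which is why an existing realm claiming the same domain (David's point b) has to be ruled out before choosing a realm that differs from the domain.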