On 15.12.2016 23:59, Brian Candler wrote:
>> On Sun, Dec 11, 2016 at 11:31 PM, David Kupka <dku...@redhat.com> wrote:
>>
>> yes you can do it. DNS domain and Kerberos realm are two different
>> things. It's common and AFAIK recommended to capitalize DNS domain
>> to get the realm but it's not required.
>> If you really want to have them different make sure:
>> a) anotherdomain.com is under your control,
>> b) you don't already have another Kerberos instance (FreeIPA, MIT
>> KRB5, MS AD, ...) with ANOTHERDOMAIN.COM realm deployed.
>>
>> With FreeIPA you can run
>> # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
>>
>> But before you do, why do you want to have the realm different
>> from the domain?
>
> Question: what "domain" does the --domain option to ipa-server-install
> actually refer to?
>
> The man page just says " Your DNS domain name". But what does it actually
> alter?
>
> 1. the DNS domain which holds the kerberos realm location information? I don't
> think so; I think if you are searching for realm FOO.COM you'll always look in
> the DNS under "foo.com", that's a fixed relationship.
>
> 2. the DNS name of the IPA server itself? But if set up correctly, it already
> has an FQDN (as reported by "hostname -f"). And if you give the "--hostname"
> option, that's a FQDN not a bare hostname.
>
> 3. the DNS zone which IPA is authoritative for? But you can run IPA without
> integrated DNS.
>
> 4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com" puts
> everything under tree "dc=foo,dc=com"?
>
> 5. something else?

I've tried to clarify things in the man pages and on the web as well. Please have a look at the changes and let us know if it is better or not, and preferably what can be improved and in which way :-)

The modified deployment page is here:
http://www.freeipa.org/page/Deployment_Recommendations

Man page changes and changes in the description of installer options are here:
https://github.com/freeipa/freeipa/pull/352

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project