Re: [Freeipa-users] Kerberos realm for different domain

2016-12-11 Thread David Kupka

On 09/12/16 22:56, Stephen Ingram wrote:

Can you have a domain that belongs to a Kerberos realm with a completely
different domain? For example, could example.com belong to the
ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
necessary SRV and TXT records to locate it and krb5.conf is configured
properly?

Steve





Hello Steve,

Yes, you can do it. The DNS domain and the Kerberos realm are two different 
things. It's common and AFAIK recommended to capitalize the DNS domain to 
get the realm, but it's not required.

If you really want to have them different, make sure:
a) anotherdomain.com is under your control,
b) you don't already have another Kerberos instance (FreeIPA, MIT KRB5, MS 
AD, ...) with the ANOTHERDOMAIN.COM realm deployed.


With FreeIPA you can run
# ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM

But before you do, why do you want to have the realm different from the 
domain?

--
David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Kerberos realm for different domain

2016-12-11 Thread Petr Spacek
On 10.12.2016 19:20, Alexander Bokovoy wrote:
> On la, 10 joulu 2016, William Muriithi wrote:
>> Stephen
>>>
>>> Can you have a domain that belongs to a Kerberos realm with a completely
>>> different domain? For example, could example.com belong to the
>>> ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
>>> necessary SRV and TXT records to locate it and krb5.conf is configured
>>> properly?
>>
>> This will indeed work.  It's, however, highly discouraged by FreeIPA.
> No, it is not.
> 
>> For example, if you do go this way, you will never be able to
>> establish trust relationship with Active directory as Active directory
>> will not accept this setup.
> This is not true at all.
> 
>> Also, you will be on untested territory.  I don't think many people use
>> this setup, so the code may not be well exercised in such a setup.  On
>> the positive side, you could help the FreeIPA project flush out any bug
>> that such a setup may expose.
> No, this is very well charted territory. Read a number of threads we had
> just last week and before, last few months.
> 
> In short, the situation Stephen asks an advice on is a very normal case.

Let me clear up this confusion:
The important thing is to have the Kerberos REALM = the uppercase version of the
DNS domain containing all the SRV records (let's call this DNS domain the
"primary" DNS domain).

If this condition is fulfilled, AD trusts and other auto-detection procedures
will work. You can add an arbitrary number of FreeIPA clients to "secondary" DNS
domains as long as they do not overlap with AD-managed domains, and it will
just work.

Does that clear up the confusion?

-- 
Petr^2 Spacek
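An added example, not code from this thread or from the FreeIPA project, tying together David's ipa-server-install invocation and Petr's rule. It assumes the layout Petr describes: anotherdomain.com is the "primary" DNS domain that carries the SRV/TXT records, so the realm is ANOTHERDOMAIN.COM (the uppercase of that domain), and example.com is a "secondary" domain whose hosts are pinned to that realm in krb5.conf. The DNS names listed are the ones an MIT-style Kerberos client and FreeIPA look up; whether each one exists in a particular deployment is an assumption to verify with dig.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA). Assumed layout:
#   primary DNS domain  : anotherdomain.com  -> realm ANOTHERDOMAIN.COM
#   secondary DNS domain: example.com        -> mapped via [domain_realm]

# The realm FreeIPA derives from the primary DNS domain: just uppercase it.
realm_for_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# DNS names a Kerberos client expects under the primary domain: the
# _kerberos TXT record naming the realm, plus SRV records for the KDC,
# the master KDC (kpasswd) and the LDAP servers. One "TYPE NAME [VALUE]"
# per line.
expected_records() {
    domain=$1
    realm=$(realm_for_domain "$domain")
    printf 'TXT _kerberos.%s "%s"\n' "$domain" "$realm"
    for svc in _kerberos._udp _kerberos._tcp \
               _kerberos-master._udp _kerberos-master._tcp \
               _kpasswd._udp _kpasswd._tcp _ldap._tcp; do
        printf 'SRV %s.%s\n' "$svc" "$domain"
    done
}

# krb5.conf [domain_realm] stanza that pins each secondary domain, and every
# host inside it, to the realm so clients there never guess from DNS.
domain_realm_stanza() {
    realm=$1
    shift
    echo '[domain_realm]'
    for d in "$@"; do
        printf '  .%s = %s\n  %s = %s\n' "$d" "$realm" "$d" "$realm"
    done
}

# Live check (needs network and dig; not exercised offline): every expected
# SRV record must resolve, and the TXT record must name exactly the realm.
check_live() {
    domain=$1
    realm=$(realm_for_domain "$domain")
    expected_records "$domain" | while read -r type name _; do
        if [ "$type" = TXT ]; then
            got=$(dig +short TXT "$name" | tr -d '"')
            [ "$got" = "$realm" ] || echo "MISMATCH $name: '$got' != '$realm'"
        else
            dig +short SRV "$name" | grep -q . || echo "MISSING SRV $name"
        fi
    done
}

# Usage (offline):
#   expected_records anotherdomain.com
#   domain_realm_stanza ANOTHERDOMAIN.COM example.com
# Usage (with network): check_live anotherdomain.com
```

The point of the stanza is the one the question hints at with "krb5.conf is configured properly": hosts in example.com cannot discover the realm from their own DNS domain name, so the mapping has to be explicit, while hosts in anotherdomain.com get it for free from the uppercase rule and the _kerberos TXT record.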



Re: [Freeipa-users] (no subject)

2016-12-11 Thread William Muriithi
Hi Rob,

>
> >> automount --dumpmaps sss auto.projects
> >>
> > Thanks, this indeed is working.  Thanks for clarifying the man page.
> > It's however not listing any keys on a map created as a child of master
> > using the flag below.
> >  --parentmap=auto.master
> >
> > This seems like a bug.  Could this be a corner case that was missed?
>
> Hard to say without seeing your maps and keys.
>
> You could run `ipa automountlocation-tofiles default` to see what IPA
> thinks things look like.
>
I checked with the above command two weeks ago and indeed got a
better result that way.  Also, though I added the maps using a script
(cli interface), I do see them displayed correctly and nicely on the
FreeIPA GUI.  Finally, they do seem to work fine, as I haven't heard of
any issue with the maps for the last 4 weeks we have been using this
setup.  We had them initially in files and only migrated them to
LDAP recently.

It's after this migration that I noticed that some scripts that used to
parse the auto maps as files are now broken, and I have been attempting
to fix them since.

Regards,
William
