Re: [Freeipa-users] Kerberos realm for different domain

2016-12-19 Thread Petr Spacek 
On 15.12.2016 23:59, Brian Candler wrote:
>> On Sun, Dec 11, 2016 at 11:31 PM, David Kupka > > wrote:
>>
>>
>> yes you can do it. DNS domain and Kerberos realm are two different
>> things. It's common and AFAIK recommended to capitalize DNS domain
>> to get the realm but it's not required.
>> If you really want to have them different make sure:
>> a) anotherdomain.com  is under your
>> control,
>> b) you don't already have other Kerberos instance (FreeIPA, MIT
>> KRB5, MS AD, ...) with ANOTHERDOMAIN.COM
>>  realm deployed.
>>
>> With FreeIPA you can run
>> # ipa-server-install --domain example.com
>>  --realm ANOTHERDOMAIN.COM
>> 
>>
>> But before you do, why do you want to have the realm different
>> from the domain?
>>
>>
> 
> Question: what "domain" does the --domain option to ipa-server-install
> actually refer to?
> 
> The man page just says " Your DNS domain name". But what does it actually 
> alter?
> 
> 1. the DNS domain which holds the kerberos realm location information? I don't
> think so; I think if you are searching for realm FOO.COM you'll always look in
> the DNS under "foo.com", that's a fixed relationship.
> 
> 2. the DNS name of the IPA server itself? But if set up correctly, it already
> has an FQDN (as reported by "hostname -f"). And if you give the "--hostname"
> option, that's a FQDN not a bare hostname.
> 
> 3. the DNS zone which IPA is authoritative for? But you can run IPA without
> integrated DNS.
> 
> 4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com" puts
> everything under tree "dc=foo,dc=com"?
> 
> 5. something else?

I've tried to clarify things in man pages and on web as well. Please have a
look to changes and let us know if it is better or not, and preferably what
can be improved and in which way :-)

The modified deployment page is here:
http://www.freeipa.org/page/Deployment_Recommendations

Man page changes and changes in description of installer options are here:
https://github.com/freeipa/freeipa/pull/352

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Brian Candler 

On 16/12/2016 10:19, Alexander Bokovoy wrote:
I want to allow users in the AD.EXAMPLE.COM realm to login to 
machines in the IPA.EXAMPLE.COM realm.


Will this still work when the machines are in different DNS domains? 

Yes, it will. Here is the catch: you need to make sure these different
DNS domains all mentioned in 'ipa realmdomains-show' and if not, they
should be added by use of 'ipa realmdomains-mod'. None of these domains
must overlap with Active Directory domains, of course. 


Fantastic answer. Thank you so much for taking the time to explain this.

Regards,

Brian.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Alexander Bokovoy 

On pe, 16 joulu 2016, Brian Candler wrote:

On 16/12/2016 08:21, Alexander Bokovoy wrote:


So you can have IPA masters with FQDNs in totally different DNS domains
than dictated by their Kerberos realm and --domain options.


That I understand - not only can the IPA masters have FQDNs in 
different DNS domains, but indeed the member machines of that realm as 
well.


What was unclear to me was whether "ipa-server-install --domain xxx" 
affects the content of the database being built (and therefore 
replicated later to the slaves), or is just something local to the 
host itself.


In the manpage for "ipa-client-install" it's much clearer: in that 
case, it says that --domain is the starting domain for LDAP server 
auto-discovery.


To clarify, there are several DNS auto-discovery mechanisms. Two of 
them are described in the MIT docs at

https://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS

(1) Map hostname aaa.bbb.ccc to realm xxx.yyy.zzz

Look for TXT records for _kerberos.aaa.bbb.ccc, _kerberos.bbb.ccc, 
_kerberos.ccc. The TXT record gives the realm that this host belongs 
to.


(2) Realm xxx.yyy.zzz to Kerberos servers for that realm

Given realm xxx.yyy.zzz, look for in the DNS for SRV records for
_kerberos._udp.xxx.yyy.zzz
_kerberos-master._udp.xxx.yyy.zzz
_kpasswd._udp.xxx.yyy.zzz

This is all very clear.

Now, the manpage for ipa-client-install describes another one, which 
is where I get a bit fuzzy:


(3)

  DNS Autodiscovery
  Client installer by default tries to search for 
_ldap._tcp.DOMAIN  DNS SRV  records for all domains that are parent to

its hostname.  For example, if a client machine has a hostname
'client1.lab.example.com',  the installer will try to retrieve
an IPA server hostname from _ldap._tcp.lab.example.com,
_ldap._tcp.example.com and _ldap._tcp.com DNS  SRV  records,
respectively. The discovered domain is then used to configure client
components (e.g. SSSD and Kerberos 5 configuration) on
the machine.

What it doesn't actually say (but I believe must be true) is that what 
it calls the "discovered domain" is in fact the *realm* to use.  If 
so, effectively this is algorithm (2) in reverse: instead of using it 
for realm to SRV mapping, you hunt for a domain which contains the 
right SRV records and use this to infer your realm.


Is that right?

In case of IPA client you need to deal with both Kerberos realm and
application-level LDAP servers. The latter aren't related to Kerberos
realm themselves. However, authentication to them is based on GSSAPI and
thus Kerberos. So discovery of the LDAP servers is done via SRV records
according to https://tools.ietf.org/html/draft-ietf-ldapext-locate-08
and RFC2782 but Kerberos configuration is done based on the
corresponding DNS SRV records too (_ldap versus _kerberos for two
different purposes).

It became customary when Active Directory was introduced in 2000, that
when both _ldap..domain and _kerberos..domain DNS
SRV records exist, they are assumed to be explaining the services from
the same Kerberos realm. On MIT Kerberos side use of DNS TXT record
allows you to easily discover the actual name of the realm too. On
Active Directory side it is not the case but there realm name is equal
to the DNS domain name for the AD domains and additional DNS domains are
actually discovered through completely different means -- by using
netr_DsRGetForestTrustInformation function over LSA pipe.

(Is this a mechanism modelled on Active Directory? Otherwise, I would 
have thought you could use MIT algorithm (1) to discover your realm)

https://tools.ietf.org/html/draft-ietf-ldapext-locate-08 was driven by
Microsoft and since early 2000s was implemented in many LDAP libraries.
Needless to say, OpenLDAP utilities supports DNS SRV records discovery too,
see -H option in ldapsearch manual page for example.


After all, these are *flexibility* options. They are not supposed to
make sense in all combinations. Where they aren't making sense, you are
allowed to shoot yourself in your feet if you know what you are doing.


Absolutely, and I don't want to get this wrong and have to start again :-)

OK, I have a final question on the planning of realms and DNS.

As we've already said, in an IPA-only installation, the machines which 
are members of the realms can happily have hostnames which are 
unrelated to the realm name: e.g.


IPA.EXAMPLE.COM
| | |
machines .foo.com
machines .bar.com

A user in IPA.EXAMPLE.COM can login to host .foo.com, either 
because their krb5.conf has a static domain->realm mapping, or there's 
a DNS entry: _kerberos.foo.com TXT "IPA.EXAMPLE.COM"


However, suppose I plan to end up with a trust to an Active Directory 
/ Samba4 realm:


AD.EXAMPLE.COM <--trust--> IPA.EXAMPLE.COM
   | | |  | | |
   usersmachines

I want to allow users in the AD.EXAMPLE.COM realm to login to machines 
in the IPA.EXAMPLE.COM realm.


Will this still work when the machines are in

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Brian Candler 

On 16/12/2016 08:21, Alexander Bokovoy wrote:


So you can have IPA masters with FQDNs in totally different DNS domains
than dictated by their Kerberos realm and --domain options.


That I understand - not only can the IPA masters have FQDNs in different 
DNS domains, but indeed the member machines of that realm as well.


What was unclear to me was whether "ipa-server-install --domain xxx" 
affects the content of the database being built (and therefore 
replicated later to the slaves), or is just something local to the host 
itself.


In the manpage for "ipa-client-install" it's much clearer: in that case, 
it says that --domain is the starting domain for LDAP server auto-discovery.


To clarify, there are several DNS auto-discovery mechanisms. Two of them 
are described in the MIT docs at

https://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS

(1) Map hostname aaa.bbb.ccc to realm xxx.yyy.zzz

Look for TXT records for _kerberos.aaa.bbb.ccc, _kerberos.bbb.ccc, 
_kerberos.ccc. The TXT record gives the realm that this host belongs to.


(2) Realm xxx.yyy.zzz to Kerberos servers for that realm

Given realm xxx.yyy.zzz, look for in the DNS for SRV records for
_kerberos._udp.xxx.yyy.zzz
_kerberos-master._udp.xxx.yyy.zzz
_kpasswd._udp.xxx.yyy.zzz

This is all very clear.

Now, the manpage for ipa-client-install describes another one, which is 
where I get a bit fuzzy:


(3)

   DNS Autodiscovery
   Client installer by default tries to search for 
_ldap._tcp.DOMAIN  DNS
   SRV  records for all domains that are parent to its hostname. 
For exam-
   ple, if a client machine has a hostname 
'client1.lab.example.com',  the
   installer   will   try   to   retrieve  an  IPA  server 
hostname  from
   _ldap._tcp.lab.example.com, _ldap._tcp.example.com  and 
_ldap._tcp.com
   DNS  SRV  records,  respectively. The discovered domain is then 
used to
   configure client components (e.g. SSSD and Kerberos 5 
configuration) on

   the machine.

What it doesn't actually say (but I believe must be true) is that what 
it calls the "discovered domain" is in fact the *realm* to use.  If so, 
effectively this is algorithm (2) in reverse: instead of using it for 
realm to SRV mapping, you hunt for a domain which contains the right SRV 
records and use this to infer your realm.


Is that right?

(Is this a mechanism modelled on Active Directory? Otherwise, I would 
have thought you could use MIT algorithm (1) to discover your realm)




After all, these are *flexibility* options. They are not supposed to
make sense in all combinations. Where they aren't making sense, you are
allowed to shoot yourself in your feet if you know what you are doing.


Absolutely, and I don't want to get this wrong and have to start again :-)

OK, I have a final question on the planning of realms and DNS.

As we've already said, in an IPA-only installation, the machines which 
are members of the realms can happily have hostnames which are unrelated 
to the realm name: e.g.


 IPA.EXAMPLE.COM
 | | |
machines .foo.com
machines .bar.com

A user in IPA.EXAMPLE.COM can login to host .foo.com, either 
because their krb5.conf has a static domain->realm mapping, or there's a 
DNS entry: _kerberos.foo.com TXT "IPA.EXAMPLE.COM"


However, suppose I plan to end up with a trust to an Active Directory / 
Samba4 realm:


AD.EXAMPLE.COM <--trust--> IPA.EXAMPLE.COM
| | |  | | |
usersmachines

I want to allow users in the AD.EXAMPLE.COM realm to login to machines 
in the IPA.EXAMPLE.COM realm.


Will this still work when the machines are in different DNS domains? Or 
at this point, am I forced to give all the machines hostnames of the 
form .ipa.example.com ?


If the latter is true, it would be wise for me to start naming my hosts 
.ipa.example.com in the first place.


Thanks,

Brian.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Alexander Bokovoy 

On to, 15 joulu 2016, Brian Candler wrote:
On Sun, Dec 11, 2016 at 11:31 PM, David Kupka > wrote:



   yes you can do it. DNS domain and Kerberos realm are two different
   things. It's common and AFAIK recommended to capitalize DNS domain
   to get the realm but it's not required.
   If you really want to have them different make sure:
   a) anotherdomain.com  is under your
   control,
   b) you don't already have other Kerberos instance (FreeIPA, MIT
   KRB5, MS AD, ...) with ANOTHERDOMAIN.COM
    realm deployed.

   With FreeIPA you can run
   # ipa-server-install --domain example.com
    --realm ANOTHERDOMAIN.COM
   

   But before you do, why do you want to have the realm different
   from the domain?




Question: what "domain" does the --domain option to ipa-server-install 
actually refer to?


The man page just says " Your DNS domain name". But what does it 
actually alter?


1. the DNS domain which holds the kerberos realm location information? 
I don't think so; I think if you are searching for realm FOO.COM 
you'll always look in the DNS under "foo.com", that's a fixed 
relationship.


2. the DNS name of the IPA server itself? But if set up correctly, it 
already has an FQDN (as reported by "hostname -f"). And if you give 
the "--hostname" option, that's a FQDN not a bare hostname.


3. the DNS zone which IPA is authoritative for? But you can run IPA 
without integrated DNS.


4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com" 
puts everything under tree "dc=foo,dc=com"?


5. something else?

It is a combination of some of the above.

LDAP base DN is generated based on the realm name. DNS domain specified
in --domain option is considered a DNS domain we are authoritative for
in the case we install with integrated DNS server. Kerberos realm name
effectively forces use of the DNS domain equal to the realm name as your
primary DNS domain (forest root domain in terms of Active Directory),
but given that we could remap DNS and realm relationship with krb5.conf,
we are at a bit more flexibility than Active Directory design allows
here.

So you can have IPA masters with FQDNs in totally different DNS domains
than dictated by their Kerberos realm and --domain options. In such
situation you would need to make sure there are additional hints for the
IPA clients to properly find these IPA masters, but nothing dramatically
serious. You can have Kerberos realm and --domain options to point to
different DNS domains too, though we would not recommend that in a
longer term given you'd still need to own DNS domain named as your
Kerberos realm to have autodiscovery working.

After all, these are *flexibility* options. They are not supposed to
make sense in all combinations. Where they aren't making sense, you are
allowed to shoot yourself in your feet if you know what you are doing.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-15 Thread Brian Candler 
On Sun, Dec 11, 2016 at 11:31 PM, David Kupka > wrote:



yes you can do it. DNS domain and Kerberos realm are two different
things. It's common and AFAIK recommended to capitalize DNS domain
to get the realm but it's not required.
If you really want to have them different make sure:
a) anotherdomain.com  is under your
control,
b) you don't already have other Kerberos instance (FreeIPA, MIT
KRB5, MS AD, ...) with ANOTHERDOMAIN.COM
 realm deployed.

With FreeIPA you can run
# ipa-server-install --domain example.com
 --realm ANOTHERDOMAIN.COM


But before you do, why do you want to have the realm different
from the domain?




Question: what "domain" does the --domain option to ipa-server-install 
actually refer to?


The man page just says " Your DNS domain name". But what does it 
actually alter?


1. the DNS domain which holds the kerberos realm location information? I 
don't think so; I think if you are searching for realm FOO.COM you'll 
always look in the DNS under "foo.com", that's a fixed relationship.


2. the DNS name of the IPA server itself? But if set up correctly, it 
already has an FQDN (as reported by "hostname -f"). And if you give the 
"--hostname" option, that's a FQDN not a bare hostname.


3. the DNS zone which IPA is authoritative for? But you can run IPA 
without integrated DNS.


4. the LDAP base DN? I guess that could be it: e.g. "--domain foo.com" 
puts everything under tree "dc=foo,dc=com"?


5. something else?

Thanks,

Brian.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-13 Thread David Kupka 

On 13/12/16 07:52, Stephen Ingram wrote:

On Sun, Dec 11, 2016 at 11:31 PM, David Kupka  wrote:



yes you can do it. DNS domain and Kerberos realm are two different things.
It's common and AFAIK recommended to capitalize DNS domain to get the realm
but it's not required.
If you really want to have them different make sure:
a) anotherdomain.com is under your control,
b) you don't already have other Kerberos instance (FreeIPA, MIT KRB5, MS
AD, ...) with ANOTHERDOMAIN.COM  realm
deployed.

With FreeIPA you can run
# ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM


But before you do, why do you want to have the realm different from the
domain?



David-

We have multiple domains that we want to manage under one Kerberos realm. I
see that's it's possible for FreeIPA to manage multiple realms, but, for
simplicity, I'd rather use just one and have all domains underneath:

REALM.COM
controls example1.com, example2.com, example3.com, etc.

Since we control all domain's DNS, we would create text records for each of
the example{x}.com domains pointing to REALM.COM Kerberos realm. We would
also create SRV records for each of the example{x}.com domains directing
Kerberos lookups to REALM.COM. I know it's a little unorthodox, but I'd
like to do it so we can keep everything in one easily managed lot.

Steve

P.S. I got several pornny spammy replies to this message. Is someone
sneaking into this list somehow?




Hello Steve,
in fact it's not possible to manage multiple Kerberos realms in one 
FreeIPA deployment. And judging from your description it also isn't what 
you want.
On the other hand, having one realm and multiple DNS domains is standard 
situation and usually the name of the realm is derived from the primary 
domain (e.g. the one that matches organization name). If all your 
domains are equal just pick the one that you're most sure you'll keep 
under your control.


Regarding the spamming problem, we're all receiving it and the main 
problem is that the spam is not targeting freeipa-users@ list but the 
individual addresses in conversations. There's not much we can do but 
Simo is trying to find a solution.

--
David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-12 Thread Stephen Ingram 
On Sun, Dec 11, 2016 at 11:31 PM, David Kupka  wrote:

>
> yes you can do it. DNS domain and Kerberos realm are two different things.
> It's common and AFAIK recommended to capitalize DNS domain to get the realm
> but it's not required.
> If you really want to have them different make sure:
> a) anotherdomain.com is under your control,
> b) you don't already have other Kerberos instance (FreeIPA, MIT KRB5, MS
> AD, ...) with ANOTHERDOMAIN.COM  realm
> deployed.
>
> With FreeIPA you can run
> # ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM
> 
>
> But before you do, why do you want to have the realm different from the
> domain?


David-

We have multiple domains that we want to manage under one Kerberos realm. I
see that's it's possible for FreeIPA to manage multiple realms, but, for
simplicity, I'd rather use just one and have all domains underneath:

REALM.COM
controls example1.com, example2.com, example3.com, etc.

Since we control all domain's DNS, we would create text records for each of
the example{x}.com domains pointing to REALM.COM Kerberos realm. We would
also create SRV records for each of the example{x}.com domains directing
Kerberos lookups to REALM.COM. I know it's a little unorthodox, but I'd
like to do it so we can keep everything in one easily managed lot.

Steve

P.S. I got several pornny spammy replies to this message. Is someone
sneaking into this list somehow?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-11 Thread David Kupka 

On 09/12/16 22:56, Stephen Ingram wrote:

Can you have a domain that belongs to a Kerberos realm with a completely
different domain? For example, could example.com belong to the
ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
necessary SRV and TXT records to locate it and krb5.conf is configured
properly?

Steve





Hello Steve,

yes you can do it. DNS domain and Kerberos realm are two different 
things. It's common and AFAIK recommended to capitalize DNS domain to 
get the realm but it's not required.

If you really want to have them different make sure:
a) anotherdomain.com is under your control,
b) you don't already have other Kerberos instance (FreeIPA, MIT KRB5, MS 
AD, ...) with ANOTHERDOMAIN.COM realm deployed.


With FreeIPA you can run
# ipa-server-install --domain example.com --realm ANOTHERDOMAIN.COM

But before you do, why do you want to have the realm different from the 
domain?

--
David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-11 Thread Petr Spacek 
On 10.12.2016 19:20, Alexander Bokovoy wrote:
> On la, 10 joulu 2016, William Muriithi wrote:
>> Stephen
>>>
>>> Can you have a domain that belongs to a Kerberos realm with a completely
>>> different domain? For example, could example.com belong to the
>>> ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
>>> necessary SRV and TXT records to locate it and krb5.conf is configured
>>> properly?
>>
>> This will indeed work.  Its however highly discouraged by FreeIPA.
> No, it is not.
> 
>> For example, if you do go this way, you will never be able to
>> establish trust relationship with Active directory as Active directory
>> will not accept this setup.
> This is not true at all.
> 
>> Also, you will be on untested territory.  I don't think may people use
>> this setup, so the code may not be well exercised in such a setup.  On
>> the positive side, you could help FreeIPA project flash out any bug
>> that such a setup may expose.
> No, this is very well charted territory. Read a number of threads we had
> just last week and before, last few months.
> 
> In short, the situation Stephen asks an advice on is a very normal case.

Let me clear up this confusion:
The important thing is to have Kerberos REALM = uppercase version of DNS
domain containing all the SRV records (let's call this DNS domain "primary"
DNS domain).

If this condition is fulfilled, AD trusts and other auto-detection procedures
will work. You can add arbitrary number of FreeIPA clients to "secondary" DNS
domains as long as they do not overlap with AD-managed domains and it will
just work.

Does it clear the confusion?

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-10 Thread Alexander Bokovoy 

On la, 10 joulu 2016, William Muriithi wrote:

Stephen


Can you have a domain that belongs to a Kerberos realm with a completely
different domain? For example, could example.com belong to the
ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
necessary SRV and TXT records to locate it and krb5.conf is configured
properly?


This will indeed work.  Its however highly discouraged by FreeIPA.

No, it is not.


For example, if you do go this way, you will never be able to
establish trust relationship with Active directory as Active directory
will not accept this setup.

This is not true at all.


Also, you will be on untested territory.  I don't think may people use
this setup, so the code may not be well exercised in such a setup.  On
the positive side, you could help FreeIPA project flash out any bug
that such a setup may expose.

No, this is very well charted territory. Read a number of threads we had
just last week and before, last few months.

In short, the situation Stephen asks an advice on is a very normal case.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-10 Thread William Muriithi 
Stephen
>
> Can you have a domain that belongs to a Kerberos realm with a completely
> different domain? For example, could example.com belong to the
> ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
> necessary SRV and TXT records to locate it and krb5.conf is configured
> properly?

This will indeed work.  Its however highly discouraged by FreeIPA.
For example, if you do go this way, you will never be able to
establish trust relationship with Active directory as Active directory
will not accept this setup.

Also, you will be on untested territory.  I don't think may people use
this setup, so the code may not be well exercised in such a setup.  On
the positive side, you could help FreeIPA project flash out any bug
that such a setup may expose.

Regards,
William

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Kerberos realm for different domain

2016-12-09 Thread Stephen Ingram 
Can you have a domain that belongs to a Kerberos realm with a completely
different domain? For example, could example.com belong to the
ANOTHERDOMAIN.COM realm as long as we control DNS for both and have all the
necessary SRV and TXT records to locate it and krb5.conf is configured
properly?

Steve
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project