[Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
Petr Spacek
pspacek at redhat.com
Wed Aug 8 16:06:50 UTC 2012
On 08/08/2012 05:42 PM, Rob Ogilvie wrote:
> On Tue, Aug 7, 2012 at 7:03 PM, KodaK <sakodak at gmail.com> wrote:
>> It's hard to tell with the obfuscation, but is your DOMAIN the same as
>> the one handled by the domain controller vm-mapsdc2?
>
> Indeed, it is....
>
>> You can only have one Kerberos realm named DOMAIN.
>
> How do they know about each other?
There are DNS SRV records for Kerberos KDC and realm names.
The original Kerberos documentation mentioning DNS is at:
http://web.mit.edu/kerberos/www/krb5-1.10/krb5-1.10.2/doc/krb5-admin.html#Using-DNS
Kerberos principles (not only DNS) are described in:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Using_Kerberos.html
>
>> For example, if you have the windows domain/Kerb realm MYCOMPANY.COM,
>> you will not be able to have it coexist with an IPA server controlling
>> the realm MYCOMPANY.COM.
>
> That's quite unfortunate. How can I work around this? Can I create
> the realm BLAH.MYCOMPANY.COM or maybe even NOTMYCOMPANY.COM without a
> DNS domain to match, or will I need to interface with the DNS admins?
> Is there a good document that describes the nature of these realms and
> their relation to DNS?
The best way is to create the subdomain UNIX.MYCOMPANY.COM and fill it with proper SRV
records (or let IPA manage it).
You can configure all servers and clients statically with /etc/krb5.conf,
but it is error-prone and not scalable.
Configuration with AD and IPA with the same domain name is not supported, because
it confuses Kerberos libraries.
Petr^2 Spacek
>
>> If it's an oldschool NT type domain you should be OK, but if it's
>> Active Directory (which uses Kerberos) you can't do it.
>
> It's an Active Directory domain.
>
> Rob
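As an added illustration of the DNS-based discovery Petr describes (not code from the thread or from FreeIPA), the following simulates how a Kerberos client maps a hostname to a realm via `_kerberos.<domain>` TXT records and then finds that realm's KDCs via `_kerberos._udp.<realm>` SRV records, and includes a pre-install check that a proposed realm name is not already claimed in DNS. The record set is constructed; `ipa1.unix.mycompany.com` is a hypothetical IPA server.

```python
"""Simulate libkrb5's DNS realm/KDC discovery over constructed records.

Added example, not part of the original mailing-list thread. The DNS
data below is made up to mirror the scenario discussed: an AD domain
MYCOMPANY.COM and a separate IPA realm UNIX.MYCOMPANY.COM.
"""

# Constructed zone data. TXT _kerberos.<domain> maps a DNS domain to a
# realm name; SRV _kerberos._udp.<realm-as-dns-name> lists that realm's KDCs.
RECORDS = {
    ("TXT", "_kerberos.mycompany.com"): ["MYCOMPANY.COM"],
    ("SRV", "_kerberos._udp.mycompany.com"): ["vm-mapsdc2.mycompany.com:88"],
    ("TXT", "_kerberos.unix.mycompany.com"): ["UNIX.MYCOMPANY.COM"],
    ("SRV", "_kerberos._udp.unix.mycompany.com"): ["ipa1.unix.mycompany.com:88"],
}


def realm_for_host(hostname, records=RECORDS):
    """Walk up the DNS hierarchy looking for a _kerberos.<suffix> TXT record,
    the way a client with dns_lookup_realm = true determines its realm."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        txt = records.get(("TXT", "_kerberos." + ".".join(labels[i:])))
        if txt:
            return txt[0]
    return None


def kdcs_for_realm(realm, records=RECORDS):
    """KDCs are advertised under _kerberos._udp.<realm lowercased as a DNS name>."""
    return records.get(("SRV", "_kerberos._udp." + realm.lower()), [])


def locate_kdc(hostname, records=RECORDS):
    """Full client-side discovery: hostname -> realm -> KDC list."""
    realm = realm_for_host(hostname, records)
    kdcs = kdcs_for_realm(realm, records) if realm else []
    return realm, kdcs


def realm_name_is_free(realm, records=RECORDS):
    """Pre-install check: a realm name already advertised in DNS (by AD or
    anyone else) must not be reused for a new IPA realm."""
    name = realm.lower()
    claimed = ("TXT", "_kerberos." + name) in records or \
              ("SRV", "_kerberos._udp." + name) in records
    return not claimed


if __name__ == "__main__":
    for host in ("ws1.mycompany.com", "ipaclient.unix.mycompany.com"):
        print(host, "->", locate_kdc(host))
    for realm in ("MYCOMPANY.COM", "UNIX.MYCOMPANY.COM", "NOTMYCOMPANY.COM"):
        print(realm, "free:", realm_name_is_free(realm))
```

Hosts under `unix.mycompany.com` are steered to the IPA KDC while the rest of the company still resolves to the AD controller, which is exactly what the subdomain approach buys; a second realm named MYCOMPANY.COM would have nowhere distinct in DNS to advertise itself.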