[Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

Petr Spacek pspacek at redhat.com
Fri Aug 10 08:11:51 UTC 2012


On 08/08/2012 08:07 PM, Simo Sorce wrote:
> On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote:
>> On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
>>> On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>>> The best way is to create a subdomain UNIX.MYCOMPANY.COM and fill it with proper
>>>> SRV records (or let IPA manage it).
>>>
>>> Ugh, I hope this doesn't end up pushing us back to NIS.
>>>
>>> If I can get our infrastructure guys to buy off on making a
>>> unix.mycompany.com subdomain in DNS, would I need to move all the
>>> hosts to be under that subdomain in DNS?  I have some services
>>
>> Definitely not. You can create a subdomain UNIX.MYCOMPANY.COM, fill it with SRV
>> records and leave this subdomain without hosts (except maybe the IPA servers ...).
>> It is not necessary to rename all hosts.
>>
>> The problem is simple - Kerberos libraries have to know where the KDCs are located -
>> and DNS is the standardized way to accomplish it.
>>
>> Let me quote another reply from this thread:
>> On 08/08/2012 06:14 PM, KodaK wrote:
>>   > You *could* use something like puppet to manage your krb5.conf files
>>   > (I have to with our AIX machines.)
>>   >
>>   > Also, it's important to note that your REALM does NOT need to match
>>   > your dns domain name
>>   > It's a convenience, and it's very, very helpful to do so, but it is
>>   > possible to have a REALM called
>>   > "MIDDLEEARTH" if you wanted.  I'm not sure how IPA would deal with
>>   > that, but I know you
>>   > can do it in straight up Kerberos.
>>
>>
>>> configured that are difficult to rename the DNS domain of.  Could, for
>>> instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM
>>> realm, given a MYCOMPANY.COM realm also exists?
>>
>> Yes, it could.
>>
>>>
>>> I could then put some SRV records into the subdomain's zone to point
>>> the kerberos stuff to the IPA server, change the domain on the IPA
>>> server, change the realm on the IPA server, re-register clients, and
>>> everything would be happy?
>>
>> I get lost in the renaming part. Can you describe your idea in more detail?
>>
>>>
>>> Ugh... actually... now that I think about this, I don't think I want
>>> half my servers in a unix subdomain in DNS, which means DNS and realm
>>> wouldn't match...
>>>
>>> Thoughts?  Aside from rebuilding the infrastructure I've built already?  :-)
>>
>> Leave all machines in MYCOMPANY.COM and use the IPA realm UNIX.MYCOMPANY.COM.
>> IMHO it is the simplest way.
>>
>>
>> This limitation comes from Kerberos: you are trying to use a *single domain
>> name* for *two independent Kerberos realms* - in principle it is not possible.
>
> I just need to point out one problem with leaving all machines under
> MYDOMAIN.COM, and that is if you later want to make a trust (option
> available starting from ipa 3.0) between the AD realm and the IPA realm,
> the machines in the mydomain.com domain will not be able to be accessed
> by the users of the AD realm. That is because the machines joined to the
> AD realm will think that the mydomain.com machines are always served up
> by the AD domain.
>
> On the IPA side you may also have some issues as you will not be able to
> tell IPA clients that they need to ask the AD KDC for the hosts under
> mydomain.com.
>
> So ultimately, I would put as many machines as you can under
> UNIX.MYDOMAIN.COM, to minimize confusion in case later on you want to
> establish a trust between the AD domain and the IPA domain.
>
> Simo.
>
Is it possible to work around these problems with hostname-realm mappings?

It is not a clear solution, I know, but it should be doable for a limited set of 
unix machines.
AFAIK Windows AD (I tested it with 2008 R2) has the ability to set hostname-realm 
mappings through Group Policy.

Petr^2 Spacek
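Editor's note: the hostname-realm mapping Petr asks about is the [domain_realm] section of krb5.conf, and the "two realms, one DNS domain" conflict Simo describes shows up directly in how libkrb5 walks that table. The example below is added here and is not code from the thread or from FreeIPA; it is a small stand-alone model of the lookup (exact host entry first, then parent domains with a leading dot, longest suffix first) run against a constructed krb5.conf fragment where hosts stay in mycompany.com but a few are pinned to the IPA realm. The fallback to default_realm when nothing matches is a simplification: a real library may also try DNS TXT records (dns_lookup_realm) or ask the KDC for a referral. The SRV names are the standard _kerberos._udp/_tcp and _kpasswd._udp records that KDC discovery queries under the lowercased realm name, which is why UNIX.MYCOMPANY.COM needs a unix.mycompany.com zone even if no host lives in it.

```python
"""Model of krb5.conf [domain_realm] hostname -> realm resolution.

Added example, not from the mailing-list thread or FreeIPA. The config
below is constructed for illustration.
"""
from typing import Dict, List

# Constructed krb5.conf fragment: all hosts stay in mycompany.com, the
# catch-all ".mycompany.com" belongs to the AD realm, and two hosts are
# explicitly pinned to the IPA realm UNIX.MYCOMPANY.COM.
KRB5_CONF = """\
[libdefaults]
 default_realm = UNIX.MYCOMPANY.COM
 dns_lookup_kdc = true

[domain_realm]
 .unix.mycompany.com = UNIX.MYCOMPANY.COM
 unix.mycompany.com = UNIX.MYCOMPANY.COM
 .mycompany.com = MYCOMPANY.COM
 host-one.mycompany.com = UNIX.MYCOMPANY.COM
 host-two.mycompany.com = UNIX.MYCOMPANY.COM
"""


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for flat 'key = value' krb5.conf sections.

    Brace-delimited subsections (the per-realm blocks in [realms]) are
    not needed for this example and are skipped, not parsed.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
            depth = 0
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth or current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Hostnames and domains are case-insensitive; keys are stored lowercased.
        sections[current][key.strip().lower()] = value.strip()
    return sections


def host_realm(hostname: str, domain_realm: Dict[str, str], default_realm: str) -> str:
    """Resolve a hostname to a realm the way libkrb5 walks [domain_realm].

    Order: exact hostname entry, then each parent domain written with a
    leading dot, most specific first. Falling back to default_realm is an
    assumption for this model; real libraries may consult DNS or referrals.
    """
    name = hostname.lower().rstrip(".")
    if name in domain_realm:
        return domain_realm[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return default_realm


def kdc_srv_names(realm: str) -> List[str]:
    """DNS SRV owner names a client queries to locate the KDCs of a realm."""
    zone = realm.lower()
    return [
        f"_kerberos._udp.{zone}",
        f"_kerberos._tcp.{zone}",
        f"_kpasswd._udp.{zone}",
    ]


def resolve_hosts(hosts: List[str], conf_text: str = KRB5_CONF) -> Dict[str, str]:
    """Map each host to its realm using the parsed configuration."""
    conf = parse_sections(conf_text)
    domain_realm = conf.get("domain_realm", {})
    default_realm = conf["libdefaults"]["default_realm"]
    return {h: host_realm(h, domain_realm, default_realm) for h in hosts}


if __name__ == "__main__":
    sample = ["host-one.mycompany.com", "host-three.mycompany.com",
              "ipa1.unix.mycompany.com", "example.org"]
    for host, realm in resolve_hosts(sample).items():
        print(f"{host:28} -> {realm}")
    print(kdc_srv_names("UNIX.MYCOMPANY.COM"))
```

The point the model makes visible: host-one is pinned to the IPA realm, but any mycompany.com host without its own entry falls into the AD realm via the ".mycompany.com" catch-all, so every IPA-joined machine left in the parent domain needs a per-host line (on the Unix side in krb5.conf, on the Windows side through the Group Policy mapping Petr mentions), and the table can only ever hold one realm per suffix.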
