[Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

Simo Sorce ssorce at redhat.com
Sun Aug 12 10:05:41 UTC 2012



----- Original Message -----
> On 08/08/2012 08:07 PM, Simo Sorce wrote:
> > On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote:
> >> On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
> >>> On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek <pspacek at redhat.com>
> >>> wrote:
> >>>> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with
> >>>> proper SRV records (or let IPA to manage it).
> >>>
> >>> Ugh, I hope this doesn't end up pushing us back to NIS.
> >>>
> >>> If I can get our infrastructure guys to buy off on making a
> >>> unix.mycompany.com subdomain in DNS, would I need to move all the
> >>> hosts to be under that subdomain in DNS?  I have some services
> >>
> >> Definitely not. You can create subdomain UNIX.MYCOMPANY.COM, fill it
> >> with SRV records and leave this subdomain without hosts (maybe except
> >> IPA servers ...). It is not necessary to rename all hosts.
> >>
> >> Problem is simple - Kerberos libraries have to know where KDCs are
> >> located - and DNS is standardized way how to accomplish it.
> >>
> >> Let me quote another reply from this thread:
> >> On 08/08/2012 06:14 PM, KodaK wrote:
> >>   > You *could* use something like puppet to manage your krb5.conf
> >>   > files (I have to with our AIX machines.)
> >>   >
> >>   > Also, it's important to note that your REALM does NOT need to
> >>   > match your dns domain name. It's a convenience, and it's very,
> >>   > very helpful to do so, but it is possible to have a REALM called
> >>   > "MIDDLEEARTH" if you wanted.  I'm not sure how IPA would deal with
> >>   > that, but I know you can do it in straight up Kerberos.
> >>
> >>
> >>> configured that are difficult to rename the DNS domain of.  Could, for
> >>> instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM
> >>> realm, given a MYCOMPANY.COM realm also exists?
> >>
> >> Yes, it could.
> >>
> >>>
> >>> I could then put some SRV records into the subdomain's zone to point
> >>> the kerberos stuff to the IPA server, change the domain on the IPA
> >>> server, change the realm on the IPA server, re-register clients, and
> >>> everything would be happy?
> >>
> >> I get lost in the renaming part. Can you describe your idea in bigger
> >> detail?
> >>
> >>>
> >>> Ugh... actually... now that I think about this, I don't think I want
> >>> half my servers in a unix subdomain in DNS, which means DNS and realm
> >>> wouldn't match...
> >>>
> >>> Thoughts?  Aside from rebuilding the infrastructure I've built
> >>> already?  :-)
> >>
> >> Let all machines in MYCOMPANY.COM and use IPA realm UNIX.MYCOMPANY.COM.
> >> IMHO it is simplest way.
> >>
> >>
> >> This limitation comes from Kerberos: You are trying to use *single
> >> domain name* for *two independent Kerberos realms* - it is principally
> >> not possible.
> >
> > I just need to point out one problem with leaving all machines under
> > MYDOMAIN.COM, and that is if you later want to make a trust (option
> > available starting from ipa 3.0) between the AD realm and the IPA
> > realm, the machines in the mydomain.com domain will not be able to be
> > accessed by the users of the AD realm. That is because the machines
> > joined to the AD realm will think that the mydomain.com machines are
> > always served up by the AD domain.
> >
> > On the IPA side you may also have some issues as you will not be able
> > to tell IPA clients that they need to ask the AD KDC for the hosts
> > under mydomain.com
> >
> > So ultimately, I would put as many machines as you can under
> > UNIX.MYDOMAIN.COM, to minimize confusion in case later on you want to
> > establish a trust between the AD domain and the IPA domain.
> >
> > Simo.
> >
> Is it possible to work around these problems with hostname-realm
> mappings?
> 
> It is not a clean solution, I know, but it should be doable for a limited
> set of unix machines.
> AFAIK Windows AD (I tested it with 2008 R2) has the ability to set
> hostname-realm mappings through Group policy.

Yes, from the Linux side it is possible to map single hostnames to a realm, so the top domain could be generally mapped to the AD realm, and then single hosts mapped to the IPA realm. This is not possible for Windows machines in the AD domain though (afaik).

Simo.
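The hostname-to-realm mapping discussed above lives in the [domain_realm] section of krb5.conf on each Linux client. The following is an added example, not code from the thread or from the FreeIPA project: it embeds a constructed krb5.conf fragment (the realm names AD.MYCOMPANY.COM and UNIX.MYCOMPANY.COM and the host names are assumptions) that maps the whole DNS domain to the AD realm and a single host to the IPA realm, then resolves hostnames the way the MIT Kerberos library walks the [domain_realm] entries (exact host first, then each parent domain with and without the leading dot). A second helper shows which DNS SRV names a client with dns_lookup_kdc enabled queries for a realm, which is why the unix.mycompany.com subdomain has to exist in DNS even if no hosts are named under it.

```python
"""Resolve hostnames to Kerberos realms from a [domain_realm] mapping.

Added example; not part of the mailing-list thread or of FreeIPA itself.
"""
from typing import Dict, List, Optional

# Constructed krb5.conf fragment. Realm and host names are assumptions
# chosen to match the layout proposed in the thread.
KRB5_CONF = """
[libdefaults]
    default_realm = UNIX.MYCOMPANY.COM
    dns_lookup_kdc = true

[realms]
    UNIX.MYCOMPANY.COM = {
        kdc = ipa.unix.mycompany.com
        admin_server = ipa.unix.mycompany.com
    }

[domain_realm]
    # everything under the company domain belongs to AD by default ...
    .mycompany.com = AD.MYCOMPANY.COM
    mycompany.com = AD.MYCOMPANY.COM
    # ... except individual UNIX hosts that were joined to IPA
    host-one.mycompany.com = UNIX.MYCOMPANY.COM
    # and the IPA servers themselves, which do live in the subdomain
    .unix.mycompany.com = UNIX.MYCOMPANY.COM
    unix.mycompany.com = UNIX.MYCOMPANY.COM
"""


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Return the [domain_realm] entries of a krb5.conf text as a dict.

    Only that section is parsed; the brace blocks of [realms] are skipped.
    Keys are lower-cased because krb5 matches them case-insensitively.
    """
    mapping: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def realm_for_host(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Map a hostname to a realm using MIT krb5's [domain_realm] walk order.

    Order: the exact hostname, then for each parent domain first the entry
    with a leading dot, then the bare domain name. None means no entry
    matched; the library would then fall back to KDC referrals or to the
    upper-cased domain name, which is exactly the ambiguity the thread warns
    about for a shared DNS domain.
    """
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in mapping:
                return mapping[candidate]
    return None


def kdc_srv_names(realm: str) -> List[str]:
    """DNS SRV names a client queries to locate KDCs for REALM.

    Kerberos derives them from the lower-cased realm name, so a realm
    named UNIX.MYCOMPANY.COM needs these records in the
    unix.mycompany.com zone regardless of where the hosts themselves live.
    """
    domain = realm.lower()
    return [f"_kerberos._udp.{domain}", f"_kerberos._tcp.{domain}"]


DOMAIN_REALM = parse_domain_realm(KRB5_CONF)

if __name__ == "__main__":
    for h in ("host-one.mycompany.com", "fileserver.mycompany.com",
              "ipa.unix.mycompany.com", "unrelated.example.org"):
        print(f"{h:28} -> {realm_for_host(h, DOMAIN_REALM)}")
    print(kdc_srv_names("UNIX.MYCOMPANY.COM"))
```

Run it as a script to see that host-one.mycompany.com resolves to the IPA realm while its neighbours under mycompany.com stay with AD. As the reply notes, this is a client-side (Linux) mechanism only; a Windows member of the AD domain makes no such per-host exception, so the trust caveat raised earlier in the thread still applies to those machines.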



