[Freeipa-users] Two kerberos realms for same domainname?
Alexander Bokovoy
abokovoy at redhat.com
Thu May 9 07:35:58 UTC 2013
On Wed, 08 May 2013, Paul Robert Marino wrote:
>the client picks Realm based on the domain name of the host.
>you can control the behavior on the client via the KRB5.conf but the
>assumption is you have 1 realm per domain or host.
>
>From man krb5.conf
>
>
>"
>DOMAIN_REALM SECTION
> The [domain_realm] section provides a translation from a hostname to
>the Kerberos realm name for the services provided by that host.
>
> The tag name can be a hostname, or a domain name, where domain names
>are indicated by a prefix of a period (".") character. The value
> of the relation is the Kerberos realm name for that particular host
>or domain. Host names and domain names should be in lower case.
>
> If no translation entry applies, the host's realm is considered to
>be the hostname's domain portion converted to upper case. For
> example, the following [domain_realm] section:
>
> [domain_realm]
> .mit.edu = ATHENA.MIT.EDU
> mit.edu = ATHENA.MIT.EDU
> dodo.mit.edu = SMS_TEST.MIT.EDU
> .ucsc.edu = CATS.UCSC.EDU
>
> maps dodo.mit.edu into the SMS_TEST.MIT.EDU realm, all other hosts
>in the MIT.EDU domain to the ATHENA.MIT.EDU realm, and all hosts in
> the UCSC.EDU domain into the CATS.UCSC.EDU realm.
>ucbvax.berkeley.edu would be mapped by the default rules to the
>BERKELEY.EDU realm,
> while sage.lcs.mit.edu would be mapped to the LCS.MIT.EDU realm.
>"
>
>
>Also the question of trusts is really an issue with cpaths but there is
>also a compatibility issue between the AD Kerberos server and MIT's. It's
>doable with Heimdal kerberos Servers but FreeIPA is not compatible with
>Heimdal
This is not correct. Starting with FreeIPA 3.0 we do support
cross-forest trusts with Active Directory.
--
/ Alexander Bokovoy
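The [domain_realm] lookup described in the quoted man page text, worked as an added example (not code from this thread, FreeIPA or MIT krb5): a small parser for that section plus a hostname-to-realm resolver over the man page's own sample mapping. The walk from the longest enclosing domain to the shortest is an assumption about lookup order; the quoted text only spells out the exact-host and default-rule cases.

```python
import re

# Constructed sample krb5.conf: the [domain_realm] relations quoted above,
# plus an unrelated section to show that only [domain_realm] is read.
KRB5_CONF = """
[libdefaults]
    default_realm = ATHENA.MIT.EDU

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    dodo.mit.edu = SMS_TEST.MIT.EDU
    .ucsc.edu = CATS.UCSC.EDU
"""

def parse_domain_realm(conf_text):
    """Return the tag -> realm relations of the [domain_realm] section.

    Tags are lower-cased, since the man page says host and domain names
    should be in lower case; other sections and '#' comments are skipped.
    """
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            in_section = header.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            tag, realm = (s.strip() for s in line.split("=", 1))
            mapping[tag.lower()] = realm
    return mapping

def host_realm(hostname, mapping):
    """Map a hostname to its Kerberos realm using the [domain_realm] relations.

    Order (the suffix walk is an assumption, not stated in the quoted text):
    1. an exact hostname tag wins
    2. the nearest enclosing domain tag with a leading period, longest first
    3. default rule: the hostname's domain portion converted to upper case
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        tag = "." + ".".join(labels[i:])
        if tag in mapping:
            return mapping[tag]
    return ".".join(labels[1:]).upper()
```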