[Freeipa-users] Two kerberos realms for same domainname?

Simo Sorce simo at redhat.com
Thu May 9 12:50:49 UTC 2013


On Thu, 2013-05-09 at 09:03 +0000, Johnny Westerlund wrote:
> The "problem" I'm trying to solve is more of a design choice, I guess.
> I would like to introduce RH Identity Management (IPA) since we need
> to handle authentication for *NIX machines.
> I guess I could integrate them towards Active Directory, but I would
> rather enjoy all the benefits of running RH-IPA (HBAC/Sudo rules, and
> further down SELinux integration) and be able to use my current RH
> support contracts.
> 
> 
> The current infrastructure looks like the following.
> Internal DNS/Kerberos domain handled by Microsoft Active Directory:
> company.internal at COMPANY.INTERNAL
> A second domain consisting of company.tld (this is a correct top level
> domain), but this domain exists both internally and externally.
> 
> 
> So internal machines that CAN'T be reached from the outside world have
> either company.tld or company.internal hostnames. (All of the *nix
> machines have the domain company.tld, although they are almost all
> internal machines.)
> Kerberos authentication is working now for machines on the inside in
> both DNS domains. This is handled by Active Directory.
> I even have some *nix machines using the AD Kerberos realm for SSO of
> Apache web servers; these are all internal company.tld machines.
> 
> 
> So the question is how I would design the DNS structure to allow IPA
> and AD coexistence.
> I would like to avoid having to move all my current *nix machines out
> of company.tld (although this would be the most correct solution).
> Maybe I could have dual hostnames for all my *nix machines, but the
> question is how much administrative overhead this would give. And I
> would like to "Keep It Simple".
> 
> 
> I understand that this might not be a question for this mailing
> list ;)
> I hope it doesn't rub anyone the wrong way.

It's a good question.

If you want to keep doing SSO from AD users you probably want to use a
trust between AD and IPA in the long term.
In order to do this the IPA infrastructure really needs to use a
different domain name or Windows machines will not be able to get
tickets as they will always try to hit the AD KDC that can't refer to
the IPA KDC for machines in the same domain/realm.

As a migration strategy what you can do is to slowly move machines by
putting CNAMEs in the AD DNS that point the old company.tld names to the
new ipa domain names. This allows a slow smooth transition one machine
at a time for those which you need to keep visible at the old address.

CNAMEs do the correct thing Kerberos-wise too, so clients will be able
to follow CNAME -> A name and then ask the correct Realm for the ticket.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
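
The CNAME behaviour Simo describes, modelled as an added example that is not part of the original thread: a client follows the legacy company.tld name through its CNAME to the IPA-managed name, then maps the canonical name to a realm with a krb5-style [domain_realm] lookup. The DNS records, the ipa.company.tld subdomain and the realm names are constructed assumptions; they are not from the thread.

```python
# Added example (not from the thread): how a Kerberos client ends up asking
# the right KDC once a legacy name is CNAMEd to its IPA-managed name.
from typing import Optional, Tuple

# Constructed DNS data. The AD DNS holds a CNAME for the legacy name that
# points at the IPA-managed name (the migration step described above).
# All host, domain and realm names below are illustrative assumptions.
DNS_CNAME = {
    "web1.company.tld": "web1.ipa.company.tld",
}
DNS_A = {
    "web1.ipa.company.tld": "10.0.0.21",
    "fileserver.company.internal": "10.0.0.5",
}

# krb5-style [domain_realm] mapping: a key with a leading dot matches any
# host under that domain, a key without one matches an exact host name.
DOMAIN_REALM = {
    ".ipa.company.tld": "IPA.COMPANY.TLD",
    "ipa.company.tld": "IPA.COMPANY.TLD",
    ".company.tld": "COMPANY.INTERNAL",
    ".company.internal": "COMPANY.INTERNAL",
}

def canonicalize(host: str, max_hops: int = 8) -> Tuple[str, str]:
    """Follow the CNAME chain until an A record; return (canonical name, address)."""
    name = host.lower().rstrip(".")
    for _ in range(max_hops):
        if name in DNS_A:
            return name, DNS_A[name]
        if name in DNS_CNAME:
            name = DNS_CNAME[name]
            continue
        raise LookupError(f"no A or CNAME record for {name}")
    raise LookupError(f"CNAME chain too long starting at {host}")

def realm_for_host(host: str) -> Optional[str]:
    """krb5 domain_realm rule: exact host first, then each parent domain with a dot."""
    name = host.lower().rstrip(".")
    if name in DOMAIN_REALM:
        return DOMAIN_REALM[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in DOMAIN_REALM:
            return DOMAIN_REALM[candidate]
    return None

def service_principal(service: str, host: str) -> str:
    """Principal the client requests for host after CNAME resolution."""
    canonical, _addr = canonicalize(host)
    realm = realm_for_host(canonical)
    if realm is None:
        raise LookupError(f"no realm mapping for {canonical}")
    return f"{service}/{canonical}@{realm}"
```

Without canonicalization the legacy name web1.company.tld still maps to COMPANY.INTERNAL, so the request would go to the AD KDC; whether a real client canonicalizes depends on its configuration (for MIT krb5, the dns_canonicalize_hostname setting).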