On Fri, 25 Oct 2013, david t. klein wrote:
> The most straightforward and maintainable (from the point of view of sensible and obvious data) is to have two FreeIPA domains, each with Krb5 realm the same as its DNS domain, and then set up cross-realm Krb trusts.
Right now FreeIPA does not support trusts with another FreeIPA domain, only with an Active Directory forest. This means that while you would be able to set up cross-realm principals manually and authentication would work, identity for those trusted principals would not be established automatically upon logon to IPA clients in either domain.
One would need to make sure SSSD configuration on all machines where users from both realms would need to log in includes definitions for both IPA domains, and krb5.conf would include proper auth_to_local rules for both realms. It is doable, just an additional amount of work on top of manual cross-realm trust account creation.

In FreeIPA we don't place restrictions on DNS domains in the same IPA realm other than the fact that one of the DNS domains for the realm should be equivalent to the realm name (example.com for EXAMPLE.COM), or otherwise cross-forest trust with Active Directory would not work -- Active Directory enforces the "domain equal realm" rule and automatically searches for service records in the DNS domain named as the realm. IPA machines (clients and servers) can be in whatever DNS domains they want, just that service records for IPA masters should be resolvable in the DNS domain named as the realm (again, for the AD trusts case; normal GNU/Linux operations do not require that due to domain-realm mapping set up at client enrollment already).

In FreeIPA 3.2+ we handle these additional DNS domains through 'ipa realmdomains' CLI commands (hooked up into DNS management, so that each time a new DNS domain is encountered, the realmdomains list is updated, even if we do not handle it directly) and expose them to the trusted Active Directory domain so that name suffix routing is correctly set up for these additional DNS domains belonging to the IPA namespace. However, as we don't yet have a formal IPA-IPA trusted relationship, much of the work for this case is not automated.

-- 
Alexander Bokovoy
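A constructed sketch of the client-side configuration the reply describes, added here as an example and not taken from the thread or from FreeIPA itself: the realm names EXAMPLE.COM and EXAMPLE.NET, host names, search base and CA file path are assumptions, and the second SSSD domain is assumed to use the generic LDAP and Kerberos providers because the client holds a keytab only for its own realm (clients enrolled in EXAMPLE.NET would carry the mirror image of these rules).

```ini
# /etc/krb5.conf on a client enrolled in EXAMPLE.COM (constructed example)
[libdefaults]
  default_realm = EXAMPLE.COM

[realms]
  EXAMPLE.COM = {
    kdc = ipa.example.com:88
    admin_server = ipa.example.com:749
    # The host's own realm decides how a trusted-realm principal becomes a
    # local user name: user@EXAMPLE.NET -> user@example.net, which SSSD then
    # resolves in the second domain below; DEFAULT keeps the usual mapping
    # (user@EXAMPLE.COM -> user) for principals of the local realm.
    auth_to_local = RULE:[1:$1@$0](^.*@EXAMPLE\.NET$)s/@EXAMPLE\.NET/@example.net/
    auth_to_local = DEFAULT
  }
  EXAMPLE.NET = {
    kdc = ipa.example.net:88
    admin_server = ipa.example.net:749
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  .example.net = EXAMPLE.NET
  example.net = EXAMPLE.NET

# /etc/sssd/sssd.conf on the same client (constructed example)
[sssd]
  services = nss, pam
  domains = example.com, example.net

[domain/example.com]
  # Domain the host is enrolled in: the IPA provider uses the host keytab.
  id_provider = ipa
  ipa_domain = example.com
  ipa_server = _srv_, ipa.example.com
  krb5_realm = EXAMPLE.COM

[domain/example.net]
  # Trusted realm the host is not enrolled in (assumed): LDAP identity lookups
  # over TLS, Kerberos authentication against that realm's KDCs, and fully
  # qualified names so they match the auth_to_local output above.
  id_provider = ldap
  auth_provider = krb5
  ldap_uri = ldaps://ipa.example.net
  ldap_search_base = dc=example,dc=net
  ldap_schema = rfc2307bis
  ldap_tls_cacert = /etc/ipa/ca-example-net.crt
  krb5_realm = EXAMPLE.NET
  krb5_server = ipa.example.net
  use_fully_qualified_names = True
```

Without the auth_to_local rule, a GSSAPI logon as user@EXAMPLE.NET authenticates but maps to no local identity, which is the gap the reply points out; HBAC from the second realm does not apply on this host, so access control for those users has to be handled locally.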
