On Tue, 26 Jan 2021, White, Daniel E. (GSFC-770.0)[NICS] wrote:
> Many thanks, Alexander.
> The nature of the Beast I am dealing with is such that DNS is managed
> from "Upstream" and not by the AD-DC or the IdM server(s).
It doesn't really matter who provides DNS zones as long as they are
resolvable by both AD and IdM. For dynamic DNS updates it would matter,
of course, but not for anything else. Normal DNS domain handling rules
apply here.
> I was already using a variation of the SSH key authentication solution
> from Dmitri's blog post. As long as IdM manages the public keys,
> access control is maintained.
That's true.
> ______________________________________________________________________________________________
> Daniel E. White
> daniel.e.white@nasa.gov
> NASCOM Linux Engineer
> NASA Goddard Space Flight Center
> Science Applications International Corporation (SAIC)
> Office: (301) 286-6919
> Mobile: (240) 513-5290
> From: Alexander Bokovoy <abokovoy(a)redhat.com>
> Date: Tuesday, January 26, 2021 at 09:38
> To: FreeIPA-Users <freeipa-users(a)lists.fedorahosted.org>
> Cc: Daniel White <daniel.e.white(a)nasa.gov>
> Subject: [EXTERNAL] Re: [Freeipa-users] Questions about DNS client names in a FreeIPA / Active Directory trust
> On Tue, 26 Jan 2021, White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
> > OK, I know that the AD-DC and the IDM servers need matching Kerberos realm and DNS domain names.
> > Let's say AD.FOO.BAR.URP / IDM.FOO.BAR.URP for Kerberos and ad.foo.bar.urp / idm.foo.bar.urp for DNS.
> > I am using 4 labels to parallel the environment for which this is intended.
> > The DNS domain for the environment is foo.bar.urp and there is currently no FOO.BAR.URP AD-DC, but we eventually expect one from "Upstream" and hope to make AD.FOO.BAR.URP a Kerberos sub-realm/domain of it.
> > AD.FOO.BAR.URP and ad.foo.bar.urp were created.
> > IDM.FOO.BAR.URP and idm.foo.bar.urp will be created shortly and connected by a cross-forest trust. These, of course, will be sub-domains of AD.FOO.BAR.URP/ad.foo.bar.urp.
> > The confuzzlepation is about client domain names.
> > Do Linux clients need to use the idm.foo.bar.urp DNS domain or can they just use foo.bar.urp?
> > Same question for non-Linux clients -- ad.foo.bar.urp DNS domain or can they just use foo.bar.urp?
> A few years ago Dmitri created this blog post:
> https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.red...
> Please read it, it answers most of the questions. For technical details,
> please also look at
> https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.fre...
> > And does the lack of the "parent" Kerberos realm/domain FOO.BAR.URP complicate the matter?
> If you have an AD forest deployed at ad.foo.bar.urp, who cares about
> foo.bar.urp? ;)
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland