I have an IPA installation with an AD trust from ipa.mydomain.at to ad.mydomain.at.
What is the Realm domains feature for? Is it possible to define an IPA subdomain (e.g. test.ipa.mydomain.at) as an additional realm domain? Will Kerberos and AD trust (configured for ipa.mydomain.at) work for this domain?
Cheers, Ronald
On Tue, 01 Oct 2019, Ronald Wimmer via FreeIPA-users wrote:
> I have an IPA installation with an AD trust from ipa.mydomain.at to ad.mydomain.at.
> What is the Realm domains feature for? Is it possible to define an IPA subdomain (e.g. test.ipa.mydomain.at) as an additional realm domain? Will Kerberos and AD trust (configured for ipa.mydomain.at) work for this domain?
Realm domains are for allowing IPA to tell AD DCs, when trust is established, that when accessing services in these additional domains, authentication has to be routed through IPA.
It is for the cases when you have ipa.mydomain.at but need to add something.else as a domain to your realm. Trust topology then would include 'something.else' as a DNS domain that belongs to the IPA domain, and AD DCs will correctly recognize they need to issue cross-realm tickets when Windows machines ask for a Kerberos service ticket to, say, the HTTP/www.something.else SPN.
For subdomains it is not needed to add an explicit realm domain because ipa.mydomain.at already covers routing to test.ipa.mydomain.at from the trust topology point of view.
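As an added illustration (not part of this thread or of FreeIPA's own code), the following models the DNS-suffix routing the reply describes: a host is routed to the realm whose listed domain is the longest suffix of its name, so test.ipa.mydomain.at is already covered by ipa.mydomain.at while something.else needs its own entry. The realm names, domain lists and hostnames are constructed sample values, and the suffix rule is a simplified model of the trust-topology and krb5 [domain_realm] matching, not the actual DC or libkrb5 implementation.

```python
"""Model of how a hostname is routed to a Kerberos realm from the realm-domain
list (longest DNS-suffix match), mirroring krb5 [domain_realm] lookup order.
Domain names here (mydomain.at, something.else) are constructed sample values."""

IPA_REALM = "IPA.MYDOMAIN.AT"
AD_REALM = "AD.MYDOMAIN.AT"

# Realm domains as `ipa realmdomains-show` would list them, after an admin has
# added the extra domain with `ipa realmdomains-mod --add-domain=something.else`.
IPA_REALM_DOMAINS = ["ipa.mydomain.at", "something.else"]
AD_REALM_DOMAINS = ["ad.mydomain.at"]


def realm_for_host(hostname, realm_map):
    """Return the realm owning `hostname`, or None if no realm domain covers it.

    realm_map: {realm: [dns domains]}.  A host matches a domain when it is the
    domain itself or lies anywhere beneath it, so test.ipa.mydomain.at is
    covered by ipa.mydomain.at without being listed.  The longest matching
    domain wins, as in krb5's [domain_realm] handling, so a more specific
    entry can override a parent one.
    """
    host = hostname.lower().rstrip(".")
    best_domain, best_realm = None, None
    for realm, domains in realm_map.items():
        for domain in domains:
            d = domain.lower().rstrip(".")
            if host == d or host.endswith("." + d):
                if best_domain is None or len(d) > len(best_domain):
                    best_domain, best_realm = d, realm
    return best_realm


def domain_realm_stanza(realm_map):
    """Render the equivalent krb5.conf [domain_realm] section for the map."""
    lines = ["[domain_realm]"]
    for realm, domains in realm_map.items():
        for domain in domains:
            lines.append(f"  .{domain} = {realm}")
            lines.append(f"  {domain} = {realm}")
    return "\n".join(lines)


REALM_MAP = {IPA_REALM: IPA_REALM_DOMAINS, AD_REALM: AD_REALM_DOMAINS}

if __name__ == "__main__":
    for host in ["web01.test.ipa.mydomain.at", "www.something.else",
                 "dc1.ad.mydomain.at", "host.other.example"]:
        print(f"{host:32} -> {realm_for_host(host, REALM_MAP)}")
    print(domain_realm_stanza(REALM_MAP))
```

A host under mydomain.at that is neither beneath ipa.mydomain.at nor ad.mydomain.at resolves to no realm, which is the case an explicit realm domain entry is meant to fix.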