#3544 [RFE] Integrate realmdomains-* commands with IPA DNS
Closed: Fixed None Opened 10 years ago by pspacek.

Realmdomain commands should add/delete SRV and TXT records as part of adding/deleting a realm. Optional parameter like --ignore-dns can be used to skip modification of DNS database.


It is actually the other way around -- when adding a zone managed by IPA, add a realmdomains entry for it.

When AD trust is established, upon validation AD DC is capable of fetching information about trusted forest configuration, including additional name suffixes to use when creating routing to trusted domain (us). This gives an opportunity to make multiple DNS domain configurations supported in AD trust.

When AD DC knows about these additional DNS domains, it is capable of properly asking our KDCs for tickets for services in those domains and trusting them via our trust.

This is how it looks from Windows side: http://abbra.fedorapeople.org/.paste/win2012-multiple-suffixes.png, and for the domains that Windows manages as a DNS server, it exposes the same list via the same SMB interface.

So from our side it means we need to hook into 'ipa dnszone-add' and 'ipa dnszone-del' to call 'ipa realmdomains-mod' for non-forwarded zones. I think we need to ignore any error when removing the domain from 'ipa realmdomains-mod --delete' because the domain in question might not be in the list of realm's domains by admin's intention.

Please also note that realmdomains information will also be used by SSSD to fetch and configure mapping between DNS domains and realms within IPA.

Another note: We should add _kerberos TXT record for IPA-managed zones during dnszone-add and realmdomains-add.

We can't expect that all clients have SSSD or Windows with AD trust. "Legacy" Kerberos clients can use this record for domain->realm mapping. This TXT record helps to avoid manual configuration of domain->realm mapping (in certain cases).
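The behaviour proposed in this ticket, modelled as an added example (not FreeIPA's own code, which lives in the ipalib plugins and talks to LDAP): the realm domain list and the IPA DNS zones are plain in-memory stand-ins so the logic runs offline, the realm `EXAMPLE.TEST` and the zone names are constructed sample values, and the function names `on_dnszone_add`, `on_dnszone_del` and `lookup_realm_for_domain` are hypothetical. It shows the three points raised above: forwarded zones are not added to realmdomains, a failing `--del-domain` on zone removal is ignored because the admin may have removed the domain on purpose, and a `_kerberos` TXT record is published so a legacy Kerberos client can map a host's DNS domain to the realm by walking up parent domains.

```python
"""In-memory model of the realmdomains / IPA DNS integration described in the ticket."""

REALM = "EXAMPLE.TEST"   # constructed sample realm, not from the ticket


def _norm(name):
    """Lower-case a DNS name and strip the trailing dot."""
    return name.lower().rstrip(".")


class RealmDomains:
    """Stand-in for 'ipa realmdomains-mod --add-domain / --del-domain'."""

    def __init__(self, domains):
        self.domains = {_norm(d) for d in domains}

    def add_domain(self, domain):
        self.domains.add(_norm(domain))

    def del_domain(self, domain):
        d = _norm(domain)
        if d not in self.domains:
            # the real command reports NotFound here
            raise KeyError(f"{d} is not a realm domain")
        self.domains.remove(d)


class DnsStore:
    """Stand-in for IPA-managed DNS: zones with a forward flag and TXT records."""

    def __init__(self):
        # zone name -> {"forward": bool, "txt": {relative owner: [values]}}
        self.zones = {}

    def add_zone(self, name, forward=False):
        self.zones[_norm(name)] = {"forward": forward, "txt": {}}

    def del_zone(self, name):
        del self.zones[_norm(name)]

    def add_txt(self, zone, owner, value):
        self.zones[_norm(zone)]["txt"].setdefault(owner, []).append(value)

    def txt(self, fqdn):
        """TXT values for an owner name as a resolver would see them ([] if none)."""
        fqdn = _norm(fqdn)
        matches = [z for z in self.zones if fqdn == z or fqdn.endswith("." + z)]
        if not matches:
            return []
        zone = max(matches, key=len)          # most specific zone wins
        owner = "@" if fqdn == zone else fqdn[: -len(zone) - 1]
        return list(self.zones[zone]["txt"].get(owner, []))


def on_dnszone_add(dns, realmdomains, zone, forward=False):
    """Hook for 'ipa dnszone-add': register non-forwarded zones as realm domains
    and publish the _kerberos TXT record. Returns True if the zone was registered."""
    dns.add_zone(zone, forward)
    if forward:
        return False                          # forwarded zone: not ours, leave realmdomains alone
    realmdomains.add_domain(zone)
    dns.add_txt(zone, "_kerberos", REALM)
    return True


def on_dnszone_del(dns, realmdomains, zone):
    """Hook for 'ipa dnszone-del': remove the domain from realmdomains, ignoring
    the case where the admin already took it out. Returns True if it was removed here."""
    dns.del_zone(zone)
    try:
        realmdomains.del_domain(zone)
        return True
    except KeyError:
        return False                          # not in the list by admin's intention


def lookup_realm_for_domain(dns, hostname):
    """Legacy-client style domain->realm mapping: query _kerberos.<name> TXT and
    walk up the parent domains until a record is found. Returns None if none exists."""
    labels = _norm(hostname).split(".")
    while labels:
        values = dns.txt("_kerberos." + ".".join(labels))
        if values:
            return values[0]
        labels = labels[1:]
    return None


if __name__ == "__main__":
    dns, rd = DnsStore(), RealmDomains(["example.test"])
    on_dnszone_add(dns, rd, "lab.example.test")
    on_dnszone_add(dns, rd, "corp.other.test", forward=True)
    print(sorted(rd.domains))
    print(lookup_realm_for_domain(dns, "host1.lab.example.test"))
```

The client-side lookup mirrors what a Kerberos library does when DNS realm lookup is enabled; since a TXT record is not authenticated unless DNSSEC validates it, MIT krb5 ships with `dns_lookup_realm` off by default, which is why the SSSD and AD-trust paths above remain the preferred way to learn the mapping.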

Metadata Update from @pspacek:
- Issue assigned to akrivoka
- Issue set to the milestone: FreeIPA 3.2 - 2013/04 (Beta)

7 years ago

