infrastructure

Realm Domains

Manage DNS domains associated with the IPA realm. Realm domains define which DNS domains are considered part of the IPA realm for authentication purposes. Features include domain addition and removal, automatic DNS validation, and realm domain listing for controlling which domains participate in Kerberos authentication and service discovery.

2 commands
infrastructure

Manage the list of DNS domains associated with IPA realm.

This list is useful for Domain Controllers from other realms which have established trust with this IPA realm. They need the information to know which request should be forwarded to KDC of this IPA realm.

Automatic management: a domain is automatically added to the realm domains list when a new DNS Zone managed by IPA is created. Same applies for deletion.

Externally managed DNS: domains which are not managed in IPA server DNS need to be manually added to the list using ipa realmdomains-mod command.

EXAMPLES

Display the current list of realm domains:

ipa realmdomains-show

Replace the list of realm domains:

ipa realmdomains-mod --domain=example.com
ipa realmdomains-mod --domain={example1.com,example2.com,example3.com}

Add a domain to the list of realm domains:

ipa realmdomains-mod --add-domain=newdomain.com

Delete a domain from the list of realm domains:

ipa realmdomains-mod --del-domain=olddomain.com

Commands

realmdomains-mod

Usage: ipa [global-options] realmdomains-mod [options]

Modify realm domains

DNS check: When manually adding a domain to the list, a DNS check is
performed by default. It ensures that the domain is associated with
the IPA realm, by checking whether the domain has a _kerberos TXT record
containing the IPA realm name. This check can be skipped by specifying
--force option.

Removal: when a realm domain which has a matching DNS zone managed by
IPA is being removed, a corresponding _kerberos TXT record in the zone is
removed automatically as well. Other records in the zone or the zone
itself are not affected.

Options

OptionDescription
--domain DOMAINDomain
--add-domain ADD-DOMAINAdd domain
--del-domain DEL-DOMAINDelete domain
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--forceForce adding domain even if not in DNS
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

realmdomains-show

Usage: ipa [global-options] realmdomains-show [options]

Display the list of realm domains.

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

Use Cases

Configuring Trust with Active Directory

When establishing a trust with an Active Directory domain, the realm domains list must include all DNS domains that should be authenticated by the IPA KDC. Domain Controllers use this information to route authentication requests correctly.

# Display current realm domains
ipa realmdomains-show
  Domain: ipa.example.com

# Add AD domain and subdomains to realm domains list
ipa realmdomains-mod --add-domain=ad.corp.example.com
ipa realmdomains-mod --add-domain=eu.ad.corp.example.com
ipa realmdomains-mod --add-domain=us.ad.corp.example.com

# Verify realm domains configuration
ipa realmdomains-show
  Domain: ipa.example.com, ad.corp.example.com, eu.ad.corp.example.com, us.ad.corp.example.com

# AD Domain Controllers now know to forward authentication
# for these domains to the IPA KDC

Managing Multi-Site Deployments

Organizations with multiple geographic locations often use separate DNS domains for each site. All domains participating in the IPA realm must be listed in realm domains for proper Kerberos authentication routing.

# Add domain for European subsidiary
ipa realmdomains-mod --add-domain=europe.example.com

# Add domain for Asian subsidiary
ipa realmdomains-mod --add-domain=asia.example.com

# Add domain for North American subsidiary
ipa realmdomains-mod --add-domain=northamerica.example.com

# All three domains now participate in the IPA realm
# Users from europe.example.com can authenticate to services
# in asia.example.com using Kerberos SSO

Adding External DNS Domains Not Managed by IPA

When DNS zones are managed by external DNS servers (not IPA’s integrated DNS), domains must be manually added to the realm domains list. The DNS validation check ensures _kerberos TXT records exist.

# External DNS domain with proper _kerberos TXT record
# DNS administrator has created:
# _kerberos.external.example.com TXT "EXAMPLE.COM"

# Add external domain with DNS validation
ipa realmdomains-mod --add-domain=external.example.com
  _____________________________________________
  Modified realm domains
  _____________________________________________
  Domain: ipa.example.com, external.example.com
  _____________________________________________

# If _kerberos TXT record is missing or incorrect, command fails
# Use --force to bypass validation (not recommended for production)
ipa realmdomains-mod --add-domain=untrusted.example.com --force

Removing Deprecated Domains After Merger

After corporate mergers or reorganizations, old domains may need removal from the realm domains list to prevent authentication attempts to decommissioned infrastructure.

# List current realm domains
ipa realmdomains-show
  Domain: ipa.example.com, oldcorp.example.com, newcorp.example.com

# Remove acquired company's domain after migration complete
ipa realmdomains-mod --del-domain=oldcorp.example.com

# If the domain has a matching IPA-managed DNS zone,
# the _kerberos TXT record is automatically removed from the zone
# The zone itself remains intact with other records

Bulk Replacement of Realm Domains

During major infrastructure changes, replacing the entire realm domains list atomically ensures consistent configuration without incremental modifications.

# Display current realm domains
ipa realmdomains-show
  Domain: ipa.example.com, old1.example.com, old2.example.com

# Replace entire list with new domain set
ipa realmdomains-mod --domain={ipa.example.com,new1.example.com,new2.example.com,new3.example.com}

# All previous domains are removed, new set is active
ipa realmdomains-show
  Domain: ipa.example.com, new1.example.com, new2.example.com, new3.example.com

Synchronizing Realm Domains with DNS Zone Creation

When IPA’s integrated DNS creates a new zone, the domain is automatically added to realm domains. Manual verification ensures consistency.

# Create new DNS zone using IPA integrated DNS
ipa dnszone-add branch.example.com --name-server=ipa01.example.com. \
  --admin-email=hostmaster.example.com

# Verify domain was automatically added to realm domains
ipa realmdomains-show
  Domain: ipa.example.com, branch.example.com

# _kerberos TXT record automatically created in new zone
ipa dnsrecord-show branch.example.com _kerberos
  Record name: _kerberos
  TXT record: "EXAMPLE.COM"

Handling DNS Validation Failures

When adding domains to realm domains, DNS validation checks for _kerberos TXT records. Validation failures indicate DNS misconfiguration requiring resolution before trust establishment.

# Attempt to add domain without proper _kerberos TXT record
ipa realmdomains-mod --add-domain=notready.example.com
  ipa: ERROR: DNS check failed: _kerberos TXT record not found

# Coordinate with DNS administrators to create record
# External DNS: _kerberos.notready.example.com TXT "EXAMPLE.COM"

# Retry after DNS propagation (wait 5-15 minutes)
ipa realmdomains-mod --add-domain=notready.example.com
  Modified realm domains

# For emergency situations, bypass validation with --force
# WARNING: Bypassing validation can break trust authentication
ipa realmdomains-mod --add-domain=emergency.example.com --force

Auditing Realm Domain Configuration

Regular audits ensure realm domains configuration matches current organizational DNS structure and trust relationships.

# Display all realm domains
ipa realmdomains-show
  Domain: ipa.example.com, trusted1.example.com, trusted2.example.com

# For each domain, verify DNS configuration
for domain in $(ipa realmdomains-show --raw | grep associateddomain: | awk '{print $2}'); do
  echo "Checking $domain..."
  dig +short _kerberos.$domain TXT
done
  Checking ipa.example.com...
  "EXAMPLE.COM"
  Checking trusted1.example.com...
  "EXAMPLE.COM"
  Checking trusted2.example.com...
  "EXAMPLE.COM"

# All domains have correct _kerberos TXT records

Managing Realm Domains in Multi-Master Replication

Realm domains configuration is replicated across all IPA masters. Changes on any master propagate to all replicas, ensuring consistent authentication routing.

# Modify realm domains on any IPA master
ipa realmdomains-mod --add-domain=newdomain.example.com

# Wait for replication (typically seconds, up to minutes)
sleep 10

# Verify replication to other masters
for server in ipa01.example.com ipa02.example.com ipa03.example.com; do
  echo "Checking $server..."
  ipa -s $server realmdomains-show | grep newdomain.example.com
done
  Checking ipa01.example.com...
  Domain: [...] newdomain.example.com
  Checking ipa02.example.com...
  Domain: [...] newdomain.example.com
  Checking ipa03.example.com...
  Domain: [...] newdomain.example.com

Configuring Realm Domains for Cross-Forest Trusts

Cross-forest Active Directory trusts require careful realm domains configuration to ensure authentication requests route correctly between IPA and multiple AD forests.

# Establish trust with first AD forest
ipa trust-add ad-forest1.corp --type=ad --admin=Administrator --password

# Add all domains in first forest to realm domains
ipa realmdomains-mod --add-domain=ad-forest1.corp
ipa realmdomains-mod --add-domain=sub1.ad-forest1.corp
ipa realmdomains-mod --add-domain=sub2.ad-forest1.corp

# Establish trust with second AD forest
ipa trust-add ad-forest2.corp --type=ad --admin=Administrator --password

# Add all domains in second forest to realm domains
ipa realmdomains-mod --add-domain=ad-forest2.corp
ipa realmdomains-mod --add-domain=emea.ad-forest2.corp
ipa realmdomains-mod --add-domain=apac.ad-forest2.corp

# All six AD domains now route authentication to correct forest
# IPA users can access resources in both AD forests with SSO

Security Considerations

DNS validation bypass risks: Using --force to skip DNS validation can lead to authentication failures or security issues if _kerberos TXT records are missing or incorrect. Always create proper DNS records before adding domains to production realm domains lists.

Trust relationship integrity: Incorrect realm domains configuration breaks Active Directory trust authentication. Users from trusted domains cannot authenticate, and Domain Controllers cannot route requests correctly. Test realm domains changes in non-production environments first.

DNS spoofing attacks: If an attacker can control DNS responses for _kerberos TXT records, they can potentially redirect authentication traffic. Secure DNS with DNSSEC and restrict zone transfer permissions to prevent unauthorized DNS modifications.

Realm domains and Kerberos security: Realm domains list determines which DNS domains participate in Kerberos authentication. Adding untrusted domains to this list can expose the realm to cross-realm authentication attacks from compromised domains.

Replication timing windows: Realm domains changes replicate across IPA masters asynchronously. During replication, different masters have inconsistent realm domains lists, potentially causing intermittent authentication failures. Schedule changes during maintenance windows.

Automatic domain addition: IPA-managed DNS zones automatically add domains to realm domains. Unintended zone creation (typos, testing) can pollute the realm domains list. Review realm domains regularly and remove unintended entries.

Deletion safety: Removing active domains from realm domains breaks authentication for users in those domains. Coordinate with user communities before removal, and schedule deletions during maintenance windows with rollback plans.

_kerberos TXT record exposure: _kerberos TXT records publicly advertise Kerberos realm association, revealing infrastructure details to potential attackers. This is inherent to Kerberos cross-realm operation and cannot be avoided.

Cross-forest trust implications: In cross-forest AD trusts, realm domains configuration determines authentication routing. Incorrect configuration can route authentication to wrong forests, causing access denials or exposing credentials to unintended forest administrators.

Realm domains and DNS zones divergence: Realm domains list and IPA-managed DNS zones can diverge if domains are manually removed from realm domains but zones remain. This creates confusion and potential configuration errors. Keep realm domains synchronized with active DNS zones.

Insufficient DNS record validation: --force bypasses _kerberos TXT record validation but doesn’t verify domain ownership or authority. Attackers controlling DNS can add domains without actual administrative authority over those domains.

Audit trail gaps: Realm domains modifications are logged but changes to external DNS _kerberos TXT records (which enable realm domain authentication) are not. Monitor both IPA audit logs and external DNS change logs for complete visibility.

Troubleshooting

DNS Check Failed When Adding Domain

Symptom: ipa realmdomains-mod --add-domain=domain.example.com fails with “DNS check failed: _kerberos TXT record not found”.

Diagnosis: IPA cannot find the required _kerberos TXT record at _kerberos.domain.example.com.

Resolution: Create the _kerberos TXT record in DNS with the IPA realm name:

# For IPA-managed DNS zones
ipa dnsrecord-add domain.example.com _kerberos --txt-rec="EXAMPLE.COM"

# For external DNS, coordinate with DNS administrators
# Required record: _kerberos.domain.example.com TXT "EXAMPLE.COM"

# Verify DNS propagation
dig +short _kerberos.domain.example.com TXT

# Retry domain addition after DNS propagation (5-15 minutes)
ipa realmdomains-mod --add-domain=domain.example.com

Incorrect Realm Name in _kerberos TXT Record

Symptom: ipa realmdomains-mod --add-domain=domain.example.com fails with “DNS check failed: _kerberos TXT record contains wrong realm name”.

Diagnosis: The _kerberos TXT record exists but contains an incorrect realm name (e.g., “WRONG.COM” instead of “EXAMPLE.COM”).

Resolution: Correct the _kerberos TXT record to match the IPA realm name:

# Show current IPA realm name
ipa config-show | grep "IPA realm"
  IPA realm: EXAMPLE.COM

# For IPA-managed DNS, update the record
ipa dnsrecord-mod domain.example.com _kerberos --txt-rec="EXAMPLE.COM"

# Verify correction
dig +short _kerberos.domain.example.com TXT
  "EXAMPLE.COM"

# Retry domain addition
ipa realmdomains-mod --add-domain=domain.example.com

Cannot Remove Domain: Used by Active Trust

Symptom: ipa realmdomains-mod --del-domain=trusted.ad.corp fails with “Cannot remove domain: used by active trust”.

Diagnosis: The domain is associated with an Active Directory trust relationship and cannot be removed while the trust is active.

Resolution: Remove the trust first, then remove the domain:

# List active trusts
ipa trust-find

# Remove the trust using the domain
ipa trust-del trusted.ad.corp

# Now remove the domain from realm domains
ipa realmdomains-mod --del-domain=trusted.ad.corp

Realm Domains Change Not Replicating

Symptom: Realm domains modification on one IPA master doesn’t appear on other replicas after several minutes.

Diagnosis: Replication issues between IPA masters prevent realm domains configuration synchronization.

Resolution: Check replication status and force replication if necessary:

# Check replication agreements status
ipa-replica-manage list
ipa-replica-manage list-ruv

# Force replication from master with correct configuration
ipa-replica-manage re-initialize --from=ipa01.example.com

# Verify realm domains after replication
ipa realmdomains-show

Users from Trusted Domain Cannot Authenticate

Symptom: Users from ad.corp.example.com cannot authenticate to IPA-enrolled systems despite active trust.

Diagnosis: The ad.corp.example.com domain is not in the IPA realm domains list.

Resolution: Add the trusted AD domain to realm domains:

# Verify domain is missing from realm domains
ipa realmdomains-show | grep ad.corp.example.com

# Add the AD domain
ipa realmdomains-mod --add-domain=ad.corp.example.com

# Verify addition
ipa realmdomains-show
  Domain: ipa.example.com, ad.corp.example.com

# Test authentication from trusted domain
kinit user@AD.CORP.EXAMPLE.COM

Automatic Domain Addition Not Working

Symptom: Creating a new IPA-managed DNS zone doesn’t automatically add the domain to realm domains.

Diagnosis: Automatic domain addition failed due to _kerberos TXT record creation failure or replication issues.

Resolution: Manually add the domain and verify _kerberos TXT record:

# Create DNS zone
ipa dnszone-add newzone.example.com

# Manually add domain to realm domains
ipa realmdomains-mod --add-domain=newzone.example.com

# Verify _kerberos TXT record was created
ipa dnsrecord-show newzone.example.com _kerberos
  Record name: _kerberos
  TXT record: "EXAMPLE.COM"

# If missing, create it manually
ipa dnsrecord-add newzone.example.com _kerberos --txt-rec="EXAMPLE.COM"

Realm Domains List Shows Deleted DNS Zone

Symptom: ipa realmdomains-show displays a domain whose DNS zone was deleted from IPA.

Diagnosis: DNS zone deletion removes the zone but may not remove the domain from realm domains automatically.

Resolution: Manually remove the domain from realm domains:

# Verify DNS zone is deleted
ipa dnszone-find oldzone.example.com
  0 zones matched

# Remove domain from realm domains
ipa realmdomains-mod --del-domain=oldzone.example.com

# Verify removal
ipa realmdomains-show

DNS Validation Succeeds But Domain Still Not Working

Symptom: Domain added successfully to realm domains with DNS validation, but authentication from that domain fails.

Diagnosis: _kerberos TXT record exists but DNS resolution from client systems or Domain Controllers fails due to network/firewall issues.

Resolution: Verify DNS resolution from all relevant systems:

# From IPA server, test DNS resolution
dig +short _kerberos.problematic.example.com TXT

# From AD Domain Controller, test DNS resolution
# (on Windows DC)
nslookup -type=TXT _kerberos.problematic.example.com

# From IPA clients, test DNS resolution
dig +short _kerberos.problematic.example.com TXT

# If DNS resolution fails from some systems, check:
# - DNS forwarder configuration on IPA servers
# - Firewall rules blocking DNS queries
# - DNS zone delegation configuration

Force-Added Domain Causes Authentication Failures

Symptom: Domain added with --force (bypassing DNS validation) causes authentication failures for users in that domain.

Diagnosis: The _kerberos TXT record doesn’t exist or is incorrect, but --force bypassed validation.

Resolution: Create the missing _kerberos TXT record:

# Check current _kerberos TXT record
dig +short _kerberos.forced.example.com TXT
  (no output - record missing)

# Create the record
ipa dnsrecord-add forced.example.com _kerberos --txt-rec="EXAMPLE.COM"

# Verify DNS propagation
dig +short _kerberos.forced.example.com TXT
  "EXAMPLE.COM"

# Wait for DNS caching to expire (typically 5-15 minutes)
# Test authentication
kinit user@FORCED.EXAMPLE.COM

Realm Domains Modification Fails with Permission Denied

Symptom: ipa realmdomains-mod fails with “Insufficient access: Insufficient ‘write’ privilege”.

Diagnosis: User lacks administrative privileges to modify realm domains configuration.

Resolution: Ensure user has appropriate role (Domain Administrator or Configuration Administrator):

# Check user's roles
ipa user-show admin --all | grep -i role

# Grant Configuration Administrator role if needed
ipa role-add-member "Configuration Administrator" --users=adminuser

# Verify permission
ipa realmdomains-show --rights
  Attribute rights: [...] write: [...] realmdomains [...]

# Retry modification
ipa realmdomains-mod --add-domain=newdomain.example.com

Realm Domains Show Empty or Missing

Symptom: ipa realmdomains-show returns empty domain list or “not found” error.

Diagnosis: Realm domains configuration object is missing or corrupted in LDAP directory.

Resolution: Reinitialize realm domains configuration:

# Attempt to show realm domains
ipa realmdomains-show
  ipa: ERROR: realm domains not found

# Reinitialize by modifying with at least the base domain
ipa realmdomains-mod --domain=ipa.example.com

# Verify restoration
ipa realmdomains-show
  Domain: ipa.example.com

# Add additional domains as needed
ipa realmdomains-mod --add-domain=other.example.com

_kerberos TXT Record Not Removed After Domain Deletion

Symptom: After removing a domain from realm domains, the _kerberos TXT record still exists in the IPA-managed DNS zone.

Diagnosis: Automatic _kerberos TXT record removal only occurs for IPA-managed DNS zones when the domain exactly matches the zone name. Subdomains or external DNS zones are not affected.

Resolution: Manually remove the _kerberos TXT record if needed:

# Remove domain from realm domains
ipa realmdomains-mod --del-domain=subdomain.zone.example.com

# Check if _kerberos record still exists
ipa dnsrecord-show subdomain.zone.example.com _kerberos
  Record name: _kerberos
  TXT record: "EXAMPLE.COM"

# Manually remove the record
ipa dnsrecord-del subdomain.zone.example.com _kerberos --txt-rec="EXAMPLE.COM"

# Verify removal
ipa dnsrecord-show subdomain.zone.example.com _kerberos
  ipa: ERROR: _kerberos: DNS resource record not found

Realm Domains Configuration Conflicts After Split-Brain

Symptom: After network partition resolution, different IPA masters have conflicting realm domains configurations.

Diagnosis: Realm domains were modified on isolated masters during network partition, creating replication conflicts.

Resolution: Identify authoritative configuration and force replication:

# Check realm domains on each master
for server in ipa01.example.com ipa02.example.com ipa03.example.com; do
  echo "=== $server ==="
  ipa -s $server realmdomains-show
done

# Determine authoritative master (typically the one with most complete/recent config)
# Force replication from authoritative master
ipa-replica-manage re-initialize --from=ipa01.example.com

# Verify consistency after replication
ipa realmdomains-show

Bulk Domain Replacement Removes Wrong Domains

Symptom: After ipa realmdomains-mod --domain={list}, important domains are missing from realm domains.

Diagnosis: Bulk replacement with --domain replaces the entire list. If any domain is omitted from the list, it’s removed.

Resolution: Re-add missing domains incrementally:

# Check current realm domains
ipa realmdomains-show
  Domain: ipa.example.com, accidentally-kept.example.com

# Identify missing domains from backups or documentation
# Re-add missing domains individually
ipa realmdomains-mod --add-domain=missing1.example.com
ipa realmdomains-mod --add-domain=missing2.example.com
ipa realmdomains-mod --add-domain=missing3.example.com

# Verify complete list
ipa realmdomains-show
  Domain: ipa.example.com, accidentally-kept.example.com,
          missing1.example.com, missing2.example.com, missing3.example.com

Related Topics