-rw-r--r--install/share/krb5.conf.template2
-rw-r--r--ipaserver/install/bindinstance.py38
-rw-r--r--ipaserver/install/krbinstance.py13
3 files changed, 40 insertions, 13 deletions
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 3bdbc9995..eda8ba6fe 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -22,7 +22,7 @@
[domain_realm]
.$DOMAIN = $REALM
$DOMAIN = $REALM
-
+$OTHER_DOMAIN_REALM_MAPS
[dbmodules]
$REALM = {
db_library = ipadb.so
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index ba8b7b5cc..ce3166122 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -395,7 +395,6 @@ class BindInstance(service.Service):
self.domain = domain_name
self.forwarders = forwarders
self.host = fqdn.split(".")[0]
- self.host_domain = '.'.join(fqdn.split(".")[1:])
self.suffix = util.realm_to_suffix(self.realm)
self.ntp = ntp
self.reverse_zone = reverse_zone
@@ -409,6 +408,21 @@ class BindInstance(service.Service):
self.__setup_sub_dict()
+ @property
+ def host_domain(self):
+ return '.'.join(self.fqdn.split(".")[1:])
+
+ @property
+ def host_in_rr(self):
+ # when a host is not in a default domain, it needs to be referred
+ # with FQDN and not in a domain-relative host name
+ if not self.host_in_default_domain():
+ return normalize_zone(self.fqdn)
+ return self.host
+
+ def host_in_default_domain(self):
+ return normalize_zone(self.host_domain) == normalize_zone(self.domain)
+
def create_sample_bind_zone(self):
bind_txt = ipautil.template_file(ipautil.SHARE_DIR + "bind.zone.db.template", self.sub_dict)
[bind_fd, bind_name] = tempfile.mkstemp(".db","sample.zone.")
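Review bot: The new `host_in_default_domain` decides membership by comparing `normalize_zone(self.host_domain)` with `normalize_zone(self.domain)`, while the parallel check added in krbinstance.py uses `self.fqdn.endswith(self.domain)`; the two can disagree, for example on a case difference in the domain, or for a host in `notexample.com` with default domain `example.com`, which `endswith` accepts as in-domain. One result selects the DNS zone that receives the service records and the other decides whether krb5.conf gets an extra domain_realm mapping, so the installer can produce DNS and Kerberos configuration that disagree on where the host lives; the krbinstance check (its hunk runs past the end of this view) should use the same comparison. `host_in_rr` would also benefit from a docstring such as `"""Name to put in RR data: the short host name when the host is in the default domain, otherwise its normalized FQDN."""`, and the comment's "needs to be referred with FQDN" should read "needs to be referred to by its FQDN".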
@@ -474,7 +488,7 @@ class BindInstance(service.Service):
if self.ntp:
optional_ntp = "\n;ntp server\n"
- optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host
+ optional_ntp += "_ntp._udp\t\tIN SRV 0 100 123\t%s""" % self.host_in_rr
else:
optional_ntp = ""
@@ -495,7 +509,7 @@ class BindInstance(service.Service):
self._ldap_mod("dns.ldif", self.sub_dict)
def __setup_zone(self):
- if self.host_domain != self.domain:
+ if not self.host_in_default_domain():
# add DNS domain for host first
root_logger.debug("Host domain (%s) is different from DNS domain (%s)!" \
% (self.host_domain, self.domain))
@@ -512,14 +526,14 @@ class BindInstance(service.Service):
def __add_self(self):
zone = self.domain
resource_records = (
- ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host),
+ ("_ldap._tcp", "SRV", "0 100 389 %s" % self.host_in_rr),
("_kerberos", "TXT", self.realm),
- ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host),
- ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host),
- ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host),
- ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host),
- ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host),
- ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host),
+ ("_kerberos._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
+ ("_kerberos._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
+ ("_kerberos-master._tcp", "SRV", "0 100 88 %s" % self.host_in_rr),
+ ("_kerberos-master._udp", "SRV", "0 100 88 %s" % self.host_in_rr),
+ ("_kpasswd._tcp", "SRV", "0 100 464 %s" % self.host_in_rr),
+ ("_kpasswd._udp", "SRV", "0 100 464 %s" % self.host_in_rr),
)
for (host, type, rdata) in resource_records:
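Review bot: Each `% self.host_in_rr` in the `resource_records` tuple re-evaluates the property, which in turn calls `host_in_default_domain()` and `normalize_zone` again; with seven records here plus the ntp and `_ntp._udp` uses elsewhere in this commit, the same string is recomputed about nine times. Binding it once before the tuple, `rr_host = self.host_in_rr`, and formatting with `% rr_host` reads more clearly and makes it obvious the value is the same for every record; note that `host` itself is already taken by the loop variable on the last line of the hunk.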
@@ -528,10 +542,10 @@ class BindInstance(service.Service):
else:
add_rr(zone, host, type, rdata)
if self.ntp:
- add_rr(zone, "_ntp._udp", "SRV", "0 100 123 %s" % self.host)
+ add_rr(zone, "_ntp._udp", "SRV", "0 100 123 %s" % self.host_in_rr)
# Add forward and reverse records to self
- add_fwd_rr(zone, self.host, self.ip_address)
+ add_fwd_rr(self.host_domain, self.host, self.ip_address)
if self.reverse_zone is not None and dns_zone_exists(self.reverse_zone):
add_ptr_rr(self.reverse_zone, self.ip_address, self.fqdn)
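Review bot: `add_fwd_rr(self.host_domain, self.host, self.ip_address)` now targets the zone named by the raw dotted tail of the FQDN where the old code used `zone` (`self.domain`), so the A record only lands in the right place if `add_fwd_rr` treats that string the same way as the name under which the zone was created (`self.domain` for the default case, or whatever `__setup_zone` uses when it adds the host domain); a mixed-case or trailing-dot difference could make it a different zone name. The PTR branch on the next line guards with `dns_zone_exists(self.reverse_zone)`; the forward record deserves a matching `if dns_zone_exists(self.host_domain):` with a logged error when the zone is missing, rather than an unguarded call. `__add_self` starts outside this hunk.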
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 02890ac96..f38ae9b42 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -233,6 +233,19 @@ class KrbInstance(service.Service):
SERVER_ID=dsinstance.realm_to_serverid(self.realm),
REALM=self.realm)
+ # IPA server/KDC is not a subdomain of default domain
+ # Proper domain-realm mapping needs to be specified
+ dr_map = ''
+ if not self.fqdn.endswith(self.domain):
+ root_logger.debug("IPA FQDN '%s' is not located in default domain '%s'" \
+ % (self.fqdn, self.domain))
+ server_host, dot, server_domain = self.fqdn.partition('.')
+ root_logger.debug("Domain '%s' needs additional mapping in krb5.conf" \
+ % server_domain)
+ dr_map = " .%(domain)s = %(realm)s\n %(domain)s = %(realm)s\n" \
+ % dict(domain=server_domain, realm=self.realm)
+ self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
+
def __configure_sasl_mappings(self):
# we need to remove any existing SASL mappings in the directory as otherwise they
# they may conflict.