Hi,

Is there a correct way to set up a public/private design using IPA for
Kerberos?
I am currently implementing Kerberos for our Hadoop cluster.

For communication between nodes, I use RFC 1918 addresses.
This works properly, but adds complexity for FreeIPA.

Hosts have a public interface which they use for IPA.
Ex. host/iictyibmls003.nix.infrabel...@nix.infrabel.be (a 10.x.x.x IP)

For the private 172.16.x.x IPs, I made DNS zones (+reverse) as well;
Hadoop uses DNS a lot.
(.local, in this case adapted to the location)
Ex. iictyibcls002.nix.infrabel.be.bdmzlocal. resolves to 172.16.2.2

The problem: Hadoop now wants to create Kerberos service principals for
the .local domain...
I have searched on the mailing list and other resources, but I am not sure
what the proper 'IPA way' is.

Adding a principal alias does not work (as I expected) --> STDERR: ipa:
ERROR: The host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not exist to
add a service to.
And if I try to add a host first, using correct DNS records (A and PTR),
this still results in

2017-07-11 06:57:27,072 - Failed to create principal, HTTP/
iictyibcls002.nix.infrabel.be.bdmzlo...@nix.infrabel.be - Failed to create
service principal for HTTP/
iictyibcls002.nix.infrabel.be.bdmzlo...@nix.infrabel.be
STDOUT:
STDERR: ipa: ERROR: Host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not
have corresponding DNS A/AAAA record

Was there something about a (kadmin) override?

Thx a lot!
Pieter
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
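As an added example (this is not code from the FreeIPA project and not part of the original post): the second error in the post is FreeIPA refusing a host entry because its name has no A/AAAA record, and Hadoop's own GSSAPI clients additionally rely on forward/reverse agreement. The script below is a preflight check that, for every name a service principal will carry, verifies the forward record exists and that each address's PTR points back to the same name, and prints the principal as `service/fqdn@REALM` so the operator can see what `ipa service-add` will be asked to create. It assumes the realm NIX.INFRABEL.BE, and its DNS records are constructed for the demonstration (only the 172.16.2.2 address comes from the post); `system_resolver()` swaps in the host's real stub resolver.

```python
"""Preflight check before `ipa host-add` / `ipa service-add`: every name a
service principal will carry needs a forward A/AAAA record and a PTR that
points back to the same name, otherwise enrollment fails as in the post.

Added example, not code from the FreeIPA project or from the original post.
The DNS records are constructed for the demonstration; use system_resolver()
to query real zones instead.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed records. 172.16.2.2 is the address the post gives for the
# .bdmzlocal name; the other values are invented for the demo.
FORWARD = {
    "iictyibcls002.nix.infrabel.be": ["10.1.2.2"],
    "iictyibcls002.nix.infrabel.be.bdmzlocal": ["172.16.2.2"],
    "iictyibcls003.nix.infrabel.be.bdmzlocal": ["172.16.2.3"],
}
REVERSE = {
    "10.1.2.2": "iictyibcls002.nix.infrabel.be",
    "172.16.2.2": "iictyibcls002.nix.infrabel.be.bdmzlocal",
    "172.16.2.3": "iictyibcls003.nix.infrabel.be",  # A/PTR mismatch on purpose
}

# A resolver is a pair: forward(name) -> [ip, ...] and reverse(ip) -> name or None.
Resolver = Tuple[Callable[[str], List[str]], Callable[[str], Optional[str]]]


def table_resolver(fwd=FORWARD, rev=REVERSE) -> Resolver:
    """Offline resolver over the constructed records above."""
    return (lambda name: list(fwd.get(name.rstrip(".").lower(), [])),
            lambda ip: rev.get(ip))


def system_resolver() -> Resolver:
    """Resolver backed by the host's stub resolver, i.e. what `ipa` itself sees."""
    def fwd(name: str) -> List[str]:
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
        except socket.gaierror:
            return []

    def rev(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None
    return fwd, rev


@dataclass
class HostCheck:
    fqdn: str
    principal: str
    addresses: List[str] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def service_principal(service: str, fqdn: str, realm: str) -> str:
    """Principal as FreeIPA forms it: service/fqdn@REALM (host lowercase, realm uppercase)."""
    return f"{service}/{fqdn.rstrip('.').lower()}@{realm.upper()}"


def check_host(fqdn: str, realm: str, resolver: Resolver, service: str = "HTTP") -> HostCheck:
    """Report why `ipa host-add` / `ipa service-add` would reject this name."""
    fwd, rev = resolver
    name = fqdn.rstrip(".").lower()
    result = HostCheck(fqdn=name, principal=service_principal(service, name, realm))
    if "." not in name:
        result.problems.append("not a fully qualified name")
        return result
    result.addresses = fwd(name)
    if not result.addresses:
        # The condition behind "Host ... does not have corresponding DNS A/AAAA record".
        result.problems.append("no A/AAAA record")
        return result
    for ip in result.addresses:
        ptr = rev(ip)
        if ptr is None:
            result.problems.append(f"{ip}: no PTR record")
        elif ptr.rstrip(".").lower() != name:
            # With krb5's default rdns=true a client canonicalizes the service
            # host through the PTR, so a mismatch yields a ticket for a
            # principal that is not in the service's keytab.
            result.problems.append(f"{ip}: PTR points to {ptr}, not {name}")
    return result


def check_all(names: Iterable[str], realm: str, resolver: Resolver,
              service: str = "HTTP") -> Dict[str, HostCheck]:
    return {n: check_host(n, realm, resolver, service) for n in names}


if __name__ == "__main__":
    import sys
    # With arguments: check those names against real DNS; without: run the demo table.
    names = sys.argv[1:] or list(FORWARD)
    resolver = system_resolver() if sys.argv[1:] else table_resolver()
    for r in check_all(names, "NIX.INFRABEL.BE", resolver).values():  # realm is an assumption
        flag = "OK " if r.ok else "BAD"
        print(f"{flag} {r.principal}  {', '.join(r.addresses) or '-'}  {'; '.join(r.problems)}")
```

Run it with no arguments to see the three constructed cases (one clean, one with an A/PTR mismatch), or pass the hostnames you intend to enroll to check them against the resolver the IPA client actually uses; fix every BAD line before running `ipa host-add`.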