On ti, 11 heinä 2017, Pieter Baele via FreeIPA-users wrote:
Hi,

Is there a correct way to set up a public/private design using IPA for
Kerberos?
I am currently implementing Kerberos for our Hadoop cluster.

For communication between nodes, I use RFC 1918 addresses
This works properly, but adds a complexity for FreeIPA.

Hosts have a public interface which they use for IPA.
Ex. host/iictyibmls003.nix.infrabel...@nix.infrabel.be (a 10.x.x.x IP)

For the private 172.16.x.x IPs, I made DNS zones (+reverse) as well;
Hadoop uses DNS a lot.
(.local, in this case adapted to the location)
Ex. iictyibcls002.nix.infrabel.be.bdmzlocal. resolves to 172.16.2.2

The problem: Hadoop now wants to create Kerberos service principals for
the .local domain....
I have searched on the mailing list and other resources, but I am not sure
what the proper 'IPA way' is.

Adding a principal alias does not work (as I expected) --> STDERR: ipa:
ERROR: The host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not exist to
add a service to.
And if I try to add a host first, using correct DNS records (A and PTR),
this still results in

2017-07-11 06:57:27,072 - Failed to create principal, HTTP/
iictyibcls002.nix.infrabel.be.bdmzlo...@nix.infrabel.be - Failed to create
service principal for HTTP/
iictyibcls002.nix.infrabel.be.bdmzlo...@nix.infrabel.be
STDOUT:
STDERR: ipa: ERROR: Host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not
have corresponding DNS A/AAAA record
Make sure DNS server used by IPA master is able to resolve these hosts.
The IPA framework doesn't use /etc/hosts but rather asks the DNS server to
resolve the hostnames. If it gets an error, it means your DNS setup
isn't valid. If you run the DNS component of FreeIPA and the actual DNS server
for the bdmzlocal zone is different, create a forwarder.

--
/ Alexander Bokovoy
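An added check script (not from either poster) that repeats the lookup the IPA framework performs before `ipa service-add`, asking the master's DNS for the A record and the matching PTR instead of consulting /etc/hosts, and prints the forward-zone commands when the private zone is not resolvable. The host name comes from the thread; the resolver address, the zone name `bdmzlocal` and the forwarder address 192.0.2.53 are assumed placeholders.

```shell
#!/bin/sh
# Added example: verify that a host in the private zone resolves forward and
# reverse through the resolver the IPA master uses, as ipa service-add does.
# Assumed placeholders: RESOLVER, ZONE and FORWARDER must be adjusted.
RESOLVER="127.0.0.1"   # DNS server configured on the IPA master itself
ZONE="bdmzlocal"       # assumed name of the private forward zone
FORWARDER="192.0.2.53" # placeholder: server authoritative for that zone

# First A record for name $1 from resolver $2 (empty when unresolvable).
lookup_a() { dig +short -t A "$1" @"$2" | head -n 1; }
# PTR name for address $1 from resolver $2 (empty when unresolvable).
lookup_ptr() { dig +short -x "$1" @"$2" | head -n 1; }

# Decide whether name -> address -> name round-trips.
# $1 host name, $2 A answer, $3 PTR answer (trailing dots are ignored).
# Returns 0 when consistent, 1 when there is no A record, 2 when the PTR
# does not point back at the host.
dns_consistent() {
  host="${1%.}"; addr="$2"; ptr="${3%.}"
  [ -n "$addr" ] || return 1
  [ "$ptr" = "$host" ] || return 2
  return 0
}

# Live check for one host, with the remediation the reply above suggests.
check_host() {
  host="$1"
  addr=$(lookup_a "$host" "$RESOLVER")
  ptr=""
  [ -z "$addr" ] || ptr=$(lookup_ptr "$addr" "$RESOLVER")
  rc=0; dns_consistent "$host" "$addr" "$ptr" || rc=$?
  case $rc in
    0) echo "OK: $host -> $addr -> $ptr" ;;
    1) echo "No A record for $host via $RESOLVER; if another server owns"
       echo "the zone, forward it (and its reverse zone) from IPA, e.g.:"
       echo "  ipa dnsforwardzone-add $ZONE. --forwarder=$FORWARDER --forward-policy=only"
       echo "  ipa dnsforwardzone-add 16.172.in-addr.arpa. --forwarder=$FORWARDER --forward-policy=only" ;;
    2) echo "PTR for $addr is '$ptr', expected '$host'; fix the reverse zone" ;;
  esac
  return $rc
}

# Run the live check only when a host name is given on the command line.
[ $# -eq 0 ] || check_host "$1"
```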