Hi Alexander,

That's what bothered me. All DNS zones are on IPA. So why the error....

Forwarding is only for other domains and the private 172.x addresses are
only necessary on the IPA joined hosts.

(However, what they call a multi-homed network design in Hadoop also
complicates other things considerably from a management perspective,
so probably I can't easily separate what may be kept internal and the
client communication this way, so I will need to use a design with one
network anyway)

thx
--
Pieter
On Tue, Jul 11, 2017 at 8:38 AM Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Tue, 11 Jul 2017, Pieter Baele via FreeIPA-users wrote:
> >Hi,
> >
> >Is there a correct way to setup a public/private design using IPA for
> >Kerberos?
> >I am currently implementing Kerberos for our Hadoop cluster.
> >
> >For communication between nodes, I use RFC 1918 addresses
> >This works properly, but adds a complexity for FreeIPA.
> >
> >Hosts have a public interface which they use for IPA.
> >Ex. host/iictyibmls003.nix.infrabel...@nix.infrabel.be (a 10.x.x.x IP)
> >
> >For the private 172.16.x.x IPs, I made DNS zones (+reverse) as well,
> >Hadoop uses DNS a lot.
> >(.local, in this case adapted to the location)
> >Ex. iictyibcls002.nix.infrabel.be.bdmzlocal. resolves to 172.16.2.2
> >
> >The problem: Hadoop now wants to create Kerberos service principals for
> >the .local domain....
> >I have searched on the mailinglist and other resources, but I am not sure
> >what the proper 'IPA way' is.
> >
> >Adding a principal alias does not work (as I expected) --> STDERR: ipa:
> >ERROR: The host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not exist
> >to add a service to.
> >And if I try to add a host first, using correct DNS records (A and PTR),
> >this still results in
> >
> >2017-07-11 06:57:27,072 - Failed to create principal, HTTP/
> >iictyibcls002.nix.infrabel.be.bdmzlo...@nix.infrabel.be - Failed to
> >create service principal for HTTP/
> >iictyibcls002.nix.infrabel.be.bdmzlo...@nix.infrabel.be
> >STDOUT:
> >STDERR: ipa: ERROR: Host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does
> >not have corresponding DNS A/AAAA record
> Make sure DNS server used by IPA master is able to resolve these hosts.
> IPA framework doesn't use /etc/hosts but rather asks DNS server to
> resolve the hostnames. If it gets an error, it means your DNS setup
> isn't valid. If you run DNS component of FreeIPA and actual DNS server
> for the bdmzlocal zone is different, create a forwarder.
>
> --
> / Alexander Bokovoy
>
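The check Alexander describes, as an added example that is not from the thread: the IPA master must get an A/AAAA record for the host from its DNS server, and a name that only resolves via /etc/hosts will still fail `ipa host-add`. The hostnames are the thread's; the DNS server address, forwarder address and the function names are assumptions for illustration, and the live path needs `dig` installed.

```python
import socket
import subprocess


def libc_lookup(name):
    """Resolve like an ordinary client: consults /etc/hosts as well as DNS."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def dns_lookup(args, server):
    """Query one DNS server directly with dig, which is what IPA effectively does."""
    cmd = ["dig", "+short", "@" + server] + list(args)
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return [line for line in proc.stdout.splitlines() if line]


def diagnose(hostname, libc_addrs, dns_addrs, ptr_names):
    """Classify the three lookup results the way the ipa host-add error would."""
    fqdn = hostname.rstrip(".") + "."  # dig prints PTR targets with a trailing dot
    if not dns_addrs:
        # Resolvable only through /etc/hosts is exactly the trap in the thread.
        return "hosts-only" if libc_addrs else "unresolvable"
    if fqdn not in ptr_names:
        return "missing-ptr"
    return "ok"


def remedy(status, zone, forwarder):
    """Suggested next step; the forwarder command is FreeIPA's own CLI."""
    if status in ("hosts-only", "unresolvable"):
        return (f"ipa dnsforwardzone-add {zone} --forwarder={forwarder} "
                "--forward-policy=only")
    if status == "missing-ptr":
        return f"add a PTR record for the host in the reverse zone of {zone}"
    return "ipa host-add should now succeed"


def check_host(hostname, ip, dns_server, zone, forwarder):
    """Full pre-flight run against live resolvers (needs dig and network)."""
    status = diagnose(hostname, libc_lookup(hostname),
                      dns_lookup([hostname, "A"], dns_server),
                      dns_lookup(["-x", ip], dns_server))
    return status, remedy(status, zone, forwarder)


if __name__ == "__main__":
    # 172.16.0.53 is a constructed placeholder for the DNS server of the private zone.
    print(check_host("iictyibcls002.nix.infrabel.be.bdmzlocal", "172.16.2.2",
                     "10.0.0.1", "bdmzlocal", "172.16.0.53"))
```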
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org