On Tue, 11 Jul 2017, Pieter Baele wrote:
> Hi Alexander,
>
> That's what bothered me. All DNS zones are on IPA. So why the error....
>
> Forwarding is only for other domains, and the private 172.x addresses are
> only necessary on the IPA-joined hosts.
>
> (However, what they call a multi-homed network design in Hadoop also
> complicates other things considerably from a management perspective,
> so probably I can't easily separate what may be kept internal from the
> client communication this way, so I will need to use a design with one
> network anyway.)
Check named logs to see whether there are issues with those queries.
Check with 'dig' on the IPA master that it is indeed capable of resolving
hostnames from that zone.

> thx
> --
> Pieter

> On Tue, Jul 11, 2017 at 8:38 AM Alexander Bokovoy <aboko...@redhat.com>
> wrote:
>
>> On Tue, 11 Jul 2017, Pieter Baele via FreeIPA-users wrote:
>>> Hi,
>>>
>>> Is there a correct way to set up a public/private design using IPA for
>>> Kerberos?
>>> I am currently implementing Kerberos for our Hadoop cluster.
>>>
>>> For communication between nodes, I use RFC 1918 addresses.
>>> This works properly, but adds complexity for FreeIPA.
>>>
>>> Hosts have a public interface which they use for IPA.
>>> Ex. host/iictyibmls003.nix.infrabel...@nix.infrabel.be (a 10.x.x.x IP)
>>>
>>> For the private 172.16.x.x IPs, I made DNS zones (+reverse) as well;
>>> Hadoop uses DNS a lot.
>>> (.local, in this case adapted to the location)
>>> Ex. iictyibcls002.nix.infrabel.be.bdmzlocal. resolves to 172.16.2.2
>>>
>>> The problem: Hadoop now wants to create Kerberos service principals for
>>> the .local domain....
>>> I have searched on the mailing list and other resources, but I am not sure
>>> what the proper 'IPA way' is.
>>>
>>> Adding a principal alias does not work (as I expected) --> STDERR: ipa:
>>> ERROR: The host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not exist to
>>> add a service to.
>>> And if I try to add a host first, using correct DNS records (A and PTR),
>>> this still results in
>>>
>>> 2017-07-11 06:57:27,072 - Failed to create principal, HTTP/
>>> iictyibcls002.nix.infrabel.be.bdmzlo...@nix.infrabel.be - Failed to create
>>> service principal for HTTP/
>>> iictyibcls002.nix.infrabel.be.bdmzlo...@nix.infrabel.be
>>> STDOUT:
>>> STDERR: ipa: ERROR: Host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not
>>> have corresponding DNS A/AAAA record
>> Make sure the DNS server used by the IPA master is able to resolve these hosts.
>> The IPA framework doesn't use /etc/hosts but rather asks the DNS server to
>> resolve the hostnames. If it gets an error, it means your DNS setup
>> isn't valid. If you run the DNS component of FreeIPA and the actual DNS server
>> for the bdmzlocal zone is different, create a forwarder.
>>
>> --
>> / Alexander Bokovoy


--
/ Alexander Bokovoy
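The advice in this thread (check on the IPA master, against the DNS server IPA itself queries and not /etc/hosts, that the host has an A/AAAA record, and check the reverse zone while you are at it) can be scripted as a pre-flight check to run before `ipa host-add` / `ipa service-add`. The script below is an added example and is neither code from the thread nor part of FreeIPA. It speaks raw DNS over UDP to a nameserver you name explicitly, so /etc/hosts and nsswitch.conf are bypassed the way the IPA framework bypasses them; it verifies the transaction ID of each reply so a stale or spoofed answer is not mistaken for the server's; and it reports NXDOMAIN separately from an empty answer. `CONSTRUCTED_ZONE` and `fake_send` are assumptions that exist only so the script runs offline; the hostname and 172.16.2.2 are taken from the thread, the zone content is made up.

```python
# Pre-flight DNS check for `ipa host-add` / `ipa service-add`. Added example, not
# FreeIPA code: it asks the nameserver directly over UDP, bypassing /etc/hosts.
import ipaddress
import random
import socket
import struct
import sys

QTYPE = {"A": 1, "AAAA": 28, "PTR": 12}

def encode_name(name):
    """Dotted name -> wire-format length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def decode_name(data, offset):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: remember where we were
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset if end is None else end

def build_query(name, qtype, txid):  # one question, recursion desired (0x0100)
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name)
            + struct.pack("!HH", QTYPE[qtype], 1))

def parse_response(data):
    """Return (txid, rcode, [(owner, rtype, rdata_text), ...]) from the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset, answers = 12, []
    for _ in range(qd):  # skip the echoed question(s)
        offset = decode_name(data, offset)[1] + 4
    for _ in range(an):
        owner, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype in (1, 28):  # A / AAAA: ipaddress accepts packed bytes
            text = str(ipaddress.ip_address(rdata))
        else:  # PTR / CNAME carry a name, possibly compressed; anything else as hex
            text = decode_name(data, offset)[0] if rtype in (5, 12) else rdata.hex()
        answers.append((owner, rtype, text))
        offset += rdlen
    return txid, flags & 0xF, answers

def udp_query(server, packet):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(packet, (server, 53))
        return s.recvfrom(4096)[0]

def resolve(server, name, qtype, send=udp_query):
    """Query one type; return (rcode, [rdata...]). rcode 3 is NXDOMAIN."""
    txid = random.randrange(65536)
    rtxid, rcode, answers = parse_response(send(server, build_query(name, qtype, txid)))
    if rtxid != txid:
        raise ValueError("transaction ID mismatch: stale or spoofed reply")
    return rcode, [rd for _, rtype, rd in answers if rtype == QTYPE[qtype]]

def precheck(host, server, send=udp_query):
    """The check behind the thread's error: A/AAAA at the server IPA uses; PTRs
    are reported too because krb5 rdns canonicalisation is a common second trap."""
    report = {"host": host, "rcode": {}, "A": [], "AAAA": [], "PTR": {}}
    for qt in ("A", "AAAA"):
        report["rcode"][qt], report[qt] = resolve(server, host, qt, send)
    for ip in report["A"] + report["AAAA"]:
        rev = ipaddress.ip_address(ip).reverse_pointer + "."
        report["PTR"][ip] = resolve(server, rev, "PTR", send)[1]
    report["ok"] = bool(report["A"] or report["AAAA"])
    return report

# Constructed stand-in for the IPA master's resolver so the script runs offline;
# name and 172.16.2.2 come from the thread, the zone itself is made up.
CONSTRUCTED_ZONE = {
    ("iictyibcls002.nix.infrabel.be.bdmzlocal.", "A"): ["172.16.2.2"],
    ("2.2.16.172.in-addr.arpa.", "PTR"): ["iictyibcls002.nix.infrabel.be.bdmzlocal."],
}

def fake_send(server, packet):  # answers from CONSTRUCTED_ZONE, echoing txid + question
    txid = struct.unpack("!H", packet[:2])[0]
    qname, end = decode_name(packet, 12)
    qtype = struct.unpack("!H", packet[end:end + 2])[0]
    qt = {v: k for k, v in QTYPE.items()}[qtype]
    question = packet[12:end + 4]
    rrs = CONSTRUCTED_ZONE.get((qname, qt))
    if rrs is None:  # unknown name -> NXDOMAIN (3); known name, no such type -> NODATA
        rcode = 0 if any(k[0] == qname for k in CONSTRUCTED_ZONE) else 3
        return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0) + question
    body = b""
    for rd in rrs:
        rdata = encode_name(rd) if qt == "PTR" else ipaddress.ip_address(rd).packed
        body += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0) + question + body

if __name__ == "__main__":  # usage: precheck.py HOST NAMESERVER; no args = offline demo
    args = sys.argv[1:] or ["iictyibcls002.nix.infrabel.be.bdmzlocal", "constructed"]
    print(precheck(args[0], args[1], udp_query if sys.argv[1:] else fake_send))
```

Run it on the IPA master as `python3 precheck.py iictyibcls002.nix.infrabel.be.bdmzlocal 127.0.0.1` (with integrated DNS the master normally resolves against itself; otherwise use the address from the master's /etc/resolv.conf). An `rcode` of 3 for A means the name is absent from the zone the server is authoritative for, or the server has no forwarder for that zone; an `rcode` of 0 with empty `A` and `AAAA` means the name exists but has no address record. If the script succeeds against one server while `ipa host-add` still fails, the master is using a different resolver than the one you tested, which is the forwarder case in the reply above.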
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org