On Tue, Aug 15, 2017 at 10:05:50PM -0400, Alexandre Pitre wrote:
> Hi Alexander,
> You're correct, turns out I wasn't using the correct domain for the
> --domain parameter. I thought I was. Here's the command I used.
> ipa-client-install -U -p admin -w Passw0rd! --enable-dns-updates --mkhomedir
>  --domain=ipa.ad.com --realm=IPA.AD.COM --no-ntp --debug
> All of my client hostnames are set as "hostname.domain.ad.com"; I didn't
> know that in itself was enough of a requirement to join them to
> FreeIPA. Of course, given that the domain is also present in freeipa and
> the AD trust has been established AFTER the domain was added to freeipa.
> I haven't tested yet without the realm parameter. Is it possible that I
> don't need the --domain or --realm parameters? Does that require the creation
> of *_ldap._tcp.* SRV records in the domain.ad.com DNS zone?
> Taken from the man page:
> *When the client machine hostname is not in a subdomain of an IPA server,
> its domain can be passed with --domain
> <https://www.mankier.com/1/ipa-client-install#--domain> option. In that
> case, both SSSD and Kerberos components have the domain set in the
> configuration files and will use it to autodiscover IPA servers.*
> That line misdirected me, not sure if that's my interpretation.
> Documentation could benefit from being clearer and having examples.

Since you had to deal with this kind of setup from a user perspective,
would you mind proposing a better wording?

> Setting krb5_auth_timeout to 120 seconds is also required in my environment,
> as we're dealing with AD DCs spread all over the globe. To make Kerberos
> negotiation faster, I assume I could specify my AD.COM realm in
> /etc/krb5.conf with my local site AD DC?

Yes, currently this is needed. Using the 'site affinity' on the clients
is on the roadmap, but not implemented yet.
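The two settings discussed above (the SSSD timeout and pinning the AD realm to a local DC), written out as an added illustration that is not from this thread; the DC hostname dc1.emea.ad.com and the site name are assumptions, and the IPA realm entries that ipa-client-install already writes are left untouched:

```ini
# /etc/sssd/sssd.conf (added example; the rest of the domain section is
# what ipa-client-install generated)
[domain/ipa.ad.com]
# default is 6 seconds; raised because the DCs of the trusted AD forest
# answering the client may be on another continent
krb5_auth_timeout = 120

# /etc/krb5.conf (added example; only the pinned AD realm is shown)
[realms]
 AD.COM = {
  # assumption: dc1.emea.ad.com is the AD DC in the client's own site.
  # With a kdc listed here, libkrb5 does not fall back to the DNS SRV
  # lookup for this realm, so the nearby DC is always tried first.
  kdc = dc1.emea.ad.com
 }

[domain_realm]
 # hosts under ad.com that are not in the IPA subdomain belong to AD.COM;
 # the more specific .ipa.ad.com = IPA.AD.COM mapping from ipa-client-install
 # still wins for IPA hosts
 .ad.com = AD.COM
 ad.com = AD.COM
```

Because the pinned entry disables SRV discovery for AD.COM on this client, list a second DC (another kdc line) if the site has one, so a single DC outage does not block AD user logins.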
