On Tue, Aug 15, 2017 at 10:05:50PM -0400, Alexandre Pitre wrote:
> Hi Alexander,
>
> You're correct, turns out I wasn't using the correct domain for the
> --domain parameter. I thought I was. Here's the command I used.
>
> ipa-client-install -U -p admin -w Passw0rd! --enable-dns-updates --mkhomedir
> --domain=ipa.ad.com --realm=IPA.AD.COM --no-ntp --debug
>
> All of my client hostnames are set as "hostname.domain.ad.com"; I didn't
> know that in itself was enough of a requirement to join them to
> FreeIPA. Of course, given that the domain is also present in FreeIPA and
> the AD trust has been established AFTER the domain was added to FreeIPA.
>
> I haven't tested yet without the realm parameter. Is it possible that I
> don't need the --domain or --realm parameters? Does that require the creation
> of _ldap._tcp. SRV records in the domain.ad.com DNS zone?
>
> Taken from the man page:
>
> When the client machine hostname is not in a subdomain of an IPA server,
> its domain can be passed with --domain
> <https://www.mankier.com/1/ipa-client-install#--domain> option. In that
> case, both SSSD and Kerberos components have the domain set in the
> configuration files and will use it to autodiscover IPA servers.
>
> That line misdirected me, not sure if that's my interpretation.
> Documentation could benefit from being clearer and having examples.

Since you had to deal with this kind of setup from a user perspective,
would you mind proposing a better wording?

> Setting krb5_auth_timeout to 120 seconds is also required in my environment
> as we're dealing with AD DCs spread all over the globe. To make Kerberos
> negotiation faster, I assume I could specify my AD.COM realm in
> /etc/krb5.conf with my local site AD DC?

Yes, currently this is needed. Using the 'site affinity' on the clients is
on the roadmap, but not implemented yet.

_______________________________________________
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
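A pre-flight check for the two questions raised in the thread: whether the client FQDN sits inside the IPA domain (so --domain/--realm can be left out) and whether the SRV records that autodiscovery depends on exist. This is an added example, not part of the thread or of FreeIPA's own tooling; the ipa.ad.com names follow the thread, and the live check assumes dig from bind-utils is installed.

```shell
#!/bin/sh
# Added example: pre-flight check before running ipa-client-install.
# (1) Is the client FQDN inside the IPA domain? Then --domain/--realm are
#     not needed, because SSSD/Kerberos autodiscover from the host's domain.
# (2) Do the _ldap._tcp / _kerberos._udp SRV records exist for that domain?
# Names follow the thread (ipa.ad.com / IPA.AD.COM); adjust for your site.

# Returns 0 when FQDN $1 is in domain $2 or a subdomain of it (case-insensitive).
in_ipa_domain() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$fqdn" in
        *."$dom") return 0 ;;
        *)        return 1 ;;
    esac
}

# Prints the --domain/--realm flags ipa-client-install needs for FQDN $1,
# IPA domain $2 and realm $3; prints nothing when autodiscovery from the
# host's own DNS domain is enough.
needed_flags() {
    if in_ipa_domain "$1" "$2"; then
        printf ''
    else
        printf '%s' "--domain=$2 --realm=$3"
    fi
}

# Counts SRV answers ("prio weight port target.") read from stdin, as printed
# by `dig +short SRV`; an empty or NXDOMAIN answer counts as 0.
count_srv() {
    grep -c -E '^[0-9]+ [0-9]+ [0-9]+ [^ ]+\.?$' || true
}

# Live check of the SRV records for IPA domain $1 (needs dig).
# Returns 1 when autodiscovery would fail, 2 when dig is unavailable.
preflight() {
    dom=$1
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
    n_ldap=$(dig +short SRV "_ldap._tcp.$dom" 2>/dev/null | count_srv)
    n_krb=$(dig +short SRV "_kerberos._udp.$dom" 2>/dev/null | count_srv)
    if [ "$n_ldap" -gt 0 ] && [ "$n_krb" -gt 0 ]; then
        echo "$dom: autodiscovery OK ($n_ldap LDAP, $n_krb Kerberos SRV records)"
        return 0
    fi
    echo "$dom: SRV records missing; fix DNS or pass --server explicitly" >&2
    return 1
}

# Usage: preflight ipa.ad.com; needed_flags "$(hostname -f)" ipa.ad.com IPA.AD.COM
```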