On Fri, 15 Sep 2017, Wanderley Teixeira via FreeIPA-users wrote:
> I am running into an issue with FreeIPA and DNS. Perhaps you guys could
> point me to a better realm/domain solution.
>
> - I run a private DNS zone on AWS, called "int.example.com" (with ptr and
> srv, etc)
> - I have 3 master-master-master IPAs called ipa1, ipa2, and ipa3
> - Realm is EXAMPLE.COM
> - Domain is example.com
> - example.com records are hosted in a different service (i.e. hover or
>
> When I try to install a client I get:
>
> Discovery was successful!
> Client hostname: ipaclient.int.example.com
> DNS Domain: example.com
> IPA Server: ipa2.int.example.com
> BaseDN: dc=example,dc=com
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> trying https://ipa2.int.example.com/ipa/json
> Traceback (most recent call last):
>  File "/sbin/ipa-client-install", line 3128, in <module>
>  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in
>    raise errors.KerberosError(message=unicode(krberr))
> ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure.
> Minor code may provide more information, Minor (2529639066): Cannot find
> KDC for realm "EXAMPLE.COM"
>
> Any idea how I can overcome this issue?
Add SRV records _kerberos._tcp.example.com, _kerberos._udp.example.com
in the external DNS to point to your servers in int.example.com.

> I would like my LDAP basedn to be dc=example,dc=com. I don't want it to
> take the value of dc=int,dc=example,dc=com if I used private domain
> int.example.com instead of example.com
>
> I was thinking of using a private zone just example.com instead of
> int.example.com but I will have issues since my TLD is on an external
> service (i.e. hover.com). In this case, I wouldn't be able to resolve
> test.example.com within the private zone since AWS Route53 wouldn't resolve
> outside the zone. I would need to install a DNS forwarder somewhere else
> and I don't want to manage it.
Your clients will be resolving whatever records the DNS server returns.
External or internal does not matter, since the DNS server does not resolve
those records for you, it just returns their content.

> I can manually install the client and specify the domain and realm fine but
> I am unable to use DNS _srv_ for failover if ipa1 goes down, for example.
> Clients are unable to login with a similar KDC error. And even installing
> is causing issues as the output shows "Cannot find KDC for realm..."
The "cannot find KDC for realm" comes from the fact that it cannot
resolve those SRV records from example.com DNS domain because it
couldn't find any other way to find KDCs. Since this is happening at
install time, you cannot use krb5.conf's means to map DNS domains to
realms and say how to discover KDCs.

So just add the required DNS SRV records. You can get a proper list of them with:

 ipa dns-update-system-records --dry-run

this will show you full list of system records IPA expects to exist. It
is a command that exists in FreeIPA 4.4+, I think.

/ Alexander Bokovoy
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
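An added check (example code, not from the thread or from the FreeIPA project): given the domain and the three servers named above, it lists the SRV records the external example.com zone must carry so that libkrb5 and ipa-client-install can locate the KDCs in int.example.com, parses a BIND-style zone and reports what is missing as paste-ready zone lines. The two services the reply names are _kerberos._tcp and _kerberos._udp; the remaining service names in SRV_SERVICES and the sample zone text are assumptions for the demo, so confirm the real list with `ipa dns-update-system-records --dry-run`.

```python
"""Audit an external DNS zone for the SRV records an IPA client needs.

Added example, not from the thread.  Domain, realm and server names come from
the thread; SAMPLE_ZONE is constructed; service names other than
_kerberos._tcp/_udp are an assumption (standard FreeIPA client records).
"""
import re
from collections import defaultdict

# SRV service -> port.  _kerberos._tcp/_udp are the two named in the reply;
# the rest are assumed from FreeIPA's usual system records.
SRV_SERVICES = {
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
    "_ldap._tcp": 389,
}

DOMAIN = "example.com"
SERVERS = ["ipa1.int.example.com", "ipa2.int.example.com", "ipa3.int.example.com"]


def fqdn(name, origin):
    """Make a zone-file name absolute: '@' is the origin, relative names get it appended."""
    if name == "@":
        return f"{origin}."
    return name if name.endswith(".") else f"{name}.{origin}."


def expected_records(domain, servers):
    """{owner: {(priority, weight, port, target)}} that clients look up under `domain`."""
    targets = {s if s.endswith(".") else f"{s}." for s in servers}
    return {f"{svc}.{domain}.": {(0, 100, port, t) for t in targets}
            for svc, port in SRV_SERVICES.items()}


SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$", re.I)


def parse_zone_srv(zone_text, origin):
    """Collect SRV records from BIND-style zone text in the same shape as expected_records()."""
    found = defaultdict(set)
    last_owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()            # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                                    # blank line or $ORIGIN/$TTL directive
        if line[0].isspace():                           # blank owner field inherits previous owner
            line = f"{last_owner} {line.strip()}"
        last_owner = line.split()[0]
        m = SRV_RE.match(line)
        if not m:
            continue                                    # SOA/NS/A/... are not our concern here
        found[fqdn(m["owner"], origin)].add(
            (int(m["prio"]), int(m["weight"]), int(m["port"]), fqdn(m["target"], origin)))
    return found


def missing_records(expected, found):
    """(owner, record) pairs from `expected` that the zone does not carry."""
    return [(owner, rec) for owner, recs in expected.items()
            for rec in sorted(recs) if rec not in found.get(owner, set())]


def zone_lines(records):
    """Render (owner, record) pairs as zone-file lines to paste into the external DNS."""
    return [f"{owner} IN SRV {p} {w} {port} {target}"
            for owner, (p, w, port, target) in records]


# Constructed sample: the external example.com zone with a partial record set,
# one inherited owner and one target written relative to the origin.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 300
@                    IN SOA  ns1.hover.com. hostmaster.example.com. 2017091501 3600 900 604800 300
@                    IN NS   ns1.hover.com.
_kerberos._tcp       IN SRV  0 100 88  ipa1.int.example.com.
_kerberos._tcp       IN SRV  0 100 88  ipa2.int.example.com.
_ldap._tcp           IN SRV  0 100 389 ipa1.int.example.com.
                     IN SRV  0 100 389 ipa2.int.example.com.   ; owner inherited
_ldap._tcp           IN SRV  0 100 389 ipa3.int                ; relative target
"""


def audit(domain=DOMAIN, servers=SERVERS, zone_text=SAMPLE_ZONE):
    """Return the SRV records the zone lacks for KDC/LDAP discovery."""
    return missing_records(expected_records(domain, servers),
                           parse_zone_srv(zone_text, domain))


if __name__ == "__main__":
    gaps = audit()
    print(f"{len(gaps)} SRV records missing from {DOMAIN}:")
    print("\n".join(zone_lines(gaps)))
```

The records are rendered with absolute owners and targets (trailing dot) so they are unambiguous whatever $ORIGIN the hosting provider applies; the targets deliberately stay in int.example.com, which is exactly what the reply suggests.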