What is your authoritative DNS?  MS AD?  Are you manually populating the 
records?  My boss wants to eliminate DNS from this equation because he thinks 
we will have to maintain another set of DNS servers.  If FreeIPA is only 
authoritative for its own zone and managing servers within the zone, then we 
should have no issues.  We will need to put forwarders in to talk to Route53.  
But I don't see that as an issue.

    On Tuesday, February 13, 2018 8:25 AM, Andrew Radygin <randr...@gmail.com> 
wrote:
 

 I'm running a FreeIPA 4.5 server with several hundred hosts and dozens of users. 
And it's perfectly fine, especially if you already have another instrument for 
managing DNS.
I haven't experienced any problems from such a setup so far.

2018-02-13 17:10 GMT+03:00 Andrew Meyer via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org>:

Fish the entries?  Can you elaborate on that a bit more?
Since FreeIPA auto-builds TXT records and whatnot for client machines... How 
did you do that?
Or did you not utilize that? 

    On Tuesday, February 13, 2018 2:58 AM, Alex Corcoles via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

 You can, but you need to add the DNS entries that FreeIPA adds to its domain 
to your DNS server.

What I did was install FreeIPA in a test environment and fish the entries from 
there.

On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

I know I have sent in multiple emails, but we are trying to deploy FreeIPA 
correctly.  However I am getting asked to find out some other details.  
Can FreeIPA survive w/o DNS?  We would like to implement FreeIPA and still be 
able to use the SSH, sudo, selinux, LDAP & krb5.  
We are moving to AWS and management is afraid that we will have to maintain 
multiple sets of DNS.  And that if FreeIPA is the focal point for all servers 
and God forbid it crashes, there goes our whole environment.  They would like 
to put the zone in R53 and have that handle ALL the records.  If we do go 
through with not installing DNS w/ FreeIPA will we be shooting ourselves in the 
foot?  
I know that FreeIPA relies heavily on DNS and I have seen multiple 
conversations regarding not to do this, but is this somewhere in the best 
practices?
I found this thread from 2015 but I don't think it applies anymore: 
Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

  

 

The problem is that we have 30 domains that we want to use in R53 and he wants 
to bypass FreeIPA for doing DNS other than for auth and sudo and ldap.  Could 
we put entries in the /etc/hosts file to point to the FreeIPA servers?  I feel 
like this might work and might be more problematic down the line.
Regards,
Andrew
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org





-- 
   ___
 {~._.~}  ( Y )
 ()~*~()  mail: alex at corcoles dot net (_)-(_)  http://alex.corcoles.net/


   





-- 
Best regards, Andrew.
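
The check that the advice above implies (copy FreeIPA's DNS entries into your own DNS server), as an added example that is not part of the thread: it builds the service records FreeIPA clients look up (the SRV set, the `_kerberos` TXT realm record and the `ipa-ca` address) and reports which ones a zone export lacks. The domain, realm, host, address and zone text are constructed, and it assumes every listed server also runs the CA; on a real deployment `ipa dns-update-system-records --dry-run` prints the authoritative list.

```python
# Added example, not from the thread. Domain, realm, host, IP and SAMPLE_ZONE
# are constructed; assumes every listed IPA server also runs the CA.
SRV_PORTS = {"_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88,
             "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
             "_kpasswd._tcp": 464, "_kpasswd._udp": 464}

def required_records(domain, realm, servers):
    """Records IPA clients look up; servers maps server FQDN -> IPv4 address."""
    want = {(f"_kerberos.{domain}.", "TXT", realm)}        # realm discovery
    for host, ip in servers.items():
        for label, port in SRV_PORTS.items():
            want.add((f"{label}.{domain}.", "SRV", f"{port} {host.lower()}."))
        want.add((f"ipa-ca.{domain}.", "A", ip))            # CA alias
    return want

def parse_zone(text):
    """Parse 'name ttl IN type rdata' lines, as in dig output or a zone export."""
    have = set()
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[0].startswith(";") or parts[2].upper() != "IN":
            continue
        name, rtype, rdata = parts[0].lower(), parts[3].upper(), parts[4].strip()
        if rtype == "SRV" and len(rdata.split()) == 4:
            _prio, _weight, port, target = rdata.split()  # priority and weight
            rdata = f"{port} {target.lower()}"            # are site policy
        elif rtype == "TXT":
            rdata = rdata.strip('"')    # realm is case-sensitive, keep its case
        have.add((name, rtype, rdata))
    return have

def missing_records(domain, realm, servers, zone_text):
    """Sorted list of required records that the zone text does not contain."""
    want = required_records(domain.lower(), realm, servers)
    return sorted(want - parse_zone(zone_text))

SAMPLE_ZONE = """\
_ldap._tcp.ipa.example.test. 300 IN SRV 0 100 389 ipa1.ipa.example.test.
_kerberos._tcp.ipa.example.test. 300 IN SRV 0 100 88 ipa1.ipa.example.test.
_kerberos._udp.ipa.example.test. 300 IN SRV 10 50 88 IPA1.ipa.example.test.
_kerberos-master._tcp.ipa.example.test. 300 IN SRV 0 100 88 ipa1.ipa.example.test.
_kerberos-master._udp.ipa.example.test. 300 IN SRV 0 100 88 ipa1.ipa.example.test.
_kpasswd._tcp.ipa.example.test. 300 IN SRV 0 100 464 ipa1.ipa.example.test.
_kerberos.ipa.example.test. 300 IN TXT "ipa.example.test"
"""

if __name__ == "__main__":
    for rec in missing_records("ipa.example.test", "IPA.EXAMPLE.TEST",
                               {"ipa1.ipa.example.test": "192.0.2.10"}, SAMPLE_ZONE):
        print("MISSING", *rec)
```

On the sample zone this flags the lower-cased realm in the `_kerberos` TXT record as well as the absent `_kpasswd._udp` and `ipa-ca` entries, the kind of gap that shows up later as failed realm discovery or password changes.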

   