Thank you, that will help.  I don't want to have to go down that road but it's 
looking more and more like I will have to.

    On Tuesday, February 13, 2018 8:34 AM, Alexander Bokovoy via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
 

On Tue, 13 Feb 2018, Andrew Meyer via FreeIPA-users wrote:
>Fish the entries?  Can you elaborate on that a bit more?
>Since FreeIPA auto-builds txt records and what not for client
>machines...How did you do that?  Or did you not utilize that?
When you install an IPA master without the integrated DNS server, the IPA installer
generates a sample DNS zone for your own domain and puts it into a
temporary file in /tmp. The name of the file is displayed in the console
output; it looks like /tmp/ipa.system.records.*.db

You can re-generate the same file with the following sequence:

- as root on IPA master run
  ipa -e in_server=True console

  this will open a special IPA console where you can use the Python API
  directly. Note that this operation does not require a Kerberos ticket
  and does not communicate with the IPA framework; instead, it talks directly
  to IPA LDAP over a local interface as cn=Directory Manager, so
  be careful what you do there.

- within the console, enter the following (>>> indicates where to enter):
>>> from ipaserver.install import bindinstance
>>> bind = bindinstance.BindInstance(api=api)
>>> bind.create_file_with_system_records()

- exit console with ctrl-D

You'd get something like this in your terminal:

[root@master ~]# ipa -e in_server=True console 
(Custom IPA interactive Python console)
>>> from ipaserver.install import bindinstance
>>> bind = bindinstance.BindInstance(api=api)
>>> bind.create_file_with_system_records()
Please add records in this file to your DNS system: 
/tmp/ipa.system.records.c3fq4oa1.db
>>> (pressed ctrl-D here)
now exiting InteractiveConsole...

[root@master ~]# cat /tmp/ipa.system.records.c3fq4oa1.db
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
_kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 master.example.com.
_kpasswd._udp.example.com. 86400 IN SRV 0 100 464 master.example.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ldap._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ntp._udp.example.com. 86400 IN SRV 0 100 123 master.example.com.
ipa-ca.example.com. 86400 IN A SOME-IPv4-ADDRESS


>
>    On Tuesday, February 13, 2018 2:58 AM, Alex Corcoles via FreeIPA-users 
><freeipa-users@lists.fedorahosted.org> wrote:
>
>
> You can, but you need to add the DNS entries that FreeIPA adds to its domain 
> to your DNS server.
>
>What I did was install FreeIPA in a test environment and fish the entries from 
>there.
>
>On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users 
><freeipa-users@lists.fedorahosted.org> wrote:
>
>I know I have sent in multiple emails, but we are trying to deploy FreeIPA 
>correctly.  However I am getting asked to find out some other details.  
>Can FreeIPA survive w/o DNS?  We would like to implement FreeIPA and still be 
>able to use the SSH, sudo, selinux, LDAP & krb5.  
>We are moving to AWS and management is afraid that we will have to maintain 
>multiple sets of DNS.  And that if FreeIPA is the focal point for all servers 
>and god for bid it crashes, there goes our whole environment.  They would like 
>to put the zone in R53 and have that handle ALL the records.  If we do go 
>through with not installing DNS w/ FreeIPA will we be shooting ourselves in 
>the foot?  
>I know that FreeIPA relies heavily on DNS and I have seen multiple 
>conversations regarding not to do this, but is this somewhere in the best 
>practices?
>I found this thread from 2015 but I don't think it applies anymore: Re: 
>[Freeipa-users] Can freeIPA work without Kerberos and DNS
>
>
>The problem is that we have 30 domains that we want to use in R53 and he wants 
>to bypass FreeIPA for doing DNS other than for auth and sudo and ldap.  Could 
>we put entries in the /etc/hosts file to point to the FreeIPA servers?  I feel 
>like this might work and might be more problematic down the line.
>Regards,
>Andrew
>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>
>
>
>
>
>-- 
>   ___
> {~._.~}  ( Y )
> ()~*~()  mail: alex at corcoles dot net (_)-(_)  http://alex.corcoles.net/



-- 
/ Alexander Bokovoy
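Once the records file exists, the remaining step in this thread is to load it into the external DNS (Route 53 in Andrew's case). The following is an added example, not code from the thread or from FreeIPA itself: stdlib-only Python that parses the `ipa.system.records.*.db` line format shown above into a Route 53 change batch, merging the per-server SRV lines for one service into a single multi-value record set (Route 53 refuses duplicate name/type sets). The sample lines and the 192.0.2.10 address are constructed; the real file has one record per line (the wrapping in the mail is display wrapping).

```python
import json
from collections import OrderedDict

# Constructed sample in the format of /tmp/ipa.system.records.*.db; the
# address 192.0.2.10 is a documentation-range placeholder, not a real host.
SAMPLE_RECORDS = """\
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 replica.example.com.
_kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 master.example.com.
ipa-ca.example.com. 86400 IN A 192.0.2.10
"""


def parse_zone_lines(text):
    """Parse 'owner ttl IN type rdata' lines into (owner, ttl, type, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, klass, rtype, rdata = line.split(None, 4)
        if klass != "IN":
            raise ValueError("unexpected class in: %s" % line)
        records.append((owner, int(ttl), rtype, rdata))
    return records


def route53_change_batch(records, action="UPSERT"):
    """Group records by (owner, type): Route 53 wants one record set per pair,
    so the SRV lines for each IPA server become one multi-value set."""
    sets = OrderedDict()
    for owner, ttl, rtype, rdata in records:
        rrset = sets.setdefault((owner, rtype), {
            "Name": owner, "Type": rtype, "TTL": ttl, "ResourceRecords": []})
        if rrset["TTL"] != ttl:
            raise ValueError("conflicting TTLs for %s %s" % (owner, rtype))
        # SRV rdata 'prio weight port target' and quoted TXT are already in
        # the form Route 53 expects, so the value is passed through unchanged.
        rrset["ResourceRecords"].append({"Value": rdata})
    changes = [{"Action": action, "ResourceRecordSet": s} for s in sets.values()]
    return {"Comment": "FreeIPA system records", "Changes": changes}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RECORDS
    print(json.dumps(route53_change_batch(parse_zone_lines(text)), indent=2))
```

Review the generated JSON before applying it with `aws route53 change-resource-record-sets --hosted-zone-id <ZONE_ID> --change-batch file://batch.json`, since the SRV targets and the `_kerberos` TXT realm are taken verbatim from the file and every enrolled client will trust them.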