Thank you, that will help. I don't want to have to go down that road but it's looking more and more like I will have to.

On Tuesday, February 13, 2018 8:34 AM, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

On Tue, 13 Feb 2018, Andrew Meyer via FreeIPA-users wrote:
> Fish the entries? Can you elaborate on that a bit more?
> Since FreeIPA auto-builds txt records and what not for client
> machines... How did you do that? Or did you not utilize that?

When you install an IPA master without the integrated DNS server, the IPA
installer will generate a sample DNS zone for your own domain and put it
into a temporary file in /tmp. The name of the file is displayed in the
console output; it looks like /tmp/ipa.system.records.*.db

You can re-generate the same file with the following sequence:

- as root on the IPA master run

      ipa -e in_server=True console

  This will open a special IPA console where you can use the Python API
  directly. Note that this operation does not require a Kerberos ticket
  and does not communicate with the IPA framework; instead, it talks
  directly to IPA LDAP over a local interface as cn=Directory Manager,
  so be careful what you do there.

- within the console, enter the following (>>> indicates where to enter):

      >>> from ipaserver.install import bindinstance
      >>> bind = bindinstance.BindInstance(api=api)
      >>> bind.create_file_with_system_records()

- exit the console with ctrl-D

You'd get something like this in your terminal:

    [root@master ~]# ipa -e in_server=True console
    (Custom IPA interactive Python console)
    >>> from ipaserver.install import bindinstance
    >>> bind = bindinstance.BindInstance(api=api)
    >>> bind.create_file_with_system_records()
    Please add records in this file to your DNS system: /tmp/ipa.system.records.c3fq4oa1.db
    >>> (pressed ctrl-D here)
    now exiting InteractiveConsole...
    [root@master ~]# cat /tmp/ipa.system.records.c3fq4oa1.db
    _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
    _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
    _kerberos._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
    _kerberos._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
    _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
    _kerberos._udp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
    _kerberos._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
    _kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
    _kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 master.example.com.
    _kpasswd._udp.example.com. 86400 IN SRV 0 100 464 master.example.com.
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 389 master.example.com.
    _ldap._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 389 master.example.com.
    _ldap._tcp.example.com. 86400 IN SRV 0 100 389 master.example.com.
    _ntp._udp.example.com. 86400 IN SRV 0 100 123 master.example.com.
    ipa-ca.example.com. 86400 IN A SOME-IPv4-ADDRESS

>
> On Tuesday, February 13, 2018 2:58 AM, Alex Corcoles via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> You can, but you need to add the DNS entries that FreeIPA adds to its
> domain to your DNS server.
>
> What I did was install FreeIPA in a test environment and fish the entries
> from there.
>
> On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> I know I have sent in multiple emails, but we are trying to deploy FreeIPA
> correctly. However I am getting asked to find out some other details.
>
> Can FreeIPA survive w/o DNS? We would like to implement FreeIPA and still
> be able to use SSH, sudo, selinux, LDAP & krb5.
>
> We are moving to AWS and management is afraid that we will have to
> maintain multiple sets of DNS. And that if FreeIPA is the focal point for
> all servers and god forbid it crashes, there goes our whole environment.
> They would like to put the zone in R53 and have that handle ALL the
> records. If we do go through with not installing DNS w/ FreeIPA will we be
> shooting ourselves in the foot?
>
> I know that FreeIPA relies heavily on DNS and I have seen multiple
> conversations regarding not to do this, but is this somewhere in the best
> practices?
>
> I found this thread from 2015 but I don't think it applies anymore:
> Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
>
> The problem is that we have 30 domains that we want to use in R53 and he
> wants to bypass FreeIPA for doing DNS other than for auth and sudo and
> ldap. Could we put entries in the /etc/hosts file to point to the FreeIPA
> servers? I feel like this might work and might be more problematic down
> the line.
>
> Regards,
> Andrew
>
> --
>  ___
> {~._.~}
>  ( Y )
> ()~*~()   mail: alex at corcoles dot net
> (_)-(_)   http://alex.corcoles.net/

--
/ Alexander Bokovoy

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
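The thread ends with the records file Alexander shows how to regenerate and with Andrew's plan to keep the zone in Route 53. As an added example that is not part of the thread and not FreeIPA's or AWS's own code, the script below parses a file in the `ipa.system.records.*.db` format quoted above, flags the things that commonly go wrong when the records are copied by hand (the `SOME-IPv4-ADDRESS` placeholder the installer leaves in the `ipa-ca` A record, unquoted TXT data, SRV targets that are not fully qualified), and turns the records into a Route 53 change batch. The sample zone text is constructed; it uses a subset of the records from the thread plus one extra `_kerberos._tcp` SRV record pointing at a hypothetical `replica.example.com.` to show why records must be grouped: Route 53 keeps one record set per name and type, so two SRV records with the same name become one set with two values rather than two conflicting UPSERTs.

```python
"""Turn FreeIPA's /tmp/ipa.system.records.*.db output into a Route 53 change
batch, after checking the records for the usual copy-and-paste mistakes."""
import json
import re
from collections import OrderedDict

# Constructed sample in the installer's "name ttl IN type rdata" format.
# The second _kerberos._tcp line (replica.example.com.) is made up to show
# grouping; the A record still carries the installer's address placeholder.
SAMPLE_ZONE_FILE = """\
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 replica.example.com.
_kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
_kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 master.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 master.example.com.
ipa-ca.example.com. 86400 IN A SOME-IPv4-ADDRESS
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
IPV4_RE = re.compile(r"^(\d{1,3})(\.\d{1,3}){3}$")


def parse_zone_lines(text):
    """Return (name, ttl, rtype, rdata) tuples, one per record line.
    Blank lines and ';' comments are skipped; any other line that does not
    match the expected shape raises, so a mangled record is not silently lost."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError("line %d is not a record: %r" % (lineno, raw))
        name, ttl, rtype, rdata = m.groups()
        records.append((name, int(ttl), rtype.upper(), rdata.strip()))
    return records


def find_problems(records):
    """Checks worth running before the records reach a production zone."""
    problems = []
    for name, ttl, rtype, rdata in records:
        if rtype == "A" and not IPV4_RE.match(rdata):
            problems.append("%s: A value %r is not an IPv4 address; replace "
                            "the installer placeholder" % (name, rdata))
        elif rtype == "SRV":
            fields = rdata.split()
            if len(fields) != 4 or not all(f.isdigit() for f in fields[:3]):
                problems.append("%s: malformed SRV data %r" % (name, rdata))
            elif not fields[3].endswith("."):
                problems.append("%s: SRV target %r is not fully qualified; "
                                "it would be expanded relative to the zone"
                                % (name, fields[3]))
        elif rtype == "TXT" and not (rdata.startswith('"') and rdata.endswith('"')):
            problems.append("%s: TXT value %r must be quoted" % (name, rdata))
    return problems


def to_route53_change_batch(records, action="UPSERT",
                            comment="FreeIPA system records"):
    """Group by (name, type) into one ResourceRecordSet each, which is the
    shape 'aws route53 change-resource-record-sets --change-batch' expects."""
    sets = OrderedDict()
    for name, ttl, rtype, rdata in records:
        entry = sets.setdefault((name, rtype), {"ttl": ttl, "values": []})
        entry["ttl"] = min(entry["ttl"], ttl)   # one TTL per set in Route 53
        if rdata not in entry["values"]:
            entry["values"].append(rdata)
    changes = []
    for (name, rtype), entry in sets.items():
        changes.append({
            "Action": action,
            "ResourceRecordSet": {
                "Name": name,
                "Type": rtype,
                "TTL": entry["ttl"],
                "ResourceRecords": [{"Value": v} for v in entry["values"]],
            },
        })
    return {"Comment": comment, "Changes": changes}


if __name__ == "__main__":
    recs = parse_zone_lines(SAMPLE_ZONE_FILE)
    for problem in find_problems(recs):
        print("WARNING:", problem)
    print(json.dumps(to_route53_change_batch(recs), indent=2))
```

Run against the real file, fix every warning first (the `ipa-ca` address must be the one clients should reach the CA on), then feed the JSON to `aws route53 change-resource-record-sets --hosted-zone-id <ZONE-ID> --change-batch file://changes.json` for the hosted zone that serves the IPA domain. Using UPSERT means re-running the script after adding a replica replaces each record set with the full current list of targets rather than appending duplicates.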