[Freeipa-users] Re: Split domain for IPA and internal machines

[Florence Blanc-Renaud via FreeIPA-users]

On 2/25/20 12:10 AM, Nicholas DeMarco via FreeIPA-users wrote:
I've configured FreeIPA servers in identity.demarcohome.com 
<http://identity.demarcohome.com>, and my internal machines are in 
int.demarcohome.com <http://int.demarcohome.com>.

I added discovery SRV records to the int.demarcohome.com 
<http://int.demarcohome.com>:
_kerberos TXT "IDENTITY.demarcohome.COM <http://IDENTITY.demarcohome.COM>"
_kerberos-master._tcp SRV 0 100 88 ipa1.identity.demarcohome.com 
<http://ipa1.identity.demarcohome.com>.
_kerberos-master._udp SRV 0 100 88 ipa1.identity.demarcohome.com 
<http://ipa1.identity.demarcohome.com>.
_kerberos._tcp SRV 0 100 88 ipa1.identity.demarcohome.com 
<http://ipa1.identity.demarcohome.com>.
_kerberos._udp SRV 0 100 88 ipa1.identity.demarcohome.com 
<http://ipa1.identity.demarcohome.com>.
_kpasswd._udp SRV 0 100 464 ipa1.identity.demarcohome.com 
<http://ipa1.identity.demarcohome.com>.
_ldap._tcp SRV 0 100 389 ipa1.identity.demarcohome.com 
<http://ipa1.identity.demarcohome.com>.

When configuring a client, a few things didn't go well:
2020-02-24T22:51:21Z DEBUG args=['/usr/bin/getent', 'passwd', 
'ndema...@int.demarcohome.com <mailto:ndema...@int.demarcohome.com>']
Hi,
from the above line I assume that ipa-client-install is run with the 
principal "ndemarco" instead of the usual admin user. This should work 
but it looks like the principal is resolved as 
ndema...@int.demarcohome.com instead of ndema...@identity.demarcohome.com.
Could you try with the full principal name:
ipa-client-install [...] --principal ndema...@identity.demarcohome.com ?

flo

2020-02-24T22:51:21Z DEBUG Process finished, return code=2

Also some unexpected [Try 1] blocks in the error log like:
DEBUG Try RPC connection
INFO [try 1]: Forwarding 'ping' to json server 
'https://ipa1.identity.demarcohome.com/ipa/session/json'
DEBUG New HTTP connection (ipa1.identity.demarcohome.com 
<http://ipa1.identity.demarcohome.com>)

My DNS is probably not set up properly yet, but I'm properly worn out 
for the day on this.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org