Oh, thank you - well, for the first problem, that sssd was not working:
it's solved. Logging into a text TTY showed that the password had to be
changed, which seemed not to work on SDDM login (SDDM hung). After
changing the password I was successfully able to log in and get Kerberos
tickets - great, and thank you all, so I know it would basically work.
As to the other aspects: it seems that I do not understand how to set up
hostname + domain name + DNS the right way for me.
Maybe you can give practical advice, then I will set up FreeIPA from
scratch. My constellation is:
example.com is a hosted domain that is ours, having its own DNS server
and some website at our hoster.
FreeIPA will be some individual host, maybe ipa.example.com at another
fixed IPv4 address (they don't have IPv6). This host is a Linux rootless Docker.
It could also be something else at *.example.com.
My hope was that giving clients.ipa.example.com a space for all hosts
and users in the FreeIPA domain would avoid messing with the DNS at example.com,
whose DNS zone I can only edit manually.
So what would be the right setup to not mix IPA DNS and hosted DNS?
Just avoid setting a domain at ipa-server-install and use hostname
ipa.example.com + domain example.com?
Or maybe use ipa.clients.example.com as hostname and clients.example.com
as domain name?
Sorry for asking, but I did not get the right setup with that
constellation even after reading the docs and the explanations, while I
get confused with our hoster's setup.
By the way, I set DNS at my hoster like "ipa dns-update-system-records
--dry-run" told me; that's OK, but I cannot add every newly installed
client there, especially if the clients' IPs will change randomly. Would
this work to have FreeIPA DNS at ipa.example.com?
--
Kind regards
Daniel Pätzold
Consultant
M +49 151 51705386
[email protected]
Penta Energy GmbH, Wildganssteig 32a, 13503 Berlin
HRB Nr. 228730 B | Managing Director: Dr. Stefan Reuter
On 12.09.24 at 12:56, Alexander Bokovoy wrote:
On Thu, 12 Sep 2024, Daniel Pätzold via FreeIPA-users wrote:
Hi, I am using the docker image freeipa/freeipa-server:almalinux-9
and did use this docker-compose.yml:
...
hostname: ipa.example.com
environment:
  IPA_SERVER_HOSTNAME: ipa.example.com
  TZ: "Europe/Berlin"
  PASSWORD: 'XXX'
  # DEBUG_NO_EXIT: 1
command:
  - -U
  - --domain=clients.ipa.example.com
  # Must match the last part of the domain name and must be upper case and
  # routed to the domain
  - --realm=EXAMPLE.COM
This is a mistake: you should keep the realm and the primary domain the
same. Do not deviate from this rule.
Another mistake is that you are trying to use an IPA server hostname
equal to the domain name: ipa.example.com, while clearly there is going
to be a domain clients.ipa.example.com, so ipa.example.com is a domain
zone.
The IPA server installer derives --domain from the hostname if unspecified
(e.g. ipa.example.com -> example.com -> base DN will be
dc=example,dc=com). It also prevents having a hostname equal to the DNS
domain.
But if --domain was specified, it will use that value to generate the base DN
(dc=clients,dc=ipa,dc=example,dc=com). The problem is that all the rest
of the code expects the realm to be equal to the primary domain and thus the
base DN to be dc=example,dc=com.
If you want to deploy in clients.ipa.example.com but still use
EXAMPLE.COM, don't specify a --domain other than example.com. Create the
initial server in a DNS zone that is accessible prior to installation, or
that will be directly created during installation if installing with
integrated DNS. Make sure that the DNS domain which is equal to the
Kerberos realm is owned by you (or created by the integrated DNS).
The integrated DNS case (--setup-dns) is important to understand because you
are deploying a DNS zone for the --domain value here. The IPA installer will not
create any other DNS zone inside this new DNS zone, and it will not
create a DNS zone for the hostname of the IPA server if it is outside of the
primary DNS domain either. The DNS zone equal to the Kerberos realm must have
corresponding DNS records pointing to IPA servers. If not using
integrated DNS, a sample zone file will be generated.
In general:
- DNS zones will have to exist prior to deployment or are expected to be
created during the deployment. However, only the DNS zone for
the primary domain will be created by the IPA installer. (Reverse zones
are a different story, but that is not relevant here.)
- There is a direct relationship between the primary domain (specified with
--domain), the Kerberos realm (--realm), and the LDAP base DN. The primary IPA
domain must always be equal to the IPA Kerberos realm. The DNS zone for the
primary domain must be owned by the IPA deployment in the sense that no
other Kerberos realm would be using it, and DNS records for the IPA
Kerberos realm should be present in it.
- If you want to deploy IPA clients outside of the primary IPA DNS
domain, it is enough to specify --domain <primary IPA domain> to
allow autodiscovery, regardless of the DNS domain used. The man page for
ipa-client-install has a lot of details about that.
- If you want to deploy IPA replicas outside of the primary IPA DNS
domain, make sure to use the proper --domain for the primary domain, not
the DNS domain of the replica.
Most of these details are already described at
https://www.freeipa.org/page/Deployment_Recommendations
  - --http-pin=XXX
  - --dirsrv-pin=XXX
  - --setup-dns
  # - --no-host-dns
  # Both passwords will be taken from env PASSWORD:
  # - --ds-password=SOMEThinK
  # - --admin-password=SOMEThinK
  # NTP - not needed, this is the server whose time is taken from
  # /etc/localtime, see volumes
  # This server also has a chrony daemon running here to sync time
  - --no-ntp
  # - --ntp-server=172.0.0.11
  - --auto-forwarders
  # - --forwarder=192.168.178.1
  # Error: Unable to determine the amount of available RAM
  - --skip-mem-check
...
where ipa-server-install is called with the arguments of "command:".
The DNS is set up right:
DNS Resource Records: clients.ipa.example.com.
...
The service is set up to be on the hostname: Service:
DNS/[email protected]
But for LDAP I cannot see resources, only the service in FreeIPA:
Service: ldap/[email protected]
Using a browser (jxplorer) to access LDAP, connecting to
cn=etc,dc=clients,dc=ipa,dc=example,dc=com I can see a "changelog"
directly after connecting:
cn changelog
objectClass nsContainer
objectClass top
changeNumber 45
changeTime 20240911092231Z
changeType modify
objectClass changelogentry
objectClass extensibleObject
objectClass top
targetDn idnsname=clients.ipa.example.com.,cn=dns,dc=example,dc=com
changes (non string data)
targetuniqueid 64af5c10xxx
I don't know what that means, but it seems like it redirects to
cn=etc,dc=example,dc=com, as the directory list is showing
dc=example,dc=com only.
In the command line, with ldapsearch, I still cannot query
cn=etc,dc=clients,dc=ipa,dc=example,dc=com...
Is that a feature of LDAP/389ds? Maybe it leads ipa-server-install to
use dc=example,dc=com and set up "change top", but SSSD/ldapsearch
cannot use it? Or is it a bug in ipa-server-setup?
Is there a way to change the base DN for LDAP after installation?
FreeIPA-users mailing list -- [email protected]
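A small consistency check, added here as an example and not part of the thread or of FreeIPA itself, that encodes the rules from Alexander's reply (the realm equals the primary domain, the base DN is derived from the primary domain, and the server hostname must be a host inside the primary domain rather than a DNS zone) and runs them against the values from the original docker-compose.yml. The function names are my own assumptions, not installer APIs.

```python
from typing import Iterable, List, Optional

# Added example, not part of the thread: encodes the deployment rules from
# Alexander's reply so a planned hostname/--domain/--realm combination can be
# checked before running ipa-server-install. Function names are assumptions.

def base_dn(domain: str) -> str:
    """Base DN the installer derives from the primary domain (dc=...)."""
    labels = domain.lower().rstrip(".").split(".")
    return ",".join(f"dc={label}" for label in labels)

def derived_domain(hostname: str) -> str:
    """Primary domain the installer picks when --domain is not given."""
    hostname = hostname.lower().rstrip(".")
    return hostname.split(".", 1)[1] if "." in hostname else ""

def check_deployment(hostname: str, domain: Optional[str], realm: str,
                     child_zones: Iterable[str] = ()) -> List[str]:
    """Return rule violations; an empty list means the plan is consistent."""
    hostname = hostname.lower().rstrip(".")
    domain = (domain or derived_domain(hostname)).lower().rstrip(".")
    problems: List[str] = []
    # Rule 1: the Kerberos realm must equal the primary domain (upper-cased);
    # otherwise the base DN derived from --domain disagrees with the realm.
    if realm != domain.upper():
        problems.append(f"realm {realm} != primary domain {domain.upper()}; "
                        f"base DN would be {base_dn(domain)}")
    # Rule 2: the server hostname must be a host inside the primary domain,
    # never the domain itself.
    if not hostname.endswith("." + domain):
        problems.append(f"hostname {hostname} is not a host inside {domain}")
    # Rule 3: nothing may hang below the server hostname, otherwise the
    # hostname becomes a DNS zone (clients.ipa.example.com under ipa.example.com).
    for zone in child_zones:
        zone = zone.lower().rstrip(".")
        if zone == hostname or zone.endswith("." + hostname):
            problems.append(f"zone {zone} turns hostname {hostname} into a DNS zone")
    return problems

if __name__ == "__main__":
    # Values from the original docker-compose.yml quoted in the thread.
    for p in check_deployment("ipa.example.com", "clients.ipa.example.com",
                              "EXAMPLE.COM", ["clients.ipa.example.com"]):
        print("problem:", p)
```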