On Tue, 13 May 2025, Gareth Blades via FreeIPA-users wrote:
We have a multi location internal setup with our own internal DNS
setup. These DNS servers are setup with zone transfers from a central
location and various customer entries with dns views configured so we
have to keep these dns servers as the primary ones used by all servers
but we can add extra records or forwarders etc... if required.
Initially I thought I would setup the DNS records manually for each
location so that a simple 'ipa-client-install' command would use the
dns domain and configure everything.
This is my dns config :-
rsnfreeipa01a IN A 192.168.233.66
rsnfreeipa01b IN A 192.168.233.67
_kerberos-master._tcp IN SRV 0 100 88 rsnfreeipa01a.redstation.xyz.net.
_kerberos-master._tcp IN SRV 0 100 88 rsnfreeipa01b.redstation.xyz.net.
_kerberos-master._udp IN SRV 0 100 88 rsnfreeipa01a.redstation.xyz.net.
_kerberos-master._udp IN SRV 0 100 88 rsnfreeipa01b.redstation.xyz.net.
_kerberos._tcp IN SRV 0 100 88 rsnfreeipa01a.redstation.xyz.net.
_kerberos._tcp IN SRV 0 100 88 rsnfreeipa01b.redstation.xyz.net.
_kerberos._udp IN SRV 0 100 88 rsnfreeipa01a.redstation.xyz.net.
_kerberos._udp IN SRV 0 100 88 rsnfreeipa01b.redstation.xyz.net.
_kerberos IN TXT "XYZ.NET"
_kerberos IN URI 0 100 "krb5srv:m:tcp:rsnfreeipa01a.redstation.xyz.net."
_kerberos IN URI 0 100 "krb5srv:m:tcp:rsnfreeipa01b.redstation.xyz.net."
_kerberos IN URI 0 100 "krb5srv:m:udp:rsnfreeipa01a.redstation.xyz.net."
_kerberos IN URI 0 100 "krb5srv:m:udp:rsnfreeipa01b.redstation.xyz.net."
_kpasswd._tcp IN SRV 0 100 464 rsnfreeipa01a.redstation.xyz.net.
_kpasswd._tcp IN SRV 0 100 464 rsnfreeipa01b.redstation.xyz.net.
_kpasswd._udp IN SRV 0 100 464 rsnfreeipa01a.redstation.xyz.net.
_kpasswd._udp IN SRV 0 100 464 rsnfreeipa01b.redstation.xyz.net.
_kpasswd IN URI 0 100 "krb5srv:m:tcp:rsnfreeipa01a.redstation.xyz.net."
_kpasswd IN URI 0 100 "krb5srv:m:tcp:rsnfreeipa01b.redstation.xyz.net."
_kpasswd IN URI 0 100 "krb5srv:m:udp:rsnfreeipa01a.redstation.xyz.net."
_kpasswd IN URI 0 100 "krb5srv:m:udp:rsnfreeipa01b.redstation.xyz.net."
_ldap._tcp IN SRV 0 100 389 rsnfreeipa01a.redstation.xyz.net.
_ldap._tcp IN SRV 0 100 389 rsnfreeipa01b.redstation.xyz.net.
ipa-ca IN A 192.168.233.66
ipa-ca IN A 192.168.233.67
I have two main issues with this approach :-
1
The ipa-client-install seems to work but I get this error at the end :-
Enrolled in IPA realm XYZ.NET
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm XYZ.NET
Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor
(2529639066): Cannot find KDC for realm "XYZ.NET"
The ipa-client-install command failed. See /var/log/ipaclient-install.log for
more information
Running tcpdump during this process I see entries like "SRV?
_kerberos._udp.XYZ.NET"
What is wrong here?
If the lookup is always using the realm name at this point I can't see
how it can possibly use the defined location without the use of dns
views to return different results depending on what the client is and I
don't see any requirement for doing this or any configuration for the
IP ranges in use in each location for the internal freeipa dns servers
to be able to do this.
I am confused, especially with the values in the config files below.
What is your IPA realm?
IPA deployment requirements are to have a unique Kerberos realm and
corresponding primary DNS domain for it. If you have Kerberos realm
XYZ.NET, then xyz.net is the primary DNS domain for this deployment. It
might have no IPA servers and clients but it must have DNS records
required for Kerberos and LDAP discovery in it.
Man page for ipa-server-install(1) has this documented:
-n DOMAIN_NAME, --domain=DOMAIN_NAME
    The primary DNS domain of the IPA deployment, e.g. example.com.
    This DNS domain should contain the SRV records generated by the
    IPA server installer. The specified DNS domain must not contain
    DNS records of any other LDAP or Kerberos based management system
    (like Active Directory or MIT Kerberos).
    It is strongly recommended to use a lower-cased name of the IPA
    Kerberos realm name.
    The primary DNS domain name cannot be changed after the
    installation.
Most of the code actually assumes realm <> primary DNS domain being the
same and derive LDAP suffix (dc=xyz,dc=net) from the realm (XYZ.NET).
For other DNS domains you can direct Kerberos libraries to look for the
right DNS domain by TXT record _kerberos:
_kerberos.redstation.xyz. 86400 IN TXT "XYZ.NET"
If XYZ.NET is already used for some other Kerberos deployment (e.g.
Active Directory), then IPA realm cannot be XYZ.NET.
2
After the ipa-client-install has run I see the following lines in the
sssd.conf file and these appear correct and I see mention of _srv_ so
it looks like it will use srv records and fail over if one of the
server dies so no issues there.
ipa_server = _srv_, rsnfreeipa01b.redstation.xyz.net
ipa_domain = redstation.xyz.net
/etc/ipa/default.conf contains these config lines though
[global]
basedn = dc=xyz,dc=net
realm = XYZ.NET
domain = redstation.xyz.net
server = rsnfreeipa01b.redstation.xyz.net
host = ssotesting.redstation.xyz.net
xmlrpc_uri = https://rsnfreeipa01b.redstation.xyz.net/ipa/xml
enable_ra = True
The server and xmlrpc_uri lines are hard coded to use a specific freeipa server.
If this server dies won't this fail?
Shouldn't the client installer have specified both servers if this
configuration file supports that?
krb5.conf contains this configuration. This generally looks ok but perhaps
dns_lookup_realm is the cause of the earlier error and perhaps I am missing an
install-ipa-client parameter.
The issue being that the xyz.net domain is common and in use across all of our
locations and having to add SRV _kerberos._udp.XYZ.NET records which are
different in each location would prove very difficult.
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = XYZ.NET
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
XYZ.NET = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.redstation.xyz.net = XYZ.NET
redstation.xyz.net = XYZ.NET
ssotesting.redstation.xyz.net = XYZ.NET
Am I going down the wrong path and there is a better way to do this?
I thought of using ipa.xyz.com together with the info at
https://www.freeipa.org/page/Howto/IPA_locations but the problem with
that is if I use a dedicated domain for ipa then the ipa-client-install
auto discovery won't work and I will need to specify the domain name.
It would also not solve the issue of requiring unique per location
records for SRV _kerberos._udp.ipa.XYZ.NET or the apparent non-redundant
config in /etc/ipa/default.conf
Thanks
Gareth
Gareth Blades
System Administrator
w: eseye.com
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
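The point Alexander makes above (the realm's own DNS domain must carry the KDC SRV records, while a subdomain only needs a _kerberos TXT record to map its hosts to the realm) can be illustrated with a small model of the libkrb5 discovery steps. This is an added example, not FreeIPA or MIT Kerberos code; the zone contents are constructed from the records Gareth posted, placed under redstation.xyz.net, and the "fixed" zone adds SRV records under xyz.net as an assumption of what the fix looks like. It models only the SRV path (not _kerberos-master, URI records or /etc/krb5.conf fallbacks).

```python
"""Model of Kerberos DNS discovery as a client with dns_lookup_realm=true and
dns_lookup_kdc=true performs it. Added illustration; constructed zone data."""


def srv(prio, weight, port, target):
    """Build an SRV rdata tuple in priority/weight/port/target order."""
    return ("SRV", (prio, weight, port, target))


HOSTS = ("rsnfreeipa01a.redstation.xyz.net", "rsnfreeipa01b.redstation.xyz.net")

# Constructed zone: records as posted in the thread, all under redstation.xyz.net.
POSTED_ZONE = {
    "_kerberos.redstation.xyz.net": [("TXT", "XYZ.NET")],
    "_kerberos._udp.redstation.xyz.net": [srv(0, 100, 88, h) for h in HOSTS],
    "_kerberos._tcp.redstation.xyz.net": [srv(0, 100, 88, h) for h in HOSTS],
    "_kpasswd._udp.redstation.xyz.net": [srv(0, 100, 464, h) for h in HOSTS],
    "_ldap._tcp.redstation.xyz.net": [srv(0, 100, 389, h) for h in HOSTS],
}

# Assumed fix: the same records plus KDC SRV records under the realm's own
# lowercased DNS domain, xyz.net, which is where libkrb5 actually looks.
FIXED_ZONE = dict(POSTED_ZONE)
FIXED_ZONE["_kerberos._udp.xyz.net"] = [srv(0, 100, 88, h) for h in HOSTS]
FIXED_ZONE["_kerberos._tcp.xyz.net"] = [srv(0, 100, 88, h) for h in HOSTS]


def lookup(zone, name, rtype):
    """Case-insensitive lookup of all rdata of one type at a DNS name."""
    key = name.lower().rstrip(".")
    return [rdata for t, rdata in zone.get(key, []) if t == rtype]


def realm_for_host(zone, hostname):
    """dns_lookup_realm: query _kerberos.<host>, then _kerberos.<each parent
    domain>, and take the first TXT answer as the realm name."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        txt = lookup(zone, "_kerberos." + ".".join(labels[i:]), "TXT")
        if txt:
            return txt[0]
    return None


def kdcs_for_realm(zone, realm):
    """dns_lookup_kdc: SRV queries are keyed on the realm name itself
    (_kerberos._udp.<REALM>, _kerberos._tcp.<REALM>), never on the client's
    own DNS domain. Returns (proto, target, port) in priority/weight order."""
    found = []
    for proto in ("udp", "tcp"):
        for _prio, _weight, port, target in sorted(lookup(zone, f"_kerberos._{proto}.{realm}", "SRV")):
            found.append((proto, target, port))
    return found


def discover(zone, hostname):
    """Run both steps for a client host and report the outcome the way the
    installer error in the thread reflects it."""
    realm = realm_for_host(zone, hostname)
    if realm is None:
        return {"realm": None, "kdcs": [], "error": "Cannot determine realm for host"}
    kdcs = kdcs_for_realm(zone, realm)
    error = None if kdcs else f'Cannot find KDC for realm "{realm}"'
    return {"realm": realm, "kdcs": kdcs, "error": error}


if __name__ == "__main__":
    client = "ssotesting.redstation.xyz.net"
    print("posted zone:", discover(POSTED_ZONE, client))
    print("fixed zone: ", discover(FIXED_ZONE, client))
```

With the posted zone the TXT step succeeds (the host maps to XYZ.NET) but the SRV step asks for `_kerberos._udp.xyz.net`, which is exactly the query seen in tcpdump, finds nothing and yields the "Cannot find KDC" error; with the SRV records under xyz.net both KDCs are returned.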