The KDC is just trying to look up a service that was requested, it was the client that requested this host. Note that the host name used is the detected IPA server. This can often be wrong if there is another server in your network with SRV records (such as AD).
Apparently not the KDC. I had to fix the resolv.conf on the *client* in order to resolve the problem. Problem was in reverse records - company DNS server returned / (this rendered the error on KDC) for the IP of the IPA server whereas the correct one should be / /(as per the DNS server running on the IPA server). When the clients resolv.conf pointed to the company DNS, it did not work. I had to fix resolv.conf manually to make it working.

The resolver is a bit of a chicken and egg problem. Hard to look anything up if 
you don't have one configured.

The installer should prompt that the detected settings are ok. Were they ok and 
we still went to the wrong place?

Ok let me explain it more. The machine I was running the ipa-client-install was using company DNS server. On that DNS server I made a forward rule for '' domain. Therefore, once I ran

# ipa-client-install

.. the tool was able to detect everything correctly, BUT the wrong DNS server (which was left behind in /etc/resolv.conf) returned wrong names from its reverse zone.

I believe it should be fairly easy for the installer to do few sanity checks to 
see whether the reverse DNS lookup works well...

Freeipa-users mailing list

Reply via email to