The KDC is just trying to look up a service that was requested; it was the client that requested this host. Note that the host name used
is the detected IPA server. This can often be wrong if there is another server in your network with SRV records (such as AD).
Apparently not the KDC. I had to fix the resolv.conf on the *client* in order to resolve the problem. Problem was in reverse records -
company DNS server returned /polaris.prague.s3group.com/ (this rendered the error on KDC) for the IP of the IPA server whereas the correct
one should be /polaris.example.com/ (as per the DNS server running on the IPA server). When the client's resolv.conf pointed to the company
DNS, it did not work. I had to fix resolv.conf manually to make it work.
The resolver is a bit of a chicken and egg problem. Hard to look anything up if
you don't have one configured.
The installer should prompt that the detected settings are ok. Were they ok and
we still went to the wrong place?

OK, let me explain it more. The machine I was running ipa-client-install on was using the company DNS server. On that DNS server I made a
forward rule for the 'example.com' domain. Therefore, once I ran
# ipa-client-install --domain=example.com
... the tool was able to detect everything correctly, BUT the wrong DNS server (which was left behind in /etc/resolv.conf) returned wrong
names from its reverse zone.
I believe it should be fairly easy for the installer to do a few sanity checks to
see whether the reverse DNS lookup works well...
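
A sketch of the reverse-DNS sanity check suggested above, as an added example that is not part of the thread or of ipa-client-install: it resolves the detected server name forward, resolves each address back, and reports any PTR answer that differs from the expected name. The function names and the 192.0.2.10 address are constructed for illustration; the host names are the ones quoted in the thread.

```python
import socket

def system_forward(name):
    """A/AAAA lookup through the resolver configured in /etc/resolv.conf."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})

def system_reverse(addr):
    """PTR lookup through the same resolver; returns the primary name."""
    return socket.gethostbyaddr(addr)[0]

def check_reverse_dns(server_fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means forward and reverse agree."""
    want = server_fqdn.rstrip(".").lower()
    try:
        addrs = forward(want)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"forward lookup of {want} failed: {exc}"]
    problems = []
    for addr in addrs:
        try:
            got = reverse(addr).rstrip(".").lower()
        except OSError as exc:  # socket.herror: no PTR record
            problems.append(f"no PTR record for {addr}: {exc}")
            continue
        if got != want:
            problems.append(f"{addr} reverse-resolves to {got}, expected {want}")
    return problems

# Constructed sample data: the address is a documentation-range placeholder.
SERVER = "polaris.example.com"
ADDR = "192.0.2.10"
FORWARD = {SERVER: [ADDR]}
COMPANY_PTR = {ADDR: "polaris.prague.s3group.com"}  # answer from the company DNS
IPA_PTR = {ADDR: "polaris.example.com."}            # answer from the IPA server's DNS

def table_reverse(table):
    """Build a fake PTR resolver from a dict so the check runs offline."""
    def lookup(addr):
        if addr not in table:
            raise OSError("host not found")
        return table[addr]
    return lookup

def demo():
    fwd = FORWARD.__getitem__
    return (check_reverse_dns(SERVER, fwd, table_reverse(COMPANY_PTR)),
            check_reverse_dns(SERVER, fwd, table_reverse(IPA_PTR)))

if __name__ == "__main__":
    bad, good = demo()
    print("company DNS:", bad or "ok")
    print("IPA DNS:", good or "ok")
```

Called with the default resolvers, `check_reverse_dns` uses whatever DNS server /etc/resolv.conf points at, which is the setting that caused the mismatch in this thread.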