On Wed, 2012-08-08 at 12:16 -0700, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce <s...@redhat.com> wrote:
> > On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
> > > -I'm going to set up the IPA server with a new realm;
> > > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
> > > up there for that?  If so, what?)
> >
> > If your DNS people want to manually mange DNS for you then they need to
> > create the unix.mydomain.com zone and manually create SRV and TXT
> > records for kerberos and ldap IPA servers.
> Is there a doc that explains what those SRV and TXT records need to look like?

When you install freeipa it will generate a zone file if DNS is not
installed as well, that's probably the most complete example.

> > > -I'm going to try registering testserver.mycompany.com server as part
> > > of the UNIX.MYCOMPANY.COM realm.
> > >
> > > Sound reasonable and/or sane?  :-)
> >
> > for the ipa server it should be in the unix.mydomain.com DNS zone to be
> > useful.
> The IPA server needs to be part of the unix.mycompany.com domain,
> then, and the IPA clients do not?

The simplest setup is when all clients are part of the same DNS zone
which is not shared with an AD setup.
Unlike AD we do not force all client to be positioned in the same DNS
zone, however if you have clients not belonging to the same DNS domain
you may have to change the krb5.conf file on all members of the realm to
add additional [domain_realm] mappings so that you can tell that clients
in zone foo.net are also to be looked for in the UNIX.MYDOMAIN.COM realm
and its KDC.
We are going to make it simpler to add these domains centrally in
FreeIPA and have SSSD automatically provide these appings on all
clients, but this work is being done in v 3.0. For now it needs to be
manually configured on each client.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to