On 06/24/2013 08:32 PM, Vitaly wrote:
> Sorry for probably stupid question, but if in general
> ipaclient.staging.example.com <http://ipaclient.staging.example.com>
> host may be a member in prod.example.com <http://prod.example.com>
> domain?

Sure, you just need to have properly configured /etc/krb5.conf (namely
[domain_realm] mapping) and /etc/sssd/sssd.conf to look up the clients in this
domain.

I tested this with freeipa-client-3.1.4-1.fc18.x86_64, ipa-client-install does
that for you:

# hostname
client.example.com

# ipa-client-install --domain ipa.domain.test
Discovery was successful!
Hostname: client.example.com
Realm: IPA.DOMAIN.TEST
DNS Domain: ipa.domain.test
IPA Server: server1.ipa.domain.test
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@ipa.domain.test:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.DOMAIN.TEST
    Issuer:      CN=Certificate Authority,O=IPA.DOMAIN.TEST
    Valid From:  Wed Jun 19 20:11:11 2013 UTC
    Valid Until: Sun Jun 19 20:11:11 2033 UTC

Enrolled in IPA realm IPA.DOMAIN.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.DOMAIN.TEST
trying https://server1.ipa.domain.test/ipa/xml
Hostname (client.example.com) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server 'https://server1.ipa.domain.test/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

# cat /etc/sssd/sssd.conf
[domain/ipa.domain.test]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.domain.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = client.example.com
chpass_provider = ipa
ipa_server = _srv_, server1.ipa.domain.test
dns_discovery_domain = ipa.domain.test
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = ipa.domain.test
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.DOMAIN.TEST
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  IPA.DOMAIN.TEST = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ipa.domain.test = IPA.DOMAIN.TEST
  ipa.domain.test = IPA.DOMAIN.TEST
  .example.com = IPA.DOMAIN.TEST
  example.com = IPA.DOMAIN.TEST



HTH,
Martin

> 
> 
> On Thu, Jun 20, 2013 at 10:34 AM, Vitaly <li...@karasik.org
> <mailto:li...@karasik.org>> wrote:
> 
>     >Is KDC resolvable from the client?
>     yes, there is DNS resolving for "serv02.prod.example.com
>     <http://serv02.prod.example.com>" on client.
> 
>     >Do you have an AD DNS that might be actually serving records?
>     no, I don't AD DNS for prod.example.com <http://prod.example.com>
>     >What version of the client and what OS are you using?
> 
>     On the client:
>     ipa-client-2.0-10.el5_6.1
>     Red Hat Enterprise Linux Server release 5.6 (Tikanga)
> 
>     On IPA server :
> 
>     ipa-pki-common-theme-9.0.3-7.el6.noarch
> 
>     ipa-pki-ca-theme-9.0.3-7.el6.noarch
> 
>     libipa_hbac-1.5.1-66.el6_2.3.x86_64
> 
>     libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
> 
>     ipa-python-2.1.3-9.el6.x86_64
> 
>     ipa-client-2.1.3-9.el6.x86_64
> 
>     ipa-server-selinux-2.1.3-9.el6.x86_64
> 
>     ipa-admintools-2.1.3-9.el6.x86_64
> 
>     ipa-server-2.1.3-9.el6.x86_64
> 
>     Red Hat Enterprise Linux Server release 6.2 (Santiago)
> 
>     Thank you,
>     Vitaly
> 
> 
>     On Wed, Jun 19, 2013 at 7:45 PM, Dmitri Pal <d...@redhat.com
>     <mailto:d...@redhat.com>> wrote:
>     > On 06/19/2013 10:32 AM, Vitaly wrote:
>     >
>     >
>     > ipa-client-install fails with "Cannot resolve network address for KDC"
>     > message.
>     > I don't have SRV records, but I provide  IPA server name via "--server"
>     > param.
>     > any ideas?
>     >
>     > TIA,
>     > Vitaly
>     >
>     > 2013-06-19 13:58:39,113 DEBUG Loading Index file from
>     > '/var/lib/ipa-client/sysrestore/sysrestore.index'
>     > 2013-06-19 13:58:39,113 DEBUG [ipacheckldap]
>     > 2013-06-19 13:58:39,113 DEBUG Init ldap with:
>     > ldap://serv02.prod.example.com:389 <http://serv02.prod.example.com:389>
>     > 2013-06-19 13:58:39,193 DEBUG Search rootdse
>     > 2013-06-19 13:58:39,233 DEBUG Search for (info=*) in
>     > dc=prod,dc=example,dc=com(base)
>     > 2013-06-19 13:58:39,272 DEBUG Found: [('dc=prod,dc=example,dc=com',
>     > {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
>     > 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
>     > ['prod.example.com <http://prod.example.com>'], 'dc': ['prod'],
>     'nisDomain': ['prod.example.com <http://prod.example.com>']})]
>     > 2013-06-19 13:58:39,272 DEBUG Search for 
> (objectClass=krbRealmContainer) in
>     > dc=prod,dc=example,dc=com(sub)
>     > 2013-06-19 13:58:39,313 DEBUG Found:
>     > [('cn=PROD.EXAMPLE.COM
>     <http://PROD.EXAMPLE.COM>,cn=kerberos,dc=prod,dc=example,dc=com',
>     > {'krbSubTrees': ['dc=prod,dc=example,dc=com'], 'cn': ['PROD.EXAMPLE.COM
>     <http://PROD.EXAMPLE.COM>'],
>     > 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
>     > 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': 
> ['top',
>     > 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
>     > 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
>     > 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
>     > 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
>     > 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
>     > 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
>     > 'krbMaxRenewableAge': ['604800']})]
>     > 2013-06-19 13:58:52,031 INFO args=/usr/kerberos/bin/kinit
>     > vm4.stage.example....@prod.example.com
>     <mailto:vm4.stage.example....@prod.example.com>
>     > 2013-06-19 13:58:52,032 INFO stdout=
>     > 2013-06-19 13:58:52,032 INFO stderr=kinit(v5): Cannot resolve network
>     > address for KDC in realm PROD.EXAMPLE.COM <http://PROD.EXAMPLE.COM> 
> while
>     getting initial credentials
>     >
>     > 2013-06-19 13:58:52,065 INFO args=/usr/kerberos/bin/kdestroy
>     > 2013-06-19 13:58:52,065 INFO stdout=
>     > 2013-06-19 13:58:52,065 INFO stderr=kdestroy: No credentials cache found
>     > while destroying cache
>     > ~
>     > ~
>     > ~
>     > ~
>     > ~
>     > ~
>     > ~
>     >
>     >
>     >
>     > _______________________________________________
>     > Freeipa-users mailing list
>     > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
>     > https://www.redhat.com/mailman/listinfo/freeipa-users
>     >
>     >
>     > Is KDC resolvable from the client?
>     >
>     > --
>     > Thank you,
>     > Dmitri Pal
>     >
>     > Sr. Engineering Manager for IdM portfolio
>     > Red Hat Inc.
>     >
>     >
>     > -------------------------------
>     > Looking to carve out IT costs?
>     > www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>     >
>     >
>     >
>     > _______________________________________________
>     > Freeipa-users mailing list
>     > Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
>     > https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to