On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
So which way do I go?
1) Change the server VM's hostname from "ipa1.eurosel.az" to
"ipa1.ipa.eurosel.az" prior to issuing the IPA installation command
2) or leave my hostname and the contents of the /etc/hosts file intact and
specify a different FQDN and domain part of the IPA server after
issuing the IPA installation command?
Yes, I know - this is a question Homer Simpson would ask.
Allocate ipa.eurosel.az domain zone to FreeIPA and install FreeIPA with
integrated DNS. Essentially, (1), with domain=ipa.eurosel.az, realm
IPA.EUROSEL.AZ.
If you want later to see how this setup scales, all you would need to do
is to make sure the other clients would use ipa1.ipa.eurosel.az as a
resolver.
On 14-Oct-14 17:43, Petr Spacek wrote:
On 14.10.2014 13:48, Orkhan Gasimov wrote:
I need further assistance with this moment:
"specify IPA domain name which is a sub-domain of your existing
domain (e.g. ipa.eurosel.az)".
Currently my FreeIPA server's hostname is ipa1.eurosel.az, and client's
hostname is bsd1.eurosel.az.
So when running this command:
"ipa-server-install --setup-dns --forwarder <ip address of your *existing* DNS server>",
the installation program detects the hostname of the VM
(ipa1.eurosel.az) and
offers it as IPA server FQDN;
then it offers "eurosel.az" as the domain name. I can make changes right
during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
ipa.eurosel.az), but then there will be a conflict with the real
hostname and
records in the /etc/hosts file.
On the other hand, if I change the hostname of the server VM to
"ipa1.ipa.eurosel.az" prior to running the IPA installation
program, then the
installation program will offer my server an FQDN of
"ipa1.ipa.eurosel.az" and
a domain name of "ipa.eurosel.az". But doesn't it mean that my client's
hostname should also be changed to bsd1.ipa.eurosel.az? I'd like
to avoid this, because in production I won't be able to change the domain
part of the FQDN for hundreds of clients.
Clients don't need to be in the same domain as IPA. The IPA domain
in DNS is necessary to store 'metadata' like SRV and TXT records
etc.
You can even experiment with IPA servers which are not in the IPA
domain but I'm not sure how much it was tested.
Alexander can add more details about records required for AD
integration and how it should work with clients which are not in the
IPA domain.
Petr^2 Spacek
On 14-Oct-14 16:29, Petr Spacek wrote:
On 14.10.2014 11:49, Orkhan Gasimov wrote:
I suspected that problems could arise with DNS, and here they are...
In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server has DNS
SRV entries" was taken as-is from the how-to on the FreeBSD forums. First I
commented it out, because I was unsure if it was appropriate for my simple
setup with just 2 VMs and a bunch of records in the /etc/hosts file. After
starting sssd, I could get no IPA data with "getent passwd" or "getent group"
commands. Then I uncommented it and restarted sssd, but things remained the
same.
Now your advice is: "...add IP address or hostname to the option ipa_server",
but you use an arbitrary name like "vm-120.eurosel.az". Could you please
explain which host's FQDN I should put there? If I use "ipa1.eurosel.az", then
sssd won't start (complains about "...Looping detected inside
krb5_get_in_tkt...").
If it MUST be a DNS server, then everything changes. And the
question then
becomes: is it possible to set up a test FreeIPA client-server
interaction
using only 2 VMs and proper records in /etc/hosts instead of a
DNS server? Or
one MUST add a third VM and make it a DNS server to facilitate
client-server
interaction?
IPA theoretically can work without DNS records but it requires
very careful
configuration on clients and is strongly discouraged.
If you want to do quick & dirty test, do this:
$ ipa-server-install --setup-dns --forwarder <ip address of your *existing* DNS server>
+ specify an IPA domain name which is a sub-domain of your existing
domain (e.g. ipa.eurosel.az)
+ change /etc/resolv.conf on *all* clients to point to IPA server
*This is a dirty trick* and it will not work unless all your
clients have the IPA server in resolv.conf. It will most likely break when you
try to use AD trust with AD clients etc.
*In production environment* you should add NS records for
ipa.eurosel.az
domain to the parent DNS zone to create proper delegation. In
that case you
don't need to fiddle with resolv.conf on all clients.
Let me know if you need further assistance.
Petr^2 Spacek
On 14-Oct-14 12:58, Lukas Slebodnik wrote:
On (14/10/14 10:23), Orkhan Gasimov wrote:
Thanks to both of you for the interest.
Here's the info you asked for:
1. Putting "debug_level = 7" either in [domain] or/and
[nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the
log. The log file
located at /var/log/sssd/sssd.log is only populated with
data when I make
some errors in sssd.conf & sssd process fails to start.
But that's the case
only if I deliberately introduce some errors; with current
configuration
sssd
starts successfully.
2. My original sssd.conf (without debugs) is as follows
(exact copy of what
was shown in the post at FreeBSD forums):
-----------------------------------------
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
'_ldap._tcp.eurosel.az'
...
[resolve_srv_done] (0x0020): SRV query failed: [Domain name
not found]
[set_srv_data_status] (0x0100): Marking SRV lookup of
service 'IPA' as 'not
resolved'
[be_resolve_server_process] (0x0080): Couldn't resolve
server (SRV lookup
meta-server), resolver returned (5)
DNS discovery of the IPA server failed, because you just
configured a few hostnames in /etc/hosts.
You can add IP address or hostname to the option ipa_server
e.g.
ipa_server = _srv_, vm-120.eurosel.az
BTW In my opinion, it is better to have the comment before the
option and not on the same line :-)
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
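The two setups Petr describes (every client resolving through the IPA server, or a proper NS delegation of ipa.eurosel.az from the parent zone) and the ipa_server fallback Lukas suggests can be checked from the client before touching sssd. The script below is an added example, not code from this thread or from the FreeIPA/SSSD projects. It uses the names from the thread (IPA domain ipa.eurosel.az, server ipa1.ipa.eurosel.az, client bsd1.eurosel.az) and assumes dig(1) is installed on the FreeBSD client (the dns/bind-tools port); the file name ipa-dns-check.sh and the --check/--conf switches are my own.

```shell
#!/bin/sh
# ipa-dns-check.sh: run on an IPA client that lives outside the IPA DNS domain
# (client bsd1.eurosel.az, IPA domain ipa.eurosel.az, server ipa1.ipa.eurosel.az,
# the names used in the thread). Added example, not code from the thread or from
# FreeIPA/SSSD. Assumes dig(1) is installed (on FreeBSD: the dns/bind-tools port).
# Usage: sh ipa-dns-check.sh --check   (live DNS check, then prints the sssd stanza)
#        sh ipa-dns-check.sh --conf    (only prints the sssd stanza)

IPA_DOMAIN="${IPA_DOMAIN:-ipa.eurosel.az}"
IPA_SERVER="${IPA_SERVER:-ipa1.ipa.eurosel.az}"
CLIENT_FQDN="${CLIENT_FQDN:-bsd1.eurosel.az}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# SRV names SSSD's IPA provider needs to find under ipa_domain when ipa_server
# contains _srv_ (LDAP for the id provider, KDC and kpasswd for Kerberos).
srv_names() {
    printf '_ldap._tcp.%s\n_kerberos._udp.%s\n_kerberos._tcp.%s\n_kpasswd._tcp.%s\n' "$1" "$1" "$1" "$1"
}

# Reduce `dig +short SRV` output ("0 100 389 ipa1.ipa.eurosel.az.") to the
# target host names, trailing dot stripped; prints nothing if there was no answer.
parse_srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Exit 0 if the resolver file names ns_ip as a nameserver: that is the
# "dirty trick" setup where every client resolves through the IPA server.
resolv_points_to() {
    resolv_file=$1
    ns_ip=$2
    awk -v ns="$ns_ip" '$1 == "nameserver" && $2 == ns { found = 1 } END { exit !found }' "$resolv_file"
}

# sssd.conf stanza for this client. The host after _srv_ is the fallback Lukas
# suggested; the comment gets its own line so it cannot be read as part of the
# value, and ipa_hostname names the client itself, not the server.
render_sssd_domain() {
    cat <<EOF
[domain/${IPA_DOMAIN}]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = ${IPA_DOMAIN}
# this client's own FQDN; only needed when hostname(1) is not already the FQDN
ipa_hostname = ${CLIENT_FQDN}
# DNS SRV discovery first, then the explicitly named server
ipa_server = _srv_, ${IPA_SERVER}
cache_credentials = True
krb5_store_password_if_offline = True
EOF
}

# Live check against the client's configured resolver (network access required).
check_ipa_dns() {
    command -v dig >/dev/null 2>&1 || { echo "dig(1) not found"; return 2; }
    rc=0
    server_ip=$(dig +short A "$IPA_SERVER" | head -n 1)
    if [ -n "$server_ip" ] && resolv_points_to "$RESOLV_CONF" "$server_ip"; then
        echo "info: $RESOLV_CONF points at $IPA_SERVER ($server_ip); quick-and-dirty setup"
    elif [ -n "$(dig +short NS "$IPA_DOMAIN")" ]; then
        echo "info: $IPA_DOMAIN is delegated (NS records found); production-style setup"
    else
        echo "FAIL: neither resolv.conf -> IPA server nor an NS delegation for $IPA_DOMAIN"
        rc=1
    fi
    for name in $(srv_names "$IPA_DOMAIN"); do
        targets=$(dig +short SRV "$name" | parse_srv_targets)
        if [ -n "$targets" ]; then
            echo "ok:   SRV $name -> $(echo "$targets" | tr '\n' ' ')"
        else
            echo "FAIL: SRV $name has no answer; SSSD will log 'SRV query failed'"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    --check) check_ipa_dns && render_sssd_domain ;;
    --conf)  render_sssd_domain ;;
esac
```

A FAIL on every SRV name with a working resolver is exactly the state in Lukas's log excerpt: the client resolves through a server that knows nothing about the IPA domain, so only the explicit host after _srv_ will get sssd talking to ipa1. Once the delegation or the resolv.conf change is in place, the same script should print four ok lines.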