On 19.1.2015 16:54, rob.har...@stfc.ac.uk wrote:
> Hi all,
> I have successfully set up a test FreeIPA server and run it for a while, but 
> the time has come to move towards a production service.  I am currently 
> running ipa-server version 3.0.0-25 on Scientific Linux 6.4 (if you don't 
> know it, Scientific Linux is basically a rebuild of RedHat, much like 
> CentOS).  Yes, I know this is an older FreeIPA, but I am going through the 
> path of least resistance given our site's current standard configuration.
> On our site there is a central DNS service and it is unlikely we will be 
> allowed to run our own DNS service (other than as a slave/caching NS). 
> I have been trying to set up SRV records for the FreeIPA server by providing 
> the autogenerated zone file to our DNS manager, who has incorporated the 
> configuration.  When we deployed these changes, I used dig to confirm that 
> SRV queries were giving appropriate responses, which they appear to be.
> I then tried setting up a client using ipa-client-install and got an error:
> Failed to verify that freeipa01.<munged.domain> is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to 
> network or firewall settings.
> The install worked on a client before deploying the SRV records, using manual 
> specification of the server.  I disabled iptables on the server to eliminate 
> potential problems there, and got the same result.  If we disable the SRV 
> records, I am able to do the manual set-up again.
> So it looks like the problem is at the DNS end of things, so maybe our zone 
> configuration is missing something.  
> The zone config we currently have in place is as follows (we changed 
> hostnames in the sample file to fqdns for this attempt, but the same symptoms 
> came from bare hostnames)...
> ; ldap servers
> _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
> ;
> ; kerberos realm
> _kerberos.my.domain. IN TXT my.domain.
> ;
> ; kerberos servers
> _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> ;
> ; ntp server
> _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
> ...So that is where I am.  I was hoping that someone could give me a pointer 
> or two as to how I might debug this problem and actually get service 
> discovery working.
> Many thanks for reading this far!

Interesting. Please provide us with information listed on

Additionally, non-obfuscated output from dig could help too.

Also, please keep in mind that:
1) Log obfuscation will make debugging harder for us.
2) Obfuscating DNS names does not bring any real security.

Did you read your e-mail headers? DNS domain EXCHMBX01.fed.cclrc.ac.uk is in
there ...

Have a nice day!

Petr^2 Spacek
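
A small check of the discovery records from the client's side, added here as an example; it is not code from this thread or from FreeIPA. It drives `dig +short` (or a constructed in-memory table, so it also runs offline) over the record names and ports in the posted zone file and reports what a client would trip over: missing answers, wrong ports, SRV targets that are not fully qualified or do not resolve, and a `_kerberos` TXT realm that is not upper-case (Kerberos realm names are case-sensitive). The names `check_discovery`, `dig_lookup` and `make_fake_lookup` are hypothetical, and the assumption about which records `ipa-client-install` consults is stated in the comment on `REQUIRED`.

```python
"""Verify the DNS records an IPA client needs for service discovery.

Added example, not code from the thread or from FreeIPA. Record names and
ports are those of the zone file in the original post.
"""
import subprocess
from typing import Callable, Dict, List, Tuple

# (owner name relative to the domain, record type, expected port or None).
# Assumption: ipa-client-install discovery finds servers via the _ldap._tcp
# SRV record and the realm via the _kerberos TXT record; the Kerberos and
# kpasswd SRV records are what the client uses once joined.
REQUIRED = [
    ("_ldap._tcp", "SRV", 389),
    ("_kerberos._tcp", "SRV", 88),
    ("_kerberos._udp", "SRV", 88),
    ("_kpasswd._tcp", "SRV", 464),
    ("_kpasswd._udp", "SRV", 464),
    ("_kerberos", "TXT", None),
]

# A resolver maps (name, rrtype) to the non-empty lines `dig +short` prints.
Lookup = Callable[[str, str], List[str]]


def dig_lookup(name: str, rrtype: str) -> List[str]:
    """Real resolver: shell out to `dig +short <rrtype> <name>`."""
    proc = subprocess.run(["dig", "+short", rrtype, name],
                          capture_output=True, text=True, check=False)
    return [ln.strip() for ln in proc.stdout.splitlines() if ln.strip()]


def make_fake_lookup(records: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Offline resolver backed by a dict of constructed `dig +short` output."""
    return lambda name, rrtype: list(records.get((name, rrtype), []))


def parse_srv(line: str) -> Tuple[int, int, int, str]:
    """Parse one `dig +short SRV` line: 'prio weight port target.'"""
    prio, weight, port, target = line.split()
    return int(prio), int(weight), int(port), target


def check_discovery(domain: str, lookup: Lookup) -> List[str]:
    """Return a list of problems; an empty list means every record checks out."""
    problems = []
    for owner, rrtype, port in REQUIRED:
        name = f"{owner}.{domain}"
        answers = lookup(name, rrtype)
        if not answers:
            problems.append(f"{name} {rrtype}: no answer")
            continue
        if rrtype == "TXT":
            realm = answers[0].strip('"')
            if realm != realm.upper():
                problems.append(f"{name} TXT: realm '{realm}' is not upper-case; "
                                "Kerberos realm names are case-sensitive")
            continue
        for line in answers:
            _prio, _weight, got_port, target = parse_srv(line)
            if got_port != port:
                problems.append(f"{name} SRV: port {got_port}, expected {port}")
            if not target.endswith("."):
                problems.append(f"{name} SRV: target '{target}' is not a fully qualified name")
            elif not lookup(target, "A") and not lookup(target, "AAAA"):
                problems.append(f"{name} SRV: target {target} has no A/AAAA record")
    return problems


# Constructed sample mirroring the posted zone, as `dig +short` would print it.
SAMPLE_OK = {
    ("_ldap._tcp.my.domain", "SRV"): ["0 100 389 freeipa01.my.domain."],
    ("_kerberos._tcp.my.domain", "SRV"): ["0 100 88 freeipa01.my.domain."],
    ("_kerberos._udp.my.domain", "SRV"): ["0 100 88 freeipa01.my.domain."],
    ("_kpasswd._tcp.my.domain", "SRV"): ["0 100 464 freeipa01.my.domain."],
    ("_kpasswd._udp.my.domain", "SRV"): ["0 100 464 freeipa01.my.domain."],
    ("_kerberos.my.domain", "TXT"): ['"MY.DOMAIN"'],
    ("freeipa01.my.domain.", "A"): ["192.0.2.10"],
}

# Same zone with two constructed defects: lower-case realm, bare SRV target.
SAMPLE_BAD = dict(SAMPLE_OK)
SAMPLE_BAD[("_kerberos.my.domain", "TXT")] = ['"my.domain"']
SAMPLE_BAD[("_ldap._tcp.my.domain", "SRV")] = ["0 100 389 freeipa01"]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 check.py example.test -> live dig queries
        for p in check_discovery(sys.argv[1], dig_lookup):
            print(p)
    else:
        print("ok zone :", check_discovery("my.domain", make_fake_lookup(SAMPLE_OK)))
        print("bad zone:", check_discovery("my.domain", make_fake_lookup(SAMPLE_BAD)))
```

Run it with the real domain as the only argument to query the resolver the client actually uses; without an argument it exercises the two constructed tables. The resolver is injected so the same checks run against captured dig output when the nameserver is not reachable from where you are debugging.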

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
