On 19.1.2015 16:54, rob.har...@stfc.ac.uk wrote: > Hi all, > > I have successfully set up a test FreeIPA server and run it for a while, but > the time has come to move towards a production service. I am currently > running ipa-server version 3.0.0-25 on Scientific Linux 6.4 (if you don't > know it, Scientific Linux is basically a rebuild of RedHat, much like > CentOS). Yes, I know this is an older FreeIPA, but I am going through the > path of least resistance given our site's current standard configuration. > > On our site there is a central DNS service and it is unlikely we will be > allowed to run our own DNS service (other than as a slave/cacheing NS). > > I have been trying to set up SRV records for the FreeIPA server by providing > the autogenerated zone file to our DNS manager, who has incorporated the > configuration. When we deployed these changes, I used dig to confirm that > SRV queries were giving appropriate responses, which they appear to be. > > I then tried setting up a client using ipa-client-install and got an error: > > Failed to verify that freeipa01.<munged.domain> is an IPA Server. > This may mean that the remote server is not up or is not reachable due to > network or firewall settings. > > The install worked on a client before deploying the SRV records, using manual > specification of the server. I disabled iptables on the server to eliminate > potential problems there, and got the same result. If we disable the SRV > records, I am able to do the manual set-up again. > > So it looks like the problem is at the DNS end of things, so maybe our zone > configuration is missing something. > > The zone config we currently have in place is as follows (we changed > hostnames in the sample file to fqdns for this attempt, but the same symptoms > came from bare hostnames)... > > ; ldap servers > _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain. > ; > ; kerberos realm > _kerberos.my.domain. IN TXT my.domain. > ; > ; kerberos servers > _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. > _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. > _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. > _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. > _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain. > _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain. > ; > ; ntp server > _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain. > > > ...So that is where I am. I was hoping that someone could give me a pointer > or two as to how I might debug this problem and actually get service > discovery working. > > Many thanks for reading this far!
Interesting. Please provide us with information listed on http://www.freeipa.org/page/Troubleshooting#Client_Installation Additionally not-obfuscated output from dig could help too. Also, please keep in mind that: 1) Log obfuscation will make debugging harder for us. 2) Obfuscating DNS names does not bring any real security. Did you read your e-mail headers? DNS domain EXCHMBX01.fed.cclrc.ac.uk is in there ... Have a nice day! -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project