On 19.1.2015 16:54, rob.har...@stfc.ac.uk wrote:
> Hi all,
> I have successfully set up a test FreeIPA server and run it for a while, but
> the time has come to move towards a production service. I am currently
> running ipa-server version 3.0.0-25 on Scientific Linux 6.4 (if you don't
> know it, Scientific Linux is basically a rebuild of RedHat, much like
> CentOS). Yes, I know this is an older FreeIPA, but I am going through the
> path of least resistance given our site's current standard configuration.
> On our site there is a central DNS service and it is unlikely we will be
> allowed to run our own DNS service (other than as a slave/caching NS).
> I have been trying to set up SRV records for the FreeIPA server by providing
> the autogenerated zone file to our DNS manager, who has incorporated the
> configuration. When we deployed these changes, I used dig to confirm that
> SRV queries were giving appropriate responses, which they appear to be.
> I then tried setting up a client using ipa-client-install and got an error:
> Failed to verify that freeipa01.<munged.domain> is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to
> network or firewall settings.
> The install worked on a client before deploying the SRV records, using manual
> specification of the server. I disabled iptables on the server to eliminate
> potential problems there, and got the same result. If we disable the SRV
> records, I am able to do the manual set-up again.
> So it looks like the problem is at the DNS end of things, so maybe our zone
> configuration is missing something.
> The zone config we currently have in place is as follows (we changed
> hostnames in the sample file to fqdns for this attempt, but the same symptoms
> came from bare hostnames)...
> ; ldap servers
> _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
> ; kerberos realm
> _kerberos.my.domain. IN TXT my.domain.
> ; kerberos servers
> _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> ; ntp server
> _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
> ...So that is where I am. I was hoping that someone could give me a pointer
> or two as to how I might debug this problem and actually get service
> discovery working.
> Many thanks for reading this far!
Interesting. Please provide us with information listed on
Additionally not-obfuscated output from dig could help too.
Also, please keep in mind that:
1) Log obfuscation will make debugging harder for us.
2) Obfuscating DNS names does not bring any real security.
Did you read your e-mail headers? DNS domain EXCHMBX01.fed.cclrc.ac.uk is in
Have a nice day!
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
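Added example, not from the thread or from FreeIPA: a small Python checker that parses SRV/TXT lines in the form quoted above and lists records a FreeIPA client's DNS discovery would fail to find, so a zone can be sanity-checked before handing it to a central DNS team. The expected service labels and ports are copied from the quoted snippet; the rule that the _kerberos TXT value should be an upper-case realm name with no trailing dot is an assumption from Kerberos convention, and the embedded zone text is a constructed copy of the thread's obfuscated records, so its findings only illustrate what the check reports.

```python
import re
# Constructed copy of the (obfuscated) records quoted in the thread.
ZONE = """\
; ldap servers
_ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
_kerberos.my.domain. IN TXT my.domain.
_kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
_kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
_ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
"""
# Service labels and ports exactly as listed in that snippet.
EXPECTED = {"_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88,
            "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
            "_kpasswd._tcp": 464, "_kpasswd._udp": 464, "_ntp._udp": 123}
RR_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+(SRV|TXT)\s+"?(.+?)"?$')

def parse_zone(text):
    """Map owner name -> list of (rrtype, rdata); comments and blank lines are skipped."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if m := RR_RE.match(line):
            owner, rrtype, rdata = m.groups()
            records.setdefault(owner, []).append((rrtype, rdata))
    return records

def check_discovery(text, domain):
    """Return findings that would stop a FreeIPA client discovering its server ([] = nothing found)."""
    records = parse_zone(text)
    zone = domain.rstrip(".") + "."
    findings = []
    for svc, port in EXPECTED.items():
        owner = f"{svc}.{zone}"
        srv = [rd.split() for typ, rd in records.get(owner, []) if typ == "SRV"]
        if not srv: findings.append(f"missing SRV {owner}")
        for _prio, _weight, p, target in srv:
            if int(p) != port:
                findings.append(f"{owner}: port {p}, expected {port}")
            if not target.endswith("."):  # relative target gets the zone origin appended
                findings.append(f"{owner}: target {target} is not fully qualified")
    txt = [rd for typ, rd in records.get(f"_kerberos.{zone}", []) if typ == "TXT"]
    if not txt: findings.append(f"missing TXT _kerberos.{zone}")
    for realm in txt:  # assumption: the value is the realm, upper-case with no trailing dot
        if realm.endswith(".") or realm != realm.upper():
            findings.append(f"_kerberos.{zone}: TXT {realm!r} does not look like a realm name")
    return findings
```

Run `check_discovery(ZONE, "my.domain")` and compare the list against what `dig` returns from the live resolver; an empty list means every record the client looks for is present with the expected port and a fully qualified target.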