On Mon, 19 Jan 2015, rob.har...@stfc.ac.uk wrote:
I have successfully set up a test FreeIPA server and run it for a while,
but the time has come to move towards a production service. I am
currently running ipa-server version 3.0.0-25 on Scientific Linux 6.4
(if you don't know it, Scientific Linux is basically a rebuild of
RedHat, much like CentOS). Yes, I know this is an older FreeIPA, but I
am going through the path of least resistance given our site's current
On our site there is a central DNS service and it is unlikely we will be
allowed to run our own DNS service (other than as a slave/cacheing NS).
I have been trying to set up SRV records for the FreeIPA server by
providing the autogenerated zone file to our DNS manager, who has
incorporated the configuration. When we deployed these changes, I used
dig to confirm that SRV queries were giving appropriate responses, which
they appear to be.
I then tried setting up a client using ipa-client-install and got an
Failed to verify that freeipa01.<munged.domain> is an IPA Server. This
may mean that the remote server is not up or is not reachable due to
network or firewall settings.
The install worked on a client before deploying the SRV records, using
manual specification of the server. I disabled iptables on the server
to eliminate potential problems there, and got the same result. If we
disable the SRV records, I am able to do the manual set-up again.
So it looks like the problem is at the DNS end of things, so maybe our
zone configuration is missing something.
The zone config we currently have in place is as follows (we changed
hostnames in the sample file to fqdns for this attempt, but the same
symptoms came from bare hostnames)...
; ldap servers
_ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
; kerberos realm
_kerberos.my.domain. IN TXT my.domain.
this looks odd to me, our central DNS TXT record zone entry looks like
_kerberos 86400 IN TXT "MY.DOMAIN"
where "MY.DOMAIN" is my Kerberos realm (usually the domain name in capital
If you do a
dig +short -t TXT _kerberos.my.domain
it should answer
; kerberos servers
_kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
_kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
; ntp server
_ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
...So that is where I am. I was hoping that someone could give me a
pointer or two as to how I might debug this problem and actually get
service discovery working.
Mit freundlichen Gruessen/With best regards,
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project