Hi, Many thanks to everyone who offered advice on this. My problem appears to be fixed.
My solution was to change the TXT record defining the Kerberos realm to ensure the realm name was in upper case, in quotes, and did not have a trailing period: _kerberos.my.domain. IN TXT "GRIDPP.RL.AC.UK" I'm not sure which of these changes was the critical one (maybe all!), but the upshot is that I can now enrol clients using service discovery. Thanks again for your help. Rob > -----Original Message----- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of rob.har...@stfc.ac.uk > Sent: 19 January 2015 15:54 > To: firstname.lastname@example.org > Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on > externally managed DNS > > Hi all, > > I have successfully set up a test FreeIPA server and run it for a while, but > the > time has come to move towards a production service. I am currently running > ipa-server version 3.0.0-25 on Scientific Linux 6.4 (if you don't know it, > Scientific Linux is basically a rebuild of RedHat, much like CentOS). Yes, I > know this is an older FreeIPA, but I am going through the path of least > resistance given our site's current standard configuration. > > On our site there is a central DNS service and it is unlikely we will be > allowed > to run our own DNS service (other than as a slave/cacheing NS). > > I have been trying to set up SRV records for the FreeIPA server by providing > the autogenerated zone file to our DNS manager, who has incorporated the > configuration. When we deployed these changes, I used dig to confirm that > SRV queries were giving appropriate responses, which they appear to be. > > I then tried setting up a client using ipa-client-install and got an error: > > Failed to verify that freeipa01.<munged.domain> is an IPA Server. > This may mean that the remote server is not up or is not reachable due to > network or firewall settings. > > The install worked on a client before deploying the SRV records, using > manual specification of the server. I disabled iptables on the server to > eliminate potential problems there, and got the same result. If we disable > the SRV records, I am able to do the manual set-up again. > > So it looks like the problem is at the DNS end of things, so maybe our zone > configuration is missing something. > > The zone config we currently have in place is as follows (we changed > hostnames in the sample file to fqdns for this attempt, but the same > symptoms came from bare hostnames)... > > ; ldap servers > _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain. > ; > ; kerberos realm > _kerberos.my.domain. IN TXT my.domain. > ; > ; kerberos servers > _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. > _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. > _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. > _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. > _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain. > _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain. > ; > ; ntp server > _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain. > > > ...So that is where I am. I was hoping that someone could give me a pointer > or two as to how I might debug this problem and actually get service > discovery working. > > Many thanks for reading this far! > > Rob > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project