Ah, thanks! I see what's going on now. That helps a lot. I think what I was missing was the reluctance for IPA to serve domains that are not proper TLDs. I generally maintain internal security domains with an invented TLD since they are secure by definition. When I tried that today, it was unable to auto discover on this domain and I attributed it to the lack of SRV records.
Thanks for setting me straight!

Brian

> On May 4, 2015, at 3:43 PM, Petr Spacek <pspa...@redhat.com> wrote:
>
> On 4.5.2015 10:23, Brian Topping wrote:
>> On second view, I think my brain misfiled this. Maybe the records were
>> not set up automatically; another DNS domain I thought had the records in
>> fact does not.
>>
>> As a feature request, it seems like if a domain is added to "Domain
>> Realms", it should also get the appropriate records for client
>> autodiscovery.
>
> It is actually not necessary to create all the SRV records in all domains.
>
> Client auto-discovery is using the TXT record which is added automatically,
> and the _kerberos TXT record is like a 'redirect'.
>
> The procedure is:
> - client client1.sub.example.com. searches for record _kerberos.sub.example.com TXT
> - _kerberos.sub.example.com TXT contains realm name "EXAMPLE.COM"
> - now the client knows that all the SRV records are inside the example.com. domain
> - SRV records from example.com. are used from now on
>
> AFAIK this is very standard Kerberos behavior so it should work for all
> standard-compliant clients.
>
> Petr^2 Spacek
>
>> Cheers, Brian
>>
>>> On May 4, 2015, at 3:03 PM, Brian Topping <brian.topp...@gmail.com> wrote:
>>>
>>> I just added a new domain and didn't see the SRV records added for it.
>>> There is a TXT record, but none of the SRV records that are in other
>>> DNS domains.
>>>
>>> After going to the "Realm Domains" tab of the "IPA Server"
>>> configuration, I see that the new domain was already added there, so I
>>> removed it and added it back, hoping that might cause the SRV records
>>> to be added, but no luck.
>>>
>>> Any ideas what I should check for?
>>>
>>> Thanks, Brian
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
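The realm discovery procedure Petr Spacek describes in the quoted message, as an added example that is not part of the thread: the client walks up its own DNS domain looking for a _kerberos TXT record, takes the realm name it finds, and only then looks for SRV records under the realm's DNS domain. The zone data and the lookup() stand-in for a real resolver are constructed for the example; a domain with no _kerberos TXT record (the situation in the original question) yields no realm.

```python
# Added example: Kerberos realm auto-discovery via _kerberos TXT "redirect".
# ZONE is constructed sample data; lookup() stands in for a DNS resolver.
ZONE = {
    ("_kerberos.sub.example.com.", "TXT"): ["EXAMPLE.COM"],
    ("_kerberos.example.com.", "TXT"): ["EXAMPLE.COM"],
    # SRV records exist only under the realm's DNS domain, not under sub.
    ("_kerberos._udp.example.com.", "SRV"): [(0, 100, 88, "ipa.example.com.")],
    ("_kerberos._tcp.example.com.", "SRV"): [(0, 100, 88, "ipa.example.com.")],
    ("_kpasswd._udp.example.com.", "SRV"): [(0, 100, 464, "ipa.example.com.")],
}


def lookup(name, rtype, zone=ZONE):
    """Minimal resolver stand-in; returns [] for NXDOMAIN or NODATA."""
    return zone.get((name.rstrip(".").lower() + ".", rtype), [])


def discover_realm(hostname, zone=ZONE):
    """Walk from the host's own DNS domain toward the root until a
    _kerberos TXT record answers; its content is the realm name."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        txt = lookup("_kerberos." + domain, "TXT", zone)
        if txt:
            return txt[0]
    return None  # no TXT record anywhere above the host: discovery fails


def kdc_srv_records(realm, zone=ZONE):
    """Fetch the KDC and kpasswd SRV records under the realm's DNS domain
    (EXAMPLE.COM -> example.com), which is where they actually live."""
    base = realm.lower()
    return {svc: lookup(f"{svc}.{base}", "SRV", zone)
            for svc in ("_kerberos._udp", "_kerberos._tcp", "_kpasswd._udp")}


if __name__ == "__main__":
    for host in ("client1.sub.example.com", "host.internal.lan"):
        realm = discover_realm(host)
        print(f"{host}: realm={realm}")
        if realm:
            for svc, rrs in kdc_srv_records(realm).items():
                print(f"  {svc}.{realm.lower()} -> {rrs}")
```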