On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
> Hello!
>
> I've tried to set up my IPA server to work in a multiple-domain environment.
> For example, I have 20 instances/servers using mydomain.co.id, then I have
> another 10 instances/servers using mydomain.com, and I want to manage both of
> them on the same IPA server.

This is fine. If the alternate domain contains the "_kerberos.domain.com" DNS TXT record with the realm, Kerberos clients should be able to find the right IPA server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA versions add this record to owned DNS zones automatically.

> On the instance with mydomain.com, I've set up and pointed my DNS to the IPA
> server. The DNS discovery failed, but when I entered the IPA server
> address manually, the setup was successful.

If autodiscovery with hosts in your alternate domain does not work, you can also use just

# ipa-client-install --domain main.ipa.domain.com

and it should find the IPA server.

>
> ---
> [root@joyoboyo ~]# getent passwd dewangga
> dewangga:*:940000001:940000001:Dewangga Alam:/home/dewangga:/bin/bash
> [root@joyoboyo ~]# uname -a
> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> ---
>
> Is it normal? Or is there another configuration in krb5.conf? I found
> something interesting in the [domain_realm] section, but before I change
> it, I'd better ask the mailing list.

What I see above looks normal to me. [domain_realm] manual mapping can be used if you have DNS autodiscovery disabled or you miss the DNS TXT record for Kerberos, IIRC.

>
> Thanks for any help and comments, this is my first time configuring an IPA
> server :D

Good, I hope you like it :-)
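
An added example, not part of the original thread: a simplified Python model of the two realm-mapping sources the reply mentions, an explicit [domain_realm] entry and the _kerberos TXT record, showing which one answers for a host in the alternate domain. The realm name MYDOMAIN.CO.ID, the krb5.conf contents and the TXT data are constructed assumptions; a real client performs the DNS query itself and has further fallbacks not modelled here.

```python
# Constructed sample data; the realm name MYDOMAIN.CO.ID is an assumption.
KRB5_CONF = """\
[libdefaults]
 default_realm = MYDOMAIN.CO.ID
 dns_lookup_realm = true

[domain_realm]
 .mydomain.co.id = MYDOMAIN.CO.ID
 mydomain.co.id = MYDOMAIN.CO.ID
"""
TXT_RECORDS = {"_kerberos.mydomain.com": "MYDOMAIN.CO.ID"}  # constructed zone data
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}


def parse_section(conf, name):
    """Return the key = value pairs of one krb5.conf section as a dict."""
    pairs, current = {}, None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == name and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            pairs[key] = value
    return pairs


def candidates(host):
    """Yield the host, then each parent domain with and without a leading dot."""
    yield host
    while "." in host:
        host = host.split(".", 1)[1]
        yield "." + host
        yield host


def resolve_realm(host, conf=KRB5_CONF, txt=TXT_RECORDS):
    """Return (realm, source) for a lower-case host name, or (None, 'unmapped')."""
    mapping = parse_section(conf, "domain_realm")
    for name in candidates(host):  # explicit mapping is consulted first
        if name in mapping:
            return mapping[name], "domain_realm"
    libdefaults = parse_section(conf, "libdefaults")
    if libdefaults.get("dns_lookup_realm", "false").lower() in TRUE_VALUES:
        for name in candidates(host):  # then TXT records, walking up the name
            if not name.startswith(".") and "_kerberos." + name in txt:
                return txt["_kerberos." + name], "dns_txt"
    return None, "unmapped"
```

With the constructed data, joyoboyo.mydomain.com resolves through the TXT record; with DNS lookup disabled and no [domain_realm] entry for .mydomain.com it stays unmapped, which is the case where the manual mapping is needed.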
