Hello!

On 05/20/2015 05:30 PM, Martin Kosek wrote:
> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I've tried to set up my IPA server to work in a multiple-domain environment. For
>> example, I have 20 instances/servers using mydomain.co.id, and then I have
>> another 10 instances/servers using mydomain.com; I want to manage both of
>> them on the same IPA server.
>
> This is fine. If the alternate domain contains the "_kerberos.domain.com" DNS
> TXT record with the realm, Kerberos clients should be able to find the right IPA
> server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA
> versions add this record to owned DNS zones automatically.

The TXT record looks like this:

$ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
.. some content skipped ..
$ORIGIN mydomain.com.
_kerberos TXT "MYDOMAIN.CO.ID"
joyoboyo A 103.xx.yy.98
liquid A 103.xx.yy.100

Should I change it? Or leave it as is?

>> On instances with mydomain.com, I've set up and pointed my DNS to the IPA
>> server; DNS discovery failed, but if I entered the IPA server
>> address manually, the setup was successful.
>
> If autodiscovery with hosts in your alternate domain does not work, you can
> also use just
>
> # ipa-client-install --domain main.ipa.domain.com
>
> and it should find the IPA server.
>
>> ---
>> [root@joyoboyo ~]# getent passwd dewangga
>> dewangga:*:940000001:940000001:Dewangga Alam:/home/dewangga:/bin/bash
>> [root@joyoboyo ~]# uname -a
>> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15
>> 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>> ---
>>
>> Is this normal? Or is there another configuration in krb5.conf? I found
>> something interesting in the [domain_realm] section, but before I change
>> it, I'd better ask the mailing list.
>
> What I see above looks normal to me. [domain_realm] manual mapping can be used
> if you have DNS autodiscovery disabled or you are missing the DNS TXT record for
> Kerberos, IIRC.
>
>> Thanks for any help and comments, this is my first time configuring an IPA
>> server :D
>
> Good, I hope you like it :-)

And what if I set up a replica IPA server, will mydomain.com be distributed to the other replicated IPA server?

Thanks

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
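As an added example (not code from the thread or from FreeIPA), a small Python check for the discovery record Martin describes: it reads a zone dump in the form quoted above (the zone text here is constructed, with placeholder addresses), reports which $ORIGIN zones carry a _kerberos TXT record naming the expected realm, and produces the krb5.conf [domain_realm] fallback lines for any zone that does not.

```python
"""Check which DNS zones advertise a Kerberos realm via the _kerberos TXT
record that FreeIPA client discovery relies on, and emit krb5.conf
[domain_realm] lines for any zone that lacks it.
The zone text below is constructed for this example; it mimics the
dyndb-ldap "raw" dump quoted in the thread, with placeholder addresses."""
import re

ZONE_TEXT = """\
$ORIGIN mydomain.co.id.
_kerberos TXT "MYDOMAIN.CO.ID"
ipa A 192.0.2.10
$ORIGIN mydomain.com.
_kerberos TXT "MYDOMAIN.CO.ID"
joyoboyo A 192.0.2.98
$ORIGIN other.example.
liquid A 192.0.2.100
"""

# Accept "_kerberos TXT ..." with or without the optional IN class.
TXT_RE = re.compile(r'^_kerberos\s+(?:IN\s+)?TXT\s+"([^"]+)"', re.IGNORECASE)


def kerberos_txt_by_zone(zone_text):
    """Map each $ORIGIN zone (trailing dot removed) to the realm named by its
    _kerberos TXT record, or None when the zone has no such record."""
    zones, origin = {}, None
    for line in zone_text.splitlines():
        line = line.strip()
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            zones.setdefault(origin, None)
            continue
        match = TXT_RE.match(line)
        if match and origin is not None:
            zones[origin] = match.group(1)
    return zones


def domain_realm_fallback(zone_text, realm):
    """Return krb5.conf [domain_realm] lines for zones whose _kerberos TXT
    record is missing or names a different realm, so hosts in those zones
    still map to the realm when DNS discovery cannot help them."""
    lines = []
    for zone, found in sorted(kerberos_txt_by_zone(zone_text).items()):
        if found != realm:
            lines.append(f".{zone} = {realm}")
            lines.append(f"{zone} = {realm}")
    return lines
```

Run the check against the real `raw` dump of each zone the IPA server owns; an empty fallback list means every zone already advertises the realm and client discovery should not need manual [domain_realm] entries.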
