On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote:
> Hello!
>
> On 05/20/2015 05:30 PM, Martin Kosek wrote:
>> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> I've tried to set up my IPA server to work in a multiple-domain environment. For
>>> example, I have 20 instances/servers using mydomain.co.id, then I have
>>> another 10 instances/servers using mydomain.com, and I want to manage both of
>>> them on the same IPA server.
>>
>> This is fine. If the alternate domain contains the "_kerberos.domain.com" DNS
>> TXT record with the realm, the Kerberos client should be able to find the right IPA
>> server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA
>> versions add this record to owned DNS zones automatically.
>
> The TXT record looks like this:
>
> $ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
>
> .. some content skipped ..
>
> $ORIGIN mydomain.com.
> _kerberos TXT "MYDOMAIN.CO.ID"
> joyoboyo A 103.xx.yy.98
> liquid A 103.xx.yy.100
>
> Should I change it? Or leave it as is?

If this is the alternate DNS domain (REALM != DNS domain name), this should be fine and the Kerberos client should be able to tell which KDC/realm is responsible for this domain.

>>> On instances with mydomain.com, I've set up and pointed my DNS to the IPA
>>> server; DNS discovery failed, but if I entered the IPA server
>>> address manually, the setup was successful.
>>
>> If autodiscovery with hosts in your alternate domain does not work, you can
>> also use just
>>
>> # ipa-client-install --domain main.ipa.domain.com
>>
>> and it should find the IPA server.
>>
>>> ---
>>> [root@joyoboyo ~]# getent passwd dewangga
>>> dewangga:*:940000001:940000001:Dewangga Alam:/home/dewangga:/bin/bash
>>> [root@joyoboyo ~]# uname -a
>>> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>> ---
>>>
>>> Is it normal? Or is there another configuration in krb5.conf? I found
>>> something interesting in the [domain_realm] section, but before I change
>>> them, I'd better ask the mailing list.
>>
>> What I see above looks normal to me. [domain_realm] manual mapping can be used
>> if you have DNS autodiscovery disabled or you miss the DNS TXT record for
>> Kerberos, IIRC.
>>
>>> Thanks for any help and comments, this is my first time configuring an IPA
>>> server :D
>>
>> Good, I hope you like it :-)
>>
>
> And what if I set up a replica IPA server, will mydomain.com be
> distributed to the other replicated IPA server?

Yup, all IPA data are replicated between masters.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
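As an added illustration of the two points Martin makes in the thread (the `_kerberos` TXT record that DNS discovery relies on, and the `[domain_realm]` mapping that is the manual fallback), the following script is not from the thread or the FreeIPA project; it parses a constructed BIND-style zone dump modelled on the one quoted above (hostnames and 192.0.2.x addresses are made up), reports which domains lack a `_kerberos` TXT record naming the expected realm, and emits the matching `[domain_realm]` stanza.

```python
"""Audit _kerberos TXT records in a zone dump and build the krb5.conf fallback."""
import re

# Constructed sample modelled on the zone dump in the thread (not real data).
ZONE_DUMP = """\
$ORIGIN mydomain.co.id.
_kerberos TXT "MYDOMAIN.CO.ID"
ipa A 192.0.2.10

$ORIGIN mydomain.com.
_kerberos TXT "MYDOMAIN.CO.ID"
joyoboyo A 192.0.2.98
liquid A 192.0.2.100

$ORIGIN example.net.
www A 192.0.2.50
"""


def kerberos_realms(zone_text):
    """Return {domain: realm} for every _kerberos TXT record, tracking $ORIGIN."""
    origin = None
    realms = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        m = re.match(r'^_kerberos(?:\.\S+)?\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"([^"]+)"',
                     line, re.I)
        if m and origin:
            realms[origin] = m.group(1)
    return realms


def domain_realm_stanza(domains, realm):
    """krb5.conf [domain_realm] section: the domain and its subdomains map to REALM."""
    lines = ["[domain_realm]"]
    for d in sorted(domains):
        lines.append(f"  .{d} = {realm}")
        lines.append(f"  {d} = {realm}")
    return "\n".join(lines)


def missing_records(zone_text, domains, realm):
    """Domains without a _kerberos TXT record naming REALM (DNS discovery fails there)."""
    found = kerberos_realms(zone_text)
    return sorted(d for d in domains if found.get(d) != realm)
```

Hosts in a domain listed by `missing_records` need either the TXT record added to the zone or the `[domain_realm]` stanza in their krb5.conf.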
