Thanks Martin, better I leave the configuration as is :D

So, if I want to add another domain, I just add it and point them to the master IPA server, right? And add the DNS zone, A records, etc. on the IPA server using `ipa dnsrecord-add`. Isn't it?

On 05/20/2015 05:42 PM, Martin Kosek wrote:
> On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> On 05/20/2015 05:30 PM, Martin Kosek wrote:
>>> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> I've tried to set up my IPA server to work in a multiple-domain environment. For example, I have 20 instances/servers using mydomain.co.id and another 10 instances/servers using mydomain.com, and I want to manage both of them on the same IPA server.
>>>
>>> This is fine. If the alternate domain contains the "_kerberos.domain.com" DNS TXT record with the realm, the Kerberos client should be able to find the right IPA server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA versions add this record to owned DNS zones automatically.
>>
>> The TXT record looks like this:
>>
>> $ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
>>
>> .. some content skipped ..
>>
>> $ORIGIN mydomain.com.
>> _kerberos TXT "MYDOMAIN.CO.ID"
>> joyoboyo A 103.xx.yy.98
>> liquid A 103.xx.yy.100
>>
>> Should I change it? Or leave it as is?
>
> If this is the alternate DNS domain (REALM != DNS domain name), this should be fine and the Kerberos client should be able to tell which KDC/realm is responsible for this domain.
>
>>>> On an instance with mydomain.com, I've set up and pointed my DNS to the IPA server; the DNS discovery failed, but if I entered the IPA server address manually, the setup succeeded.
>>>
>>> If autodiscovery with hosts in your alternate domain does not work, you can also use just
>>>
>>> # ipa-client-install --domain main.ipa.domain.com
>>>
>>> and it should find the IPA server.
>>>
>>>>
>>>> ---
>>>> [root@joyoboyo ~]# getent passwd dewangga
>>>> dewangga:*:940000001:940000001:Dewangga Alam:/home/dewangga:/bin/bash
>>>> [root@joyoboyo ~]# uname -a
>>>> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>> ---
>>>>
>>>> Is it normal? Or is there another configuration in krb5.conf? I found something interesting in the [domain_realm] section, but before I change it, I'd better ask the mailing list.
>>>
>>> What I see above looks normal to me. [domain_realm] manual mapping can be used if you have DNS autodiscovery disabled or you miss the DNS TXT record for Kerberos, IIRC.
>>>
>>>>
>>>> Thanks for any help and comments, this is my first time configuring an IPA server :D
>>>
>>> Good, I hope you like it :-)
>>>
>>
>> And what if I set up a replica IPA server, will mydomain.com be distributed to the other replicated IPA server?
>
> Yup, all IPA data are replicated between masters.
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
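The thread turns on one client-side decision: how a Kerberos client maps a host in the alternate DNS domain (mydomain.com) to the realm (MYDOMAIN.CO.ID), either from the `_kerberos` TXT record Martin describes or from a manual `[domain_realm]` entry in krb5.conf. The following is an added example, not code from the list thread or from the FreeIPA project. It simulates that lookup in the MIT krb5 order (profile `[domain_realm]` first, DNS TXT walk second) over constructed zone data and a constructed krb5.conf fragment; the host names and records are illustrative stand-ins for the ones in the thread, not real DNS queries.

```python
# Added example, not code from the list thread or the FreeIPA project: a small
# simulation of how a Kerberos client (MIT krb5 style) decides which realm owns
# a host, which is the decision behind the "DNS discovery failed" symptom above.
# The zone data and krb5.conf text are constructed for illustration.
import re

# Constructed stand-in for DNS: owner name -> TXT strings. It mirrors the
# record shown in the thread: the alternate DNS domain mydomain.com carries a
# _kerberos TXT record naming the realm MYDOMAIN.CO.ID.
TXT_RECORDS = {
    "_kerberos.mydomain.co.id.": ["MYDOMAIN.CO.ID"],
    "_kerberos.mydomain.com.": ["MYDOMAIN.CO.ID"],
}

# Constructed krb5.conf fragment with only the primary domain mapped.
KRB5_CONF = """\
[libdefaults]
  default_realm = MYDOMAIN.CO.ID
  dns_lookup_realm = true

[domain_realm]
  .mydomain.co.id = MYDOMAIN.CO.ID
  mydomain.co.id = MYDOMAIN.CO.ID
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section of a krb5.conf-style text as a dict
    (keys lower-cased). Only that one section is parsed; enough for the demo."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def realm_from_domain_realm(hostname, mapping):
    """Exact host entry first, then the most specific '.suffix' entry,
    which is how [domain_realm] entries are matched."""
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def realm_from_dns(hostname, txt_records):
    """DNS discovery: query _kerberos.<name> TXT for the full host name and
    then each parent domain in turn, returning the first realm found."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = "_kerberos." + ".".join(labels[i:]) + "."
        txt = txt_records.get(owner)
        if txt:
            return txt[0]
    return None


def resolve_realm(hostname, txt_records=TXT_RECORDS, conf_text=KRB5_CONF):
    """Client order: explicit [domain_realm] mapping wins, then DNS TXT
    discovery; None means the client cannot tell which KDC to talk to."""
    realm = realm_from_domain_realm(hostname, parse_domain_realm(conf_text))
    if realm is None:
        realm = realm_from_dns(hostname, txt_records)
    return realm


def check_hosts(hostnames, txt_records=TXT_RECORDS, conf_text=KRB5_CONF):
    """Diagnostic: map each host to its realm (or None) so a domain whose
    _kerberos TXT record is missing shows up as an unresolved host."""
    return {h: resolve_realm(h, txt_records, conf_text) for h in hostnames}


if __name__ == "__main__":
    hosts = ["joyoboyo.mydomain.com", "web01.mydomain.co.id"]
    print("with TXT records:   ", check_hosts(hosts))
    print("without TXT records:", check_hosts(hosts, txt_records={}))
```

Running it shows the two ways out of the situation in the thread: with the `_kerberos` TXT record present, a mydomain.com host resolves to MYDOMAIN.CO.ID through DNS alone; with the record absent, the host only resolves once a `.mydomain.com = MYDOMAIN.CO.ID` line is added under `[domain_realm]`, which is the manual mapping Martin mentions. On a live system the equivalent check is `dig +short TXT _kerberos.mydomain.com` against the IPA DNS server, and the record is added with `ipa dnsrecord-add mydomain.com _kerberos --txt-rec=MYDOMAIN.CO.ID` if a zone was created without it.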