On 20.5.2015 12:56, Dewangga Bachrul Alam wrote:
> Thanks Martin,
>
> Better I leave the configuration as is :D
>
> So, if I want to add another domain, I just add and point them to the master
> IPA Server, right? And add the DNS zone, A records, etc. on the IPA server by
> using `ipa dnsrecord-add`.
>
> Isn't it?

Yes, + you have to add an NS record *to the parent zone* so all clients know
which servers are responsible for the new domain.

Petr^2 Spacek

>
> On 05/20/2015 05:42 PM, Martin Kosek wrote:
>> On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> On 05/20/2015 05:30 PM, Martin Kosek wrote:
>>>> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>>>>> Hello!
>>>>>
>>>>> I've tried to set up my IPA server to work in a multiple-domain env. For
>>>>> example, I have 20 instances/servers using mydomain.co.id, then I have
>>>>> another 10 instances/servers using mydomain.com, and I want to manage
>>>>> both of them on the same IPA server.
>>>>
>>>> This is fine. If the alternate domain contains the "_kerberos.domain.com"
>>>> DNS TXT record with the realm, the Kerberos client should be able to find
>>>> the right IPA server/KDC to talk to (if they have DNS discovery enabled).
>>>> Recent FreeIPA versions add this record to owned DNS zones automatically.
>>>
>>> The TXT record looks like this:
>>>
>>> $ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
>>>
>>> .. some content skipped ..
>>>
>>> $ORIGIN mydomain.com.
>>> _kerberos TXT "MYDOMAIN.CO.ID"
>>> joyoboyo A 103.xx.yy.98
>>> liquid A 103.xx.yy.100
>>>
>>> Should I change it? Or leave it as is?
>>
>> If this is the alternate DNS domain (REALM != DNS domain name), this should
>> be fine and the Kerberos client should be able to tell which KDC/realm is
>> responsible for this domain.
>>
>>>>> On an instance with mydomain.com, I've set up and pointed my DNS to the
>>>>> IPA Server; the DNS discovery failed, but if I entered the IPA server
>>>>> address manually, the setup was successful.
>>>>
>>>> If autodiscovery with hosts in your alternate domain does not work, you
>>>> can also use just
>>>>
>>>> # ipa-client-install --domain main.ipa.domain.com
>>>>
>>>> and it should find the IPA server.
>>>>
>>>>>
>>>>> ---
>>>>> [root@joyoboyo ~]# getent passwd dewangga
>>>>> dewangga:*:940000001:940000001:Dewangga Alam:/home/dewangga:/bin/bash
>>>>> [root@joyoboyo ~]# uname -a
>>>>> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15
>>>>> 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>> ---
>>>>>
>>>>> Is it normal? Or is there another configuration in krb5.conf? I found
>>>>> something interesting in the [domain_realm] section, but before I change
>>>>> it, better I ask the mailing list.
>>>>
>>>> What I see above looks normal to me. [domain_realm] manual mapping can be
>>>> used if you have DNS autodiscovery disabled or you miss the DNS TXT record
>>>> for Kerberos, IIRC.
>>>>
>>>>>
>>>>> Thanks for any help and comments, this is my first time configuring an
>>>>> IPA Server :D
>>>>
>>>> Good, I hope you like it :-)
>>>>
>>>
>>> And what if I set up a replica IPA server, will mydomain.com be
>>> distributed to the other replicated IPA server?
>>
>> Yup, all IPA data are replicated between masters.
>>
>

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
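The discovery chain the thread relies on, modelled in Python as an added example (not code from the thread or from FreeIPA): the `_kerberos.<domain>` TXT record maps hosts in mydomain.com to the realm MYDOMAIN.CO.ID, a krb5.conf `[domain_realm]` entry is the manual fallback, and the `_kerberos._udp.<realm>` SRV records then locate the KDC. The zone data is constructed, and the server name ipa1.mydomain.co.id is an assumption.

```python
# Constructed zone data. mydomain.com / MYDOMAIN.CO.ID come from the thread;
# the IPA server name "ipa1.mydomain.co.id" is an assumption.
DNS = {
    ("_kerberos.mydomain.com.", "TXT"): ["MYDOMAIN.CO.ID"],
    ("_kerberos.mydomain.co.id.", "TXT"): ["MYDOMAIN.CO.ID"],
    ("_kerberos._udp.mydomain.co.id.", "SRV"): ["0 100 88 ipa1.mydomain.co.id."],
}


def lookup(name, rrtype):
    """Query the constructed table; on a real client the equivalent check is
    e.g. `dig +short TXT _kerberos.mydomain.com`."""
    return DNS.get((name.lower().rstrip(".") + ".", rrtype), [])


def realm_for_host(hostname, domain_realm=None, dns_lookup_realm=True):
    """Order used by libkrb5: a [domain_realm] entry first (exact host, then
    parent domains written with a leading dot), then, if dns_lookup_realm is
    on, the _kerberos.<name> TXT record, stripping one label at a time.
    Returns None when nothing maps the host (discovery fails)."""
    labels = hostname.lower().rstrip(".").split(".")
    mapping = domain_realm or {}
    for i in range(len(labels)):
        key = ".".join(labels[i:]) if i == 0 else "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    if dns_lookup_realm:
        for i in range(len(labels)):
            txt = lookup("_kerberos." + ".".join(labels[i:]), "TXT")
            if txt:
                return txt[0]
    return None


def kdcs_for_realm(realm, proto="udp"):
    """Locate KDCs via _kerberos._udp.<realm> SRV records (dns_lookup_kdc).
    Returns (host, port) pairs ordered by priority, then weight descending."""
    records = []
    for rr in lookup(f"_kerberos._{proto}.{realm}", "SRV"):
        prio, weight, port, target = rr.split()
        records.append((int(prio), -int(weight), target.rstrip("."), int(port)))
    return [(host, port) for _, _, host, port in sorted(records)]


def discover(hostname, **kw):
    """Realm and KDC list for a host, or (None, []) when discovery fails,
    which is the case where ipa-client-install has to be told the server."""
    realm = realm_for_host(hostname, **kw)
    return realm, (kdcs_for_realm(realm) if realm else [])
```

Removing the `_kerberos.mydomain.com` TXT entry from `DNS` reproduces the failed autodiscovery from the thread, and the `domain_realm` argument shows the manual mapping that covers that case.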
