Yes, of course. I will add the NS record to the parent zone if my IPA server is ready for production. :D

Thanks for any comments and help. Cheers! :)

On 05/20/2015 06:02 PM, Petr Spacek wrote:
> On 20.5.2015 12:56, Dewangga Bachrul Alam wrote:
>> Thanks Martin,
>>
>> Better I leave the configuration as is :D
>>
>> So, if I want to add another domain, I just add and point them to the master
>> IPA server, right? And add the DNS zone, A record, etc. on the IPA server by using
>> `ipa dnsrecord-add`.
>>
>> Isn't it?
>
> Yes, + you have to add NS record *to the parent zone* so all clients know
> which servers are responsible for the new domain.
>
> Petr^2 Spacek
>
>>
>> On 05/20/2015 05:42 PM, Martin Kosek wrote:
>>> On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> On 05/20/2015 05:30 PM, Martin Kosek wrote:
>>>>> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>>>>>> Hello!
>>>>>>
>>>>>> I've tried to set up my IPA server to work in a multiple-domain env. For
>>>>>> example, I have 20 instances/servers using mydomain.co.id, then I have
>>>>>> another 10 instances/servers using mydomain.com, and I want to manage both of
>>>>>> them on the same IPA server.
>>>>>
>>>>> This is fine. If the alternate domain contains the "_kerberos.domain.com" DNS
>>>>> TXT record with the realm, the Kerberos client should be able to find the
>>>>> right IPA server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA
>>>>> versions add this record to owned DNS zones automatically.
>>>>
>>>> The TXT record looks like this:
>>>>
>>>> $ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
>>>>
>>>> .. some content skipped ..
>>>>
>>>> $ORIGIN mydomain.com.
>>>> _kerberos TXT "MYDOMAIN.CO.ID"
>>>> joyoboyo A 103.xx.yy.98
>>>> liquid A 103.xx.yy.100
>>>>
>>>> Should I change it? Or leave it as is?
>>>
>>> If this is the alternate DNS domain (REALM != DNS domain name), this should
>>> be fine and the Kerberos client should be able to tell which KDC/realm is
>>> responsible for this domain.
>>>
>>>>>> On the instance with mydomain.com, I've set up and pointed my DNS to the IPA
>>>>>> server; the DNS discovery failed, but if I entered the IPA server
>>>>>> address manually, the setup was successful.
>>>>>
>>>>> If autodiscovery with hosts in your alternate domain does not work, you can
>>>>> also use just
>>>>>
>>>>> # ipa-client-install --domain main.ipa.domain.com
>>>>>
>>>>> and it should find the IPA server.
>>>>>
>>>>>>
>>>>>> ---
>>>>>> [root@joyoboyo ~]# getent passwd dewangga
>>>>>> dewangga:*:940000001:940000001:Dewangga Alam:/home/dewangga:/bin/bash
>>>>>> [root@joyoboyo ~]# uname -a
>>>>>> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15
>>>>>> 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>>> ---
>>>>>>
>>>>>> Is it normal? Or is there another configuration in krb5.conf? I found
>>>>>> something interesting in the [domain_realm] section, but before I change
>>>>>> them, better I ask the mailing list.
>>>>>
>>>>> What I see above looks normal to me. [domain_realm] manual mapping can be used
>>>>> if you have DNS autodiscovery disabled or you miss the DNS TXT record for
>>>>> Kerberos, IIRC.
>>>>>
>>>>>>
>>>>>> Thanks for any help and comments, this is my first time configuring an IPA
>>>>>> server :D
>>>>>
>>>>> Good, I hope you like it :-)
>>>>>
>>>>
>>>> And what if I set up a replica IPA server, will mydomain.com be
>>>> distributed to the other replicated IPA server?
>>>
>>> Yup, all IPA data are replicated between masters.
>>>
>>
>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
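An offline sanity check of the three DNS pieces this thread touches for an alternate domain (the `_kerberos` TXT realm hint in the alternate zone, the NS delegation in its parent zone, and the KDC SRV record under the realm's own domain), added here as an example that is not code from the thread or from FreeIPA. The zone text is constructed in the shape of the raw dump quoted above; `parse_zone`, `discovery_check`, the server names and the 192.0.2.x addresses are all assumptions of this example.

```python
# Added example (not FreeIPA code): checks the DNS records a Kerberos client in
# an alternate domain (REALM != DNS domain) needs for autodiscovery.
RTYPES = {"A", "AAAA", "NS", "TXT", "SRV"}

def parse_zone(text):
    """Parse a BIND-style dump into (owner, type, rdata); TTL/class are skipped,
    lines without a recognised type (SOA, shell prompts, notes) are ignored."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()            # drop zone-file comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        tok = line.split()
        idx = next((i for i, t in enumerate(tok[1:], 1) if t.upper() in RTYPES), None)
        if idx is None:
            continue
        owner = tok[0].lower()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):               # relative name -> FQDN
            owner = f"{owner}.{origin}"
        records.append((owner, tok[idx].upper(), " ".join(tok[idx + 1:])))
    return records

def discovery_check(zone_text, alt_domain):
    """Return the realm a client in alt_domain would discover plus missing records."""
    recs = parse_zone(zone_text)
    alt = alt_domain.lower().rstrip(".") + "."
    find = lambda owner, rtype: [r for o, t, r in recs if o == owner and t == rtype]
    missing = []
    txt = find(f"_kerberos.{alt}", "TXT")           # realm hint for the alternate domain
    realm = txt[0].strip('"') if txt else None
    if not realm:
        missing.append(f"_kerberos.{alt} TXT (realm hint)")
    if not find(alt, "NS"):                         # delegation from the parent zone
        missing.append(f"{alt} NS (delegation in parent zone)")
    if realm and not find(f"_kerberos._udp.{realm.lower()}.", "SRV"):
        missing.append(f"_kerberos._udp.{realm.lower()}. SRV (KDC location)")
    return {"realm": realm, "missing": missing}

# Constructed dump: realm zone, alternate zone, then the alternate zone's parent.
ZONE = """\
$ORIGIN mydomain.co.id.
_kerberos._udp SRV 0 100 88 ipa.mydomain.co.id.
$ORIGIN mydomain.com.
_kerberos TXT "MYDOMAIN.CO.ID"
joyoboyo A 192.0.2.98
$ORIGIN com.
mydomain NS ipa.mydomain.co.id.
"""
```

Calling `discovery_check(ZONE, "mydomain.com")` reports the realm MYDOMAIN.CO.ID with nothing missing; removing the NS line reproduces the "add NS record to the parent zone" finding from the thread.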
