Hello!

On 08/11/2015 06:25 PM, Alexander Bokovoy wrote:
> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
>>> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> I'm having a problem with a hostname in a different domain than the
>>>> primary domain on the IPA server. For example, my primary domain is
>>>> mydomain.co.id, and if the server hostname uses mydomain.co.id, the
>>>> DNS discovery is successful.
>>>>
>>>> The problem comes if the client hostname uses a different domain, for
>>>> example anotherdomain.com; then the DNS discovery fails. Is there any
>>>> way to solve it? Should I enter it manually?
>>> Details of autodiscovery and suggestions how to configure are explained
>>> in the man page for ipa-client-install, section on DNS autodiscovery.
>>
>> Thanks for your hints, but I have another question after reading the man
>> pages. Is the best practice to register a client to the IPA server using
>> --domain, or adding similar DNS records?
> You still would need _kerberos TXT record for runtime Kerberos realm
> detection unless your krb5.conf would contain domain_realms entry for
> your DNS domain.
>
> Using --domain option is, of course, easy.
>
> Yes, using --domain is very easy.
>> I've tried to create new records on anotherdomain.com (e.g. the original
>> DNS record was _ldap._tcp.mydomain.co.id, and I created a new record for
>> _ldap._tcp.anotherdomain.com).
>>
>> The new DNS records on anotherdomain.com are "_ldap._tcp, _ntp._udp,
>> _kpasswd._udp, _kpasswd._tcp, _kerberos._udp, _kerberos._tcp,
>> _kerberos-master._udp, _kerberos-master._tcp".
>>
>> anotherdomain.com $ ipa-client-install
>> Discovery was successful!
>> Hostname: spectre.anotherdomain.com
>> Realm: MYDOMAIN.CO.ID
>> DNS Domain: anotherdomain.com
>> IPA Server: ipa.anotherdomain.com
>> BaseDN: dc=merahciptamedia,dc=co,dc=id
>>
>> Continue to configure the system with these values? [no]: yes
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Please check that 123 UDP port is opened.
>> User authorized to enroll computers: admin
>> Password for [email protected]:
>> Unable to download CA cert from LDAP.
>> Do you want to download the CA cert from
>> http://ipa.anotherdomain.com/ipa/config/ca.crt?
>> (this is INSECURE) [no]:
>>
>> Is it safe? Or should I just use the --domain parameter?
> I don't think 'Unable to download CA cert from LDAP' is connected to the
> problem you have but you should be able to see what was the issue in
> /var/log/ipaclient-install.log.
>
I think the client can't download the CA cert from LDAP because ca.crt was
registered on mydomain.co.id (not anotherdomain.com). Given the flexibility
and my limited knowledge, it is better to use --domain (for now) :D
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
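As an added illustration of the point Alexander makes above (this is example code written for this thread, not FreeIPA's own code), the script below checks whether a DNS domain carries the record set the thread lists for anotherdomain.com plus the _kerberos TXT record needed for runtime realm detection, and emits the krb5.conf [domain_realm] stanza that serves as the alternative when the TXT record is absent. DNS lookups go through an injectable resolve() callable so the check runs offline against a constructed zone; in real use you would pass a function backed by a DNS library (an assumption, e.g. one built on dnspython). The realm, server names and partial.example zone are constructed sample values.

```python
# Added example for this thread, not FreeIPA code: verify the DNS records
# ipa-client-install's autodiscovery looks for in a client's DNS domain.

# SRV service names the thread lists as created under anotherdomain.com.
SRV_SERVICES = (
    "_ldap._tcp", "_ntp._udp",
    "_kpasswd._udp", "_kpasswd._tcp",
    "_kerberos._udp", "_kerberos._tcp",
    "_kerberos-master._udp", "_kerberos-master._tcp",
)


def required_records(domain):
    """Owner names and types autodiscovery needs for `domain`: the SRV set
    above plus the _kerberos TXT record that carries the realm name."""
    records = [(f"{svc}.{domain}", "SRV") for svc in SRV_SERVICES]
    records.append((f"_kerberos.{domain}", "TXT"))
    return records


def check_autodiscovery(domain, resolve):
    """Return {'realm': str|None, 'missing': [...], 'servers': [...]}.

    resolve(name, rtype) must return a list of answer strings (empty list
    when the name does not exist); it is injected so this runs offline."""
    missing, servers, realm = [], [], None
    for name, rtype in required_records(domain):
        answers = resolve(name, rtype)
        if not answers:
            missing.append(f"{rtype} {name}")
            continue
        if rtype == "TXT":
            # TXT data is quoted in zone files; the realm is the bare string.
            realm = answers[0].strip('"')
        elif name.startswith("_ldap._tcp."):
            # SRV rdata layout: priority weight port target
            servers = [a.split()[3].rstrip(".") for a in answers]
    return {"realm": realm, "missing": missing, "servers": servers}


def domain_realm_stanza(domain, realm):
    """krb5.conf snippet mapping a DNS domain (and every host under it) to a
    realm, the alternative to publishing a _kerberos TXT record there."""
    return (
        "[domain_realm]\n"
        f"  .{domain} = {realm}\n"
        f"  {domain} = {realm}\n"
    )


# Constructed zone data (not real DNS answers): anotherdomain.com carries the
# full record set from the thread and names the MYDOMAIN.CO.ID realm;
# partial.example (hypothetical) only has the LDAP SRV record.
FAKE_ZONE = {
    ("_kerberos.anotherdomain.com", "TXT"): ['"MYDOMAIN.CO.ID"'],
    ("_ldap._tcp.anotherdomain.com", "SRV"): ["0 100 389 ipa.anotherdomain.com."],
    ("_ldap._tcp.partial.example", "SRV"): ["0 100 389 ipa.partial.example."],
}
for _svc in SRV_SERVICES:
    FAKE_ZONE.setdefault(
        (f"{_svc}.anotherdomain.com", "SRV"),
        ["0 100 88 ipa.anotherdomain.com."],
    )


def fake_resolve(name, rtype):
    """Stand-in for a real DNS lookup; answers only from FAKE_ZONE."""
    return list(FAKE_ZONE.get((name, rtype), []))


if __name__ == "__main__":
    for dom in ("anotherdomain.com", "partial.example"):
        result = check_autodiscovery(dom, fake_resolve)
        print(f"{dom}: realm={result['realm']} servers={result['servers']}")
        if result["missing"]:
            print("  missing:", ", ".join(result["missing"]))
        if result["realm"] is None:
            # No TXT record: the client needs this stanza (realm assumed).
            print(domain_realm_stanza(dom, "MYDOMAIN.CO.ID"))
```

Run against real DNS by replacing fake_resolve with a function that returns the rdata strings of a query; a domain that reports no missing records but still fails enrollment points the investigation elsewhere, for instance at /var/log/ipaclient-install.log as suggested above.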
