I have a FreeIPA server in domain/realm <>. We have a few hosts/clients in another domain <>. As the
number of servers is very small, we do not want to have a new FreeIPA server
for it, and I think having a common one will be easier to manage.

I have created a separate forward and reverse zone for it and am able to
register the server successfully, but somehow, while registering a client,
we noticed that the domain servers are still going into the
realm only. Further, they are not getting registered with DNS either.

Below are some of the tests I executed:


ipa-client-install --principal=admin --password=xxxxxxxxxxxxx --mkhomedir
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex:


ipa-client-install --principal=admin --password=xxxxxxxxxxxxxxxxxxx
--mkhomedir --no-ntp <>
Provide your IPA server name (ex:
Failed to verify that is an IPA Server.
This may mean that the remote server is not up or is not reachable due to
network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.

However, I can confirm all ports are reachable

# for i in 80 88 389 636 464;do nc -vz
<> $i;done
Connection to 80 port [tcp/http] succeeded!
Connection to 88 port [tcp/kerberos]
Connection to 389 port [tcp/ldap] succeeded!
Connection to 636 port [tcp/ldaps] succeeded!
Connection to 464 port [tcp/kpasswd]


ipa-client-install --principal=admin --password=xxxxxxxxxxxxxxxxxxx
--mkhomedir --no-ntp <> <>
Discovery was successful!
DNS Domain:
IPA Server:
BaseDN: dc=klikpay,dc=int

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=KLIKPAY.INT
    Issuer:      CN=Certificate Authority,O=KLIKPAY.INT
    Valid From:  Fri Aug 14 11:39:47 2015 UTC
    Valid Until: Tue Aug 14 11:39:47 2035 UTC

Enrolled in IPA realm KLIKPAY.INT
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm KLIKPAY.INT
Forwarding 'env' to server u''
Hostname (
<>) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/
Adding SSH public key from /etc/ssh/
Forwarding 'host_mod' to server u''
Could not update DNS SSHFP records.
SSSD enabled
Configuring as NIS domain
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

It would be helpful if I could get some reference on how we can do it.

Best Regards,

Yogesh Sharma
Email: <> | Web: <>
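As an added pre-enrollment check (example code, not from the original post or from the FreeIPA project): a POSIX sh script that verifies, before running ipa-client-install, that the client's own DNS domain publishes the SRV records client discovery relies on, and that the host already has forward and reverse records, the two things that failed in the runs above. The server name ipa.example.test is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeIPA.
# ipa-client-install discovers its settings from SRV records under the
# client's own DNS domain; a host in a second domain whose zone has none
# ends in "DNS discovery failed", and the later DNS update fails when the
# host has no A/PTR record. Assumes dig; IPA_SERVER is a placeholder.
IPA_SERVER="${IPA_SERVER:-ipa.example.test}"
# SRV owner names an IPA-managed zone publishes and discovery relies on.
SRV_NAMES="_ldap._tcp _kerberos._udp _kerberos._tcp _kpasswd._udp _kpasswd._tcp"

# srv_lists_server SERVER: reads "prio weight port target." lines (the
# format of dig +short SRV) on stdin; 0 if any target is SERVER.
srv_lists_server() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    while read -r _prio _weight _port target; do
        target=$(printf '%s' "$target" | tr 'A-Z' 'a-z' | sed 's/\.$//')
        [ "$target" = "$want" ] && return 0
    done
    return 1
}
# host_in_domain FQDN DOMAIN: 0 if FQDN lies inside DOMAIN.
host_in_domain() {
    case "$1" in
        *."$2") return 0 ;;
        *)      return 1 ;;
    esac
}
# reverse_name IPV4: the in-addr.arpa owner name of the PTR record.
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}
# preflight DOMAIN FQDN IPV4: live DNS checks; prints one line per check.
preflight() {
    domain=$1; fqdn=$2; ip=$3; rc=0
    for n in $SRV_NAMES; do
        if dig +short SRV "$n.$domain" | srv_lists_server "$IPA_SERVER"; then
            echo "ok   SRV $n.$domain -> $IPA_SERVER"
        else
            echo "MISS SRV $n.$domain (add it, or pass --domain/--server/--realm)"; rc=1
        fi
    done
    host_in_domain "$fqdn" "$domain" || { echo "MISS $fqdn is not under $domain"; rc=1; }
    [ -n "$(dig +short A "$fqdn")" ] || { echo "MISS A record for $fqdn"; rc=1; }
    [ -n "$(dig +short PTR "$(reverse_name "$ip")")" ] || { echo "MISS PTR for $ip"; rc=1; }
    return "$rc"
}

if [ $# -ge 3 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh second.example.test web01.second.example.test 10.1.2.3` on the client before enrolling; a non-zero exit lists exactly which record is missing.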

