List, I have a FreeIPA server in the domain/realm klikpay.int. We have a few hosts/clients in another domain, sd.int. As the number of servers is very small, we do not want to set up a new FreeIPA server for it, and I think having a common one will be easier to manage.
I have created a separate forward and reverse zone for sd.int, and I am able to register the server successfully, but somehow, while registering a client, we noticed that the sd.int domain servers are still going into the klikpay.int realm only. Further, they are not getting registered in DNS either. Below are some of the tests I executed:

Test-1:

    ipa-client-install --principal=admin --password=xxxxxxxxxxxxx --mkhomedir --no-ntp

    DNS discovery failed to determine your DNS domain
    Provide the domain name of your IPA server (ex: example.com):

Test-2:

    ipa-client-install --principal=admin --password=xxxxxxxxxxxxxxxxxxx --mkhomedir --no-ntp --domain=sd.int

    Provide your IPA server name (ex: ipa.example.com): ipa-inf-prd-sg1-01.klikpay.int
    Failed to verify that ipa-inf-prd-sg1-01.klikpay.int is an IPA Server.
    This may mean that the remote server is not up or is not reachable due to network or firewall settings.
    Please make sure the following ports are opened in the firewall settings:
    TCP: 80, 88, 389
    UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
    Also note that following ports are necessary for ipa-client working properly after enrollment:
    TCP: 464
    UDP: 464, 123 (if NTP enabled)
    Installation failed. Rolling back changes.
    IPA client is not configured on this system.

However, I can confirm all ports are reachable:

    # for i in 80 88 389 636 464;do nc -vz ipa-inf-prd-sg1-01.klikpay.int $i;done
    Connection to ipa-inf-prd-sg1-01.klikpay.int 80 port [tcp/http] succeeded!
    Connection to ipa-inf-prd-sg1-01.klikpay.int 88 port [tcp/kerberos] succeeded!
    Connection to ipa-inf-prd-sg1-01.klikpay.int 389 port [tcp/ldap] succeeded!
    Connection to ipa-inf-prd-sg1-01.klikpay.int 636 port [tcp/ldaps] succeeded!
    Connection to ipa-inf-prd-sg1-01.klikpay.int 464 port [tcp/kpasswd] succeeded!
Test-3:

    ipa-client-install --principal=admin --password=xxxxxxxxxxxxxxxxxxx --mkhomedir --no-ntp --domain=klikpay.int --nisdomain=sd.int

    Discovery was successful!
    Hostname: imsadmin-app-prd-sg1-01.sd.int
    Realm: KLIKPAY.INT
    DNS Domain: klikpay.int
    IPA Server: ipa-inf-prd-ng2-02.klikpay.int
    BaseDN: dc=klikpay,dc=int
    Continue to configure the system with these values? [no]: yes
    Synchronizing time with KDC...
    Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
    Successfully retrieved CA cert
        Subject:     CN=Certificate Authority,O=KLIKPAY.INT
        Issuer:      CN=Certificate Authority,O=KLIKPAY.INT
        Valid From:  Fri Aug 14 11:39:47 2015 UTC
        Valid Until: Tue Aug 14 11:39:47 2035 UTC
    Enrolled in IPA realm KLIKPAY.INT
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured sudoers in /etc/nsswitch.conf
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm KLIKPAY.INT
    trying https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml
    Forwarding 'env' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
    Hostname (imsadmin-app-prd-sg1-01.sd.int) not found in DNS
    Failed to update DNS records.
    Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Forwarding 'host_mod' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
    Could not update DNS SSHFP records.
    SSSD enabled
    Configuring sd.int as NIS domain
    Configured /etc/openldap/ldap.conf
    Configured /etc/ssh/ssh_config
    Configured /etc/ssh/sshd_config
    Client configuration complete.

It would be helpful if I could get some reference on how we can do this.
Best Regards,
__________________________________________
Yogesh Sharma
Email: [email protected] | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
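As an added example (not from the post or from the FreeIPA project), a small Python model of what the client's DNS discovery step looks for, under the assumption that discovery needs _ldap._tcp and _kerberos._udp SRV records in the client's own DNS domain plus a _kerberos TXT record naming the realm, and that DNS record updates need the client's A record to already exist; the zone data, the 10.0.0.5 address and the helper names are constructed for this example.

```python
# Constructed zone data: (owner name, record type) -> list of rdata strings.
# Mirrors the post: klikpay.int carries the IPA service records, sd.int does not.
ZONES = {
    ("_ldap._tcp.klikpay.int", "SRV"): ["0 100 389 ipa-inf-prd-sg1-01.klikpay.int."],
    ("_kerberos._udp.klikpay.int", "SRV"): ["0 100 88 ipa-inf-prd-sg1-01.klikpay.int."],
    ("_kerberos.klikpay.int", "TXT"): ["KLIKPAY.INT"],
    # The client host itself has no A record yet (constructed address for the server only).
    ("ipa-inf-prd-sg1-01.klikpay.int", "A"): ["10.0.0.5"],
}


def lookup(zones, name, rtype):
    """Stand-in for a DNS query against the constructed zone data."""
    return zones.get((name, rtype), [])


def discover(zones, domain):
    """Simplified model of SRV-based discovery: return server/port/realm for the
    IPA server advertised in `domain`, or None when the SRV records are absent
    (the 'DNS discovery failed' / 'Failed to verify' situation in the post)."""
    ldap = lookup(zones, f"_ldap._tcp.{domain}", "SRV")
    kdc = lookup(zones, f"_kerberos._udp.{domain}", "SRV")
    if not ldap or not kdc:
        return None
    realm = lookup(zones, f"_kerberos.{domain}", "TXT")
    # SRV rdata layout: priority weight port target
    _prio, _weight, port, target = ldap[0].split()
    return {"server": target.rstrip("."), "port": int(port), "realm": realm[0] if realm else None}


def client_in_dns(zones, hostname):
    """Check the client's forward record exists; without it the enrollment
    reports 'Hostname (...) not found in DNS' and skips the SSHFP update."""
    return bool(lookup(zones, hostname, "A"))


def records_needed(domain, server, realm):
    """Hypothetical helper: the service records a second DNS domain must carry so
    that clients in it discover an IPA server that lives in another domain."""
    return {
        (f"_ldap._tcp.{domain}", "SRV"): [f"0 100 389 {server}."],
        (f"_kerberos._udp.{domain}", "SRV"): [f"0 100 88 {server}."],
        (f"_kerberos._tcp.{domain}", "SRV"): [f"0 100 88 {server}."],
        (f"_kerberos.{domain}", "TXT"): [realm],
    }
```

Running discover() against the sd.int zone before and after merging records_needed() into it shows the difference between the post's Test-2 failure and a successful discovery that still lands in KLIKPAY.INT.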
