This is fixed. Found an issue with BIND Update Policy and got some reference from https://www.redhat.com/archives/freeipa-users/2015-May/msg00399.html. Working fine now.
grant KLIKPAY.INT krb5-self * A;
grant KLIKPAY.INT krb5-self * AAAA;
grant KLIKPAY.INT krb5-self * SSHFP;

Best Regards,
__________________________________________
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks0000 | http://in.linkedin.com/in/yks0000 | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus

On Thu, Jan 7, 2016 at 5:13 PM, Yogesh Sharma <yks0...@gmail.com> wrote:
> List,
>
> I have a FreeIPA Server in domain/realm klikpay.int. We have a few hosts/clients in another domain, sd.int. As the number of servers is very small we do not want to have a new FreeIPA server for it, and I think having a common one will be easier to manage.
>
> I have created a separate forward and reverse zone for sd.int, and I am able to register the server successfully, but somehow, while registering a client, we noticed that the sd.int domain servers are still going into the klikpay.int realm only. Further, they are not getting registered with DNS either.
>
> Below are some tests I executed:
>
> Test-1
>
> ipa-client-install --principal=admin --password=xxxxxxxxxxxxx --mkhomedir --no-ntp
> DNS discovery failed to determine your DNS domain
> Provide the domain name of your IPA server (ex: example.com):
>
> Test-2
>
> ipa-client-install --principal=admin --password=xxxxxxxxxxxxxxxxxxx --mkhomedir --no-ntp --domain=sd.int
> Provide your IPA server name (ex: ipa.example.com):
> ipa-inf-prd-sg1-01.klikpay.int
> Failed to verify that ipa-inf-prd-sg1-01.klikpay.int is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to
> network or firewall settings.
> Please make sure the following ports are opened in the firewall settings:
> TCP: 80, 88, 389
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> However, I can confirm all ports are reachable:
>
> # for i in 80 88 389 636 464;do nc -vz ipa-inf-prd-sg1-01.klikpay.int $i;done
> Connection to ipa-inf-prd-sg1-01.klikpay.int 80 port [tcp/http] succeeded!
> Connection to ipa-inf-prd-sg1-01.klikpay.int 88 port [tcp/kerberos] succeeded!
> Connection to ipa-inf-prd-sg1-01.klikpay.int 389 port [tcp/ldap] succeeded!
> Connection to ipa-inf-prd-sg1-01.klikpay.int 636 port [tcp/ldaps] succeeded!
> Connection to ipa-inf-prd-sg1-01.klikpay.int 464 port [tcp/kpasswd] succeeded!
>
> Test-3:
>
> ipa-client-install --principal=admin --password=xxxxxxxxxxxxxxxxxxx --mkhomedir --no-ntp --domain=klikpay.int --nisdomain=sd.int
> Discovery was successful!
> Hostname: imsadmin-app-prd-sg1-01.sd.int
> Realm: KLIKPAY.INT
> DNS Domain: klikpay.int
> IPA Server: ipa-inf-prd-ng2-02.klikpay.int
> BaseDN: dc=klikpay,dc=int
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=KLIKPAY.INT
> Issuer: CN=Certificate Authority,O=KLIKPAY.INT
> Valid From: Fri Aug 14 11:39:47 2015 UTC
> Valid Until: Tue Aug 14 11:39:47 2035 UTC
>
> Enrolled in IPA realm KLIKPAY.INT
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm KLIKPAY.INT
> trying https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml
> Forwarding 'env' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
> Hostname (imsadmin-app-prd-sg1-01.sd.int) not found in DNS
> Failed to update DNS records.
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configuring sd.int as NIS domain
> Configured /etc/openldap/ldap.conf
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Client configuration complete.
>
> It would be helpful if I can get some reference on how we can do it.
>
> Best Regards,
> Yogesh Sharma
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
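Why the three grant lines in the reply fix the "Failed to update DNS records" step, and what they deliberately do not allow, is easier to see by modelling them. The following is an added example, not code from the thread, from BIND or from FreeIPA: it parses an update-policy string of the shape used above and decides whether a GSS-TSIG signed update from a given Kerberos principal would be accepted. The realm (KLIKPAY.INT), zone (sd.int) and host name (imsadmin-app-prd-sg1-01.sd.int) are taken from the thread; the rule matching is a simplified model of BIND's krb5-self semantics (host/<fqdn>@REALM may only update records named <fqdn>, first matching rule wins, no match means refusal) and covers no other match type.

```python
"""Model of BIND update-policy 'krb5-self' grants for a FreeIPA-managed zone.

Added example, not BIND or FreeIPA code. Only the krb5-self match type is
modelled; names and realm are the ones from the mailing-list thread.
"""
from __future__ import annotations
from dataclasses import dataclass

# The policy from the reply above, with the zone's own host names from
# the thread used as constructed test input further down.
POLICY = ("grant KLIKPAY.INT krb5-self * A; "
          "grant KLIKPAY.INT krb5-self * AAAA; "
          "grant KLIKPAY.INT krb5-self * SSHFP;")


@dataclass(frozen=True)
class Rule:
    """One update-policy rule: ACTION IDENTITY MATCHTYPE NAME [TYPES...]."""
    action: str             # "grant" or "deny"
    identity: str           # for krb5-self this is the Kerberos realm
    matchtype: str          # only "krb5-self" is modelled below
    name: str               # "*" in the policy from the thread
    types: tuple[str, ...]  # RR types the rule covers; empty means any


def parse_update_policy(policy: str) -> list[Rule]:
    """Split a BIND update-policy string into Rule objects, in order."""
    rules: list[Rule] = []
    for stmt in policy.split(";"):
        parts = stmt.split()
        if not parts:
            continue                      # trailing ";" or blank statement
        if len(parts) < 4:
            raise ValueError(f"malformed update-policy rule: {stmt.strip()!r}")
        action, identity, matchtype, name, *types = parts
        if action not in ("grant", "deny"):
            raise ValueError(f"unknown action {action!r} in {stmt.strip()!r}")
        rules.append(Rule(action, identity, matchtype.lower(), name,
                          tuple(t.upper() for t in types)))
    return rules


def machine_of(principal: str) -> tuple[str | None, str]:
    """Return (machine FQDN or None, realm) for a Kerberos principal.

    krb5-self only matches host/<fqdn>@REALM principals, so a user
    principal such as admin@KLIKPAY.INT yields (None, "KLIKPAY.INT").
    """
    if "@" not in principal:
        raise ValueError("principal must carry a realm: " + principal)
    name, realm = principal.rsplit("@", 1)
    if not name.startswith("host/"):
        return None, realm
    return name[len("host/"):].rstrip(".").lower(), realm


def update_allowed(rules: list[Rule], zone: str, principal: str,
                   rrname: str, rrtype: str) -> bool:
    """True if a GSS-TSIG update from `principal` to rrname/rrtype in `zone`
    is accepted: first matching rule wins, no match means refusal."""
    zone = zone.rstrip(".").lower()
    rrname = rrname.rstrip(".").lower()
    if rrname != zone and not rrname.endswith("." + zone):
        return False                      # name is not inside this zone
    machine, realm = machine_of(principal)
    for rule in rules:
        if rule.matchtype != "krb5-self":
            continue                      # other match types not modelled
        if rule.identity.upper() != realm.upper():
            continue                      # grant is for a different realm
        if machine is None or machine != rrname:
            continue                      # a host may only touch its own name
        if rule.types and rrtype.upper() not in rule.types:
            continue
        return rule.action == "grant"
    return False


if __name__ == "__main__":
    rules = parse_update_policy(POLICY)
    host = "imsadmin-app-prd-sg1-01.sd.int"
    for who, rrtype in [(f"host/{host}@KLIKPAY.INT", "A"),
                        (f"host/{host}@KLIKPAY.INT", "TXT"),
                        (f"host/{host}@SD.INT", "A"),
                        ("host/other.sd.int@KLIKPAY.INT", "A")]:
        print(f"{who:50s} {rrtype:5s} -> {update_allowed(rules, 'sd.int', who, host, rrtype)}")
```

The point the model makes: the identity field must be the realm the host principals actually live in (KLIKPAY.INT, since the sd.int machines enrolled there), not the DNS domain of the zone, and krb5-self confines each host to its own name and to the listed record types, so a compromised sd.int host cannot rewrite another host's A or SSHFP records. On a real client the equivalent check is an nsupdate -g run with the host keytab, which is what ipa-client-install attempts at the "Failed to update DNS records" step.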