On 22.12.2016 17:53, Brian Candler wrote:
On 20/12/2016 08:07, Petr Spacek wrote:
I've tried to clarify things in the man pages and on the web as well. Please have a look at the changes and let us know whether it is better or not, and preferably what can be improved and in which way.

The modified deployment page is here:
http://www.freeipa.org/page/Deployment_Recommendations

Man page changes and changes in description of installer options are here:
https://github.com/freeipa/freeipa/pull/352

Thank you for working on this.

This is getting clearer, but I would like to expand a little more.

(1) This introduces a concept of an "IPA Primary Domain". Is that just the DNS domain which holds the SRV records which point to the realm's kerberos/ldap servers, or does it have any other function? In other words, what other effects would there be from choosing a different IPA Primary Domain?

It holds SRV records and A/AAAA records for the CA.

The LDAP tree is constructed from the domain (cn=accounts,dc=example,dc=com).


Let me give a specific example.

- IPA server hostname is ipa.foo.example.com
- I want to create kerberos realm BAR.EXAMPLE.COM

Which IPA primary domain should I choose?

The expected place for SRV records for realm BAR.EXAMPLE.COM would be in the DNS under domain bar.example.com. So I'm thinking that "--domain bar.example.com" is the right thing - and can't think why you'd ever want to do anything else.



Then use bar.example.com; IPA servers can have names outside the IPA domain name space.

Different people want different things; that's why the option is there.


(2) I'm trying to work out how --domain, --realm, --server and the system hostname influence each other, if one or more is not provided.

For ipa-server-install, testing suggests:

* --domain defaults to the domain part of the system hostname
* --realm defaults to the uppercased --domain
* (--server is obviously itself :-)

For ipa-client-install it seems a bit more complex. Based on the manpage, I believe the sequence is something like this:

* If --domain is not specified, then it's the domain from the system hostname
* If --server is not specified, then it hunts for servers based on the --domain (looking in that domain and its parents until suitable SRV records are found)
* If --realm is not specified, then it sends a query to the --server(s) to ask what realm they are in

But the manpage says you can specify both --server and --domain:

"Client machine can also be configured without a DNS autodiscovery at all. When both --server and --domain options are used, client installer will use the specified server and domain directly."

Server and client can be in different DNS domains, that's probably why it has separate options.

I know that it is not clear how the client determines the domain and server, but there were more important things to fix; this may be improved in the future.



In that case, I can't see what the --domain is used for here, if its only purpose is to locate servers (and you've already told it which --server to use).

Thanks,

Brian.


Martin
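The defaulting and discovery sequence Brian lists above is easy to get wrong when reading it in prose, so here is a small Python model of it. This is an added illustration written for this thread, not FreeIPA's installer code: the SRV zone and the server-to-realm table are constructed sample data, the `_ldap._tcp` / `_kerberos._udp` owner names are the standard ones IPA publishes, and the "ask the server what realm it serves" step is replaced by a dictionary lookup. The parent-domain walk implements the man page reading quoted in the thread (domain, then its parents, until SRV records are found); whether the real installer stops at the same point is an assumption.

```python
"""Model of how --domain, --server and --realm default for the IPA installers,
as described in the thread. Added example; not FreeIPA code."""
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample DNS zone: SRV records keyed by owner name.
# Each value is a list of (priority, weight, port, target) tuples.
SAMPLE_SRV: Dict[str, List[Tuple[int, int, int, str]]] = {
    "_ldap._tcp.bar.example.com": [(0, 100, 389, "ipa.foo.example.com")],
    "_kerberos._udp.bar.example.com": [(0, 100, 88, "ipa.foo.example.com")],
}

# Constructed: the realm each server reports when the client asks it.
# (The real client queries the server; here it is a table.)
SAMPLE_SERVER_REALM: Dict[str, str] = {
    "ipa.foo.example.com": "BAR.EXAMPLE.COM",
}


def domain_of(hostname: str) -> str:
    """Domain part of an FQDN: 'ipa.foo.example.com' -> 'foo.example.com'."""
    labels = hostname.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"{hostname!r} is not a fully qualified hostname")
    return ".".join(labels[1:])


def parent_domains(domain: str) -> Iterator[str]:
    """Yield the domain and each parent, stopping at the second-level name."""
    labels = domain.rstrip(".").split(".")
    while len(labels) >= 2:
        yield ".".join(labels)
        labels = labels[1:]


def lookup_srv(name: str, zone=SAMPLE_SRV) -> List[str]:
    """SRV targets for a name, lowest priority first, heavier weight first."""
    records = zone.get(name, [])
    return [t for (_p, _w, _port, t) in sorted(records, key=lambda r: (r[0], -r[1]))]


def server_install_defaults(hostname: str, domain: Optional[str] = None,
                            realm: Optional[str] = None) -> Dict[str, str]:
    """ipa-server-install: --domain defaults to the host's domain part,
    --realm to the uppercased domain, --server is the host itself."""
    domain = (domain or domain_of(hostname)).lower()
    realm = realm or domain.upper()
    return {"domain": domain, "realm": realm, "server": hostname}


def client_install_resolve(hostname: str, domain: Optional[str] = None,
                           server: Optional[str] = None, realm: Optional[str] = None,
                           zone=SAMPLE_SRV, realms=SAMPLE_SERVER_REALM) -> Dict[str, Optional[str]]:
    """ipa-client-install sequence as the thread reads the man page.
    With both --server and --domain given, no autodiscovery is attempted."""
    domain = (domain or domain_of(hostname)).lower()
    discovered_in: Optional[str] = None
    if server is None:
        # Walk the domain and its parents until an _ldap._tcp SRV record turns up.
        for candidate in parent_domains(domain):
            targets = lookup_srv(f"_ldap._tcp.{candidate}", zone)
            if targets:
                server, discovered_in = targets[0], candidate
                break
        if server is None:
            raise LookupError(f"no _ldap._tcp SRV record under {domain} or its parents")
    if realm is None:
        # Ask the chosen server which realm it serves (table lookup here).
        realm = realms.get(server)
        if realm is None:
            raise LookupError(f"{server} did not report a realm")
    return {"domain": domain, "server": server, "realm": realm,
            "autodiscovery_domain": discovered_in}


if __name__ == "__main__":
    print(server_install_defaults("ipa.foo.example.com"))
    print(server_install_defaults("ipa.foo.example.com", domain="bar.example.com"))
    print(client_install_resolve("host.sub.bar.example.com"))
    print(client_install_resolve("host.foo.example.com",
                                 domain="bar.example.com", server="ipa.foo.example.com"))
```

Running the model with the sample zone reproduces the two situations discussed: a client in `sub.bar.example.com` finds nothing there, walks up to `bar.example.com`, picks `ipa.foo.example.com` from the SRV record and learns the realm from that server, while a client in `foo.example.com` (where the server itself lives but no SRV records are published) fails discovery unless `--domain` or `--server` is given explicitly.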

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project