On 22.12.2016 17:53, Brian Candler wrote:
On 20/12/2016 08:07, Petr Spacek wrote:
I've tried to clarify things in man pages and on web as well. Please have a look at the changes and let us know if it is better or not, and preferably what can be improved and in which way.
The modified deployment page is here:
http://www.freeipa.org/page/Deployment_Recommendations
Man page changes and changes in description of installer options are
here:
https://github.com/freeipa/freeipa/pull/352
Thank you for working on this.
This is getting clearer, but I would like to expand a little more.
(1) This introduces a concept of an "IPA Primary Domain". Is that
just the DNS domain which holds the SRV records which point to the
realm's kerberos/ldap servers, or does it have any other function? In
other words, what other effects would there be from choosing a
different IP Primary Domain?
It holds SRV records and A/AAAA records for the CA.
The LDAP tree is constructed from the domain (cn=accounts,dc=example,dc=com).
Let me give a specific example.
- IPA server hostname is ipa.foo.example.com
- I want to create kerberos realm BAR.EXAMPLE.COM
Which IPA primary domain should I choose?
The expected place for SRV records for realm BAR.EXAMPLE.COM would be
in the DNS under domain bar.example.com. So I'm thinking that
"--domain bar.example.com" is the right thing - and can't think why
you'd ever want to do anything else.
Then use bar.example.com; IPA servers can have names outside the IPA domain name space.
Different people want different things; that's why the option is there.
(2) I'm trying to work out how --domain, --realm, --server and the system hostname influence each other, if one or more is not provided.
For ipa-server-install, testing suggests:
* --domain defaults to the domain part of the system hostname
* --realm defaults to the uppercased --domain
* (--server is obviously itself :-)
For ipa-client-install it seems a bit more complex. Based on the
manpage, I believe the sequence is something like this:
* If --domain is not specified, then it's the domain from the system hostname
* If --server is not specified, then it hunts for servers based on the --domain (looking in that domain and its parents until suitable SRV records are found)
* If --realm is not specified, then it sends a query to the --server(s) to ask what realm they are in
But the manpage says you can specify both --server and --domain:
"Client machine can also be configured without a DNS autodiscovery at all. When both --server and --domain options are used, client installer will use the specified server and domain directly."
Server and client can be in different DNS domains; that's probably why it has separate options.
I know that it is not clear how the client determines domain and server, but there were more important things to fix; this may be improved in future.
In that case, I can't see what the --domain is used for here, if its only purpose is to locate servers (and you've already told it which --server to use).
Thanks,
Brian.
Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
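The resolution order Brian lays out above (--domain from the hostname, --server via an SRV walk up the parent domains, --realm asked of the server) together with the ipa-server-install defaults, as an added Python model that is not FreeIPA's own code: DNS and the realm query are replaced by constructed in-memory tables, and `_ldap._tcp.<domain>` is the SRV name assumed for discovery.

```python
from typing import Dict, List, Optional

# Constructed stand-in for DNS: SRV name -> target hosts (not real zone data).
FAKE_SRV: Dict[str, List[str]] = {
    "_ldap._tcp.bar.example.com": ["ipa.foo.example.com"],
}
# Constructed stand-in for "ask the server which realm it serves".
FAKE_SERVER_REALM: Dict[str, str] = {"ipa.foo.example.com": "BAR.EXAMPLE.COM"}

def domain_of(hostname: str) -> str:
    """Domain part of a fully qualified hostname (ipa.foo.example.com -> foo.example.com)."""
    if "." not in hostname:
        raise ValueError(f"{hostname!r} is not fully qualified, cannot derive a domain")
    return hostname.split(".", 1)[1]

def parent_domains(domain: str) -> List[str]:
    """bar.example.com -> [bar.example.com, example.com, com]"""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def discover_servers(domain: str, srv: Dict[str, List[str]] = FAKE_SRV) -> List[str]:
    """Walk from the domain up through its parents until an LDAP SRV record is found."""
    for zone in parent_domains(domain):
        hits = srv.get(f"_ldap._tcp.{zone}")
        if hits:
            return list(hits)
    return []

def server_install_defaults(hostname: str, domain: Optional[str] = None,
                            realm: Optional[str] = None) -> dict:
    """ipa-server-install: --domain from the hostname, --realm is the uppercased domain."""
    domain = domain or domain_of(hostname)
    return {"domain": domain, "realm": realm or domain.upper()}

def client_install_resolve(hostname: str, domain: Optional[str] = None,
                           server: Optional[List[str]] = None,
                           realm: Optional[str] = None,
                           srv: Dict[str, List[str]] = FAKE_SRV,
                           realms: Dict[str, str] = FAKE_SERVER_REALM) -> dict:
    """ipa-client-install order: --domain, then --server (or SRV hunt), then --realm."""
    domain = domain or domain_of(hostname)
    if server is None:  # an explicit --server skips autodiscovery entirely
        server = discover_servers(domain, srv)
        if not server:
            raise LookupError(f"no LDAP SRV records under {domain} or its parents")
    # With no --realm, ask the first server; stubbed here with a lookup table.
    return {"domain": domain, "servers": server, "realm": realm or realms[server[0]]}
```

Running client_install_resolve("host.sub.bar.example.com") shows the walk climbing to bar.example.com, while passing server=[...] with an unrelated domain shows why --domain is then left with no discovery role.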