On 22/12/2016 20:53, Martin Basti wrote:

(1) This introduces a concept of an "IPA Primary Domain". Is that just the DNS domain which holds the SRV records which point to the realm's kerberos/ldap servers, or does it have any other function? In other words, what other effects would there be from choosing a different IPA Primary Domain?

it holds SRV records, A/AAAA records for CA

LDAP tree is constructed from the domain (cn=accounts,dc=example,dc=com)


No, I don't believe that's true: the LDAP tree is constructed from the *realm* not the *domain*.

I just checked this by creating a Centos7 lxd container with hostname "ipa.foo.example.com", running the following command:

# ipa-server-install --domain bar.example.com --realm QUX.EXAMPLE.COM --setup-dns -p Abcd1234 -a Defg5678

and accepting defaults for everything else. What I get is:

*** an LDAP tree rooted at dc=qux,dc=example,dc=com

=> this proves the LDAP tree is constructed from the --realm, not the --domain.

*** the DNS zone "bar.example.com" (in addition to the reverse zone)

The bar.example.com contains both types of DNS mapping: hostname to realm and realm to servers.

(1) _kerberos TXT "QUX.EXAMPLE.COM"

i.e. "hosts with hostnames under domain bar.example.com belong to realm QUX.EXAMPLE.COM"

(2) _kerberos._tcp SRV 0 100 88 ipatest.foo.example.com. # plus _kerberos._ldap etc

=> this shows the SRV records are put under the --domain


*** in krb5.conf a default realm of QUX.EXAMPLE.COM, and the following realm to server mapping:

[realms]
 QUX.EXAMPLE.COM = {
  kdc = ipatest.foo.example.com:88
  master_kdc = ipatest.foo.example.com:88
  admin_server = ipatest.foo.example.com:749
  default_domain = bar.example.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

Aha: there is "default_domain" in there! It's a property of the realm! Checking the MIT kerberos documentation:

http://web.mit.edu/kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.html

"default_domain

This tag specifies the domain used to expand hostnames when translating Kerberos 4 service principals to Kerberos 5 principals (for example, when converting rcmd.hostname to host/hostname.domain)."

So it seems that's only a legacy setting for dealing with kerberos 4 :-(

*** /etc/sssd/sssd.conf

[domain/bar.example.com]
krb5_realm = QUX.EXAMPLE.COM
ipa_domain = bar.example.com

[sssd]
domains = bar.example.com

But in sssd, "A domain is a database containing user information" - from sssd.conf(5). So really it's just a label for a group of settings, nothing to do with a DNS domain.

*** CA

grepping through /etc I see some other settings based on the domain, in particular the CA hostname is here:

/etc/pki/pki-tomcat/ca/CS.cfg:ca.defaultOcspUri=http://ipa-ca.bar.example.com/ca/ocsp

However the installation process didn't actually create this DNS entry, so the ipa-ca hostname is not resolvable. Since it has the bar.example.com master zone, maybe it should add this record?

*** During the installation I get a reasonable warning:

    WARNING: Realm name does not match the domain name.
    You will not be able to estabilish trusts with Active Directory unless
    the realm name of the IPA server matches its domain name.

But I think this also highlights confusion between "the IPA domain" and "the server's domain name".

It's clear that the *realm* is something that's common to all the IPA servers. However it's also clear that each IPA server's *hostname* can be in a different *domain*, e.g. they could be

srv1.bar.com
srv2.baz.com

But "the IPA primary domain" (where the SRV records are stored) is an attribute of the realm collectively, not of the individual servers. So it might be clearer if it said:

    WARNING: Realm name does not match the domain name.
    You will not be able to establish trusts with Active Directory unless
    the IPA realm matches the IPA primary domain.



Then use bar.example.com; IPA servers can have names outside the IPA domain name space.

Different people want different things, that's why the option is there.


Indeed, but the "--domain" option to ipa-server-install appears to be orthogonal to the domain name of the IPA servers themselves. This is a primary source of confusion I think.

Regards,

Brian.
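Added example, not part of this thread or of FreeIPA's own code: an offline model of the two DNS mappings described above (hostname to realm via the _kerberos TXT record, and domain to servers via _kerberos._tcp SRV). The record table is constructed from the ipa-server-install output quoted in the mail; the client hostnames are assumed, and no real DNS is queried. The last lookup also shows what happens when SRV records are searched under the realm name rather than the --domain, which is where MIT krb5's dns_lookup_kdc looks by default.

```python
# Constructed records of the "bar.example.com" zone (the --domain), taken from
# the records listed in the mail; ipatest.foo.example.com is the IPA server.
DNS_RECORDS = {
    ("_kerberos.bar.example.com.", "TXT"): ["QUX.EXAMPLE.COM"],
    # SRV tuples are (priority, weight, port, target)
    ("_kerberos._tcp.bar.example.com.", "SRV"): [(0, 100, 88, "ipatest.foo.example.com.")],
    ("_ldap._tcp.bar.example.com.", "SRV"): [(0, 100, 389, "ipatest.foo.example.com.")],
}


def lookup(name, rtype):
    """Stand-in for a DNS query; normalises the owner name to a trailing dot."""
    return DNS_RECORDS.get((name.lower().rstrip(".") + ".", rtype), [])


def realm_for_host(hostname):
    """Walk up the host's parent domains until a _kerberos TXT record is found.
    Returns (realm, domain) or (None, None). This is what dns_lookup_realm does;
    without DNSSEC the answer is only as trustworthy as the resolver path."""
    labels = hostname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        txt = lookup("_kerberos." + domain, "TXT")
        if txt:
            return txt[0], domain
    return None, None


def servers_for_domain(domain, service="_kerberos", proto="_tcp"):
    """Return [(host, port)] from the SRV records under `domain`,
    ordered by priority, then by descending weight."""
    recs = sorted(lookup(f"{service}.{proto}.{domain}", "SRV"),
                  key=lambda r: (r[0], -r[1]))
    return [(target.rstrip("."), port) for _, _, port, target in recs]


def discover(hostname):
    """Client-side flow: realm via TXT, then servers under the domain where the
    TXT record lives (the IPA primary domain), not under the realm name."""
    realm, domain = realm_for_host(hostname)
    if realm is None:
        return None
    return {"realm": realm, "domain": domain,
            "kdcs": servers_for_domain(domain),
            "ldap": servers_for_domain(domain, "_ldap")}


if __name__ == "__main__":
    print(discover("client1.bar.example.com"))      # found via bar.example.com
    print(realm_for_host("ipatest.foo.example.com")) # server host outside --domain
    print(servers_for_domain("qux.example.com"))     # realm-as-domain: nothing
```

The server's own hostname resolves to no realm because foo.example.com carries no _kerberos TXT record, which is exactly the realm/domain/hostname split the mail describes.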

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project