On 22/12/2016 20:53, Martin Basti wrote:
>> (1) This introduces a concept of an "IPA Primary Domain". Is that
>> just the DNS domain which holds the SRV records which point to the
>> realm's kerberos/ldap servers, or does it have any other function? In
>> other words, what other effects would there be from choosing a
>> different IP Primary Domain?
> it holds SRV records, A/AAAA records for CA
> LDAP tree is constructed from the domain (cn=accounts,dc=example,dc=com)
No, I don't believe that's true: the LDAP tree is constructed from the
*realm* not the *domain*.
I just checked this by creating a Centos7 lxd container with hostname
"ipa.foo.example.com", running the following command:
# ipa-server-install --domain bar.example.com --realm QUX.EXAMPLE.COM --setup-dns -p Abcd1234 -a Defg5678
and accepting defaults for everything else. What I get is:
*** an LDAP tree rooted at dc=qux,dc=example,dc=com
=> this proves the LDAP tree is constructed from the --realm, not the
--domain.
*** the DNS zone "bar.example.com" (in addition to the reverse zone)
The bar.example.com contains both types of DNS mapping: hostname to
realm and realm to servers.
(1) _kerberos TXT "QUX.EXAMPLE.COM"
i.e. "hosts with hostnames under domain bar.example.com belong to realm
QUX.EXAMPLE.COM"
(2) _kerberos._tcp SRV 0 100 88 ipatest.foo.example.com. # plus _kerberos._ldap etc
=> this shows the SRV records are put under the --domain
*** in krb5.conf a default realm of QUX.EXAMPLE.COM, and the following
realm to server mapping:
[realms]
  QUX.EXAMPLE.COM = {
    kdc = ipatest.foo.example.com:88
    master_kdc = ipatest.foo.example.com:88
    admin_server = ipatest.foo.example.com:749
    default_domain = bar.example.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
Aha: there is "default_domain" in there! It's a property of the realm!
Checking the MIT kerberos documentation:
http://web.mit.edu/kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.html
"default_domain
This tag specifies the domain used to expand hostnames when translating
Kerberos 4 service principals to Kerberos 5 principals (for example,
when converting rcmd.hostname to host/hostname.domain)."
So it seems that's only a legacy setting for dealing with kerberos 4 :-(
*** /etc/sssd/sssd.conf
[domain/bar.example.com]
krb5_realm = QUX.EXAMPLE.COM
ipa_domain = bar.example.com
[sssd]
domains = bar.example.com
But in sssd, "A domain is a database containing user information" - from
sssd.conf(5). So really it's just a label for a group of settings,
nothing to do with a DNS domain.
*** CA
grepping through /etc I see some other settings based on the domain, in
particular the CA hostname is here:
/etc/pki/pki-tomcat/ca/CS.cfg:ca.defaultOcspUri=http://ipa-ca.bar.example.com/ca/ocsp
However the installation process didn't actually create this DNS entry,
so the ipa-ca hostname is not resolvable. Since it has the
bar.example.com master zone, maybe it should add this record?
*** During the installation I get a reasonable warning:
WARNING: Realm name does not match the domain name.
You will not be able to estabilish trusts with Active Directory unless
the realm name of the IPA server matches its domain name.
But I think this also highlights confusion between "the IPA domain" and
"the server's domain name".
It's clear that the *realm* is something that's common to all the IPA
servers. However it's also clear that each IPA server's *hostname* can
be in a different *domain*, e.g. they could be
srv1.bar.com
srv2.baz.com
But "the IPA primary domain" (where the SRV records are stored) is an
attribute of the realm collectively, not of the individual servers. So
it might be clearer if it said:
WARNING: Realm name does not match the domain name.
You will not be able to establish trusts with Active Directory unless
the IPA realm matches the IPA primary domain.
> Then use bar.example.com, IPA servers can have names outside the IPA
> domain name space.
> Different people want different things, that's why the option is there.
Indeed, but the "--domain" option to ipa-server-install appears to be
orthogonal to the domain name of the IPA servers themselves. This is a
primary source of confusion I think.
Regards,
Brian.
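Added example (not part of the thread or of FreeIPA itself): a small offline check that encodes the relationships Brian worked out above, i.e. the LDAP suffix comes from the realm, the _kerberos TXT and SRV records live under --domain, and the CA's OCSP URI host must resolve. The zone contents, addresses and hostnames below are constructed sample data modelled on the thread's --domain bar.example.com / --realm QUX.EXAMPLE.COM install.

```python
from urllib.parse import urlparse

# Constructed zone data modelled on what the installer created in the thread
# (sample values only; 192.0.2.0/24 is a documentation range).
ZONE = {
    "_kerberos.bar.example.com.": [("TXT", "QUX.EXAMPLE.COM")],
    "_kerberos._tcp.bar.example.com.": [("SRV", "0 100 88 ipatest.foo.example.com.")],
    "_ldap._tcp.bar.example.com.": [("SRV", "0 100 389 ipatest.foo.example.com.")],
    "ipatest.foo.example.com.": [("A", "192.0.2.10")],
}
OCSP_URI = "http://ipa-ca.bar.example.com/ca/ocsp"  # as seen in CS.cfg in the thread


def base_dn_from_realm(realm):
    """IPA builds the LDAP suffix from the realm, not from --domain."""
    return ",".join("dc=" + label.lower() for label in realm.split("."))


def lookup(zone, name, rtype):
    """Return the rdata of all records of type rtype at name (offline, dict-backed)."""
    return [v for t, v in zone.get(name.rstrip(".") + ".", []) if t == rtype]


def check_deployment(zone, domain, realm, ocsp_uri):
    """Return a list of findings; an empty list means the setup is self-consistent."""
    findings = []
    # The installer's own warning: AD trusts need realm == upper-case domain.
    if realm != domain.upper():
        findings.append("realm %s != upper-case domain %s: AD trusts will not work"
                        % (realm, domain))
    # Hosts under --domain are mapped to the realm by the _kerberos TXT record.
    if lookup(zone, "_kerberos." + domain, "TXT") != [realm]:
        findings.append("_kerberos TXT under %s does not advertise %s" % (domain, realm))
    # SRV targets may legitimately live in another domain, but must resolve.
    for svc in ("_kerberos._tcp", "_ldap._tcp"):
        for rec in lookup(zone, svc + "." + domain, "SRV"):
            target = rec.split()[3]
            if not lookup(zone, target, "A"):
                findings.append("%s SRV target %s has no A record" % (svc, target))
    # The CA's OCSP URI references ipa-ca.<domain>; clients need it resolvable.
    ca_host = urlparse(ocsp_uri).hostname
    if not lookup(zone, ca_host, "A"):
        findings.append("OCSP URI host %s is not resolvable" % ca_host)
    return findings


if __name__ == "__main__":
    print(base_dn_from_realm("QUX.EXAMPLE.COM"))
    for f in check_deployment(ZONE, "bar.example.com", "QUX.EXAMPLE.COM", OCSP_URI):
        print("FINDING:", f)
```

Run against the constructed zone it reports the two gaps discussed in the thread: the realm/domain mismatch and the missing ipa-ca record; adding an A record for ipa-ca.bar.example.com clears the second.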
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project