Dredging up an old thread here...

On 05/02/2018 08:25 PM, Tyrell Jentink wrote:
I'm using FreeIPA here at home; As a product, it's really just a bunch of
scripts and a web interface for LDAP+Kerberos+Certificate management+Samba;
It aims to be a complete identity management system, a product designed to
compete with (or at the very least, perform an analogous set of tasks to)
ActiveDirectory. It is completely open source, developed by Red Hat, for
Fedora, and I use it on CentOS, but it is available for a number of other
distros.

If you (Tyrell) have the time, could you please describe whether you are using the BIND part of FreeIPA, and if so, the DNS architecture of your home network? I've been struggling to come up to speed on this.

I use OpenWrt as a router on my home network. dnsmasq is enabled, and all of my internal machines have host.example.com names. If dnsmasq doesn't recognize a name, it forwards the lookup upstream to the real DNS host for my domain. Given this setup, I tried several naming schemes for my ipa server. With some setups the ipa-server-install failed early. With others, the server install would basically work, but then in the client portion it would try to send DNS updates to the upstream DNS host. These updates fail because my upstream DNS host isn't configured to expect updates. My understanding is that these updates shouldn't be going to this host anyway.

What finally worked for me was to create a separate subdomain. I named my ipa server ipa-1.ipa.example.com, and my ipa domain ipa.example.com (with the Kerberos realm named IPA.SEITZASSOC.COM). I had to add a server option in dnsmasq on my OpenWrt box to tell it to forward lookups in the ipa.example.com domain to my ipa server.

Note that example.com is just an example. I was using my actual domain name above.

thanks,
galen
--
Galen Seitz
gal...@seitzassoc.com
_______________________________________________
PLUG mailing list
PLUG@pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug
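Added example (not from Galen's message): the dnsmasq forwarding rule he describes, written as the OpenWrt /etc/config/dhcp fragment it would become, with the subdomain ipa.example.com from his message and an assumed placeholder address 192.0.2.10 for the IPA server.

```conf
# /etc/config/dhcp on the OpenWrt router (UCI syntax). Only the lines
# relevant to IPA are shown; the rest of the dnsmasq section is unchanged.
# 192.0.2.10 is an assumed placeholder for the IPA server's address.
config dnsmasq
	# Send lookups for the IPA subdomain (and only that subdomain) to the
	# BIND instance on the IPA server; names elsewhere under example.com
	# still go to the regular upstream resolver as before.
	# Equivalent dnsmasq.conf line:  server=/ipa.example.com/192.0.2.10
	list server '/ipa.example.com/192.0.2.10'
	# OpenWrt enables DNS rebind protection by default, which drops
	# forwarded answers that contain private (RFC 1918) addresses, i.e.
	# exactly what the IPA server returns for LAN hosts. Whitelist just
	# this subdomain so the protection stays active for everything else.
	option rebind_protection '1'
	list rebind_domain 'ipa.example.com'
```

After `/etc/init.d/dnsmasq restart`, a query such as `nslookup ipa-1.ipa.example.com <router address>` from a LAN client should return the IPA server's address, while a name directly under example.com still resolves via the upstream host.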
