This is a great technical discussion, thanks for keeping it public. It reminds me of my journey implementing SSO/AD/LDAP: the project scope kept expanding beyond my initial expectations.
As per your discussion: this central management/authentication needs a fully configured reverse and authoritative DNS domain and NTP. This is part of the host chain of trust/authentication. There is no workaround. Once you get it working, though, it will become a great asset and is absolutely worth it; think of access to data, services, etc. Because of the many moving parts, keep detailed notes or, better, a manifest of your setup. Also, plan for future migration now, when you understand every detail of your setup. Without that you will find it very, very difficult to migrate/update your setup years from now. I certainly found my memories and notes insufficient to effectively migrate/update 5 years later.

-T

On Jun 19, 2018 4:12 PM, "Tyrell Jentink" <[email protected]> wrote:

I also didn't answer about DHCP... DHCP and DNS shouldn't have to care about each other, unless IP addresses are likely to change; if they are, you will need a method of updating the DNS records. FreeIPA lets the client update their own records; Windows prefers to deal with it on the server. SO, the "Best Practice" is *probably* to let Windows play DHCP server. That's probably what I will do next.

Currently, I'm using the DHCP server in my firewall, which is less-than-ideal for a number of reasons, not the least of which is: because Windows machines belong to the win.example.com|10.42.2.0 network, and Linux machines belong to the lin.example.com|10.42.1.0 network, all of the leases need static reservations (as an aside, I don't put ALL machines in the domains... Things like phones and Raspberry Pi's are considered "Untrusted," get addresses out of the 10.42.0.0 IP pool, and don't have domain names at all...). Which sucks for onloading a new machine: I have to add the DHCP reservations to the firewall, then add the client to the domain... in two separate interfaces. I suppose if it were all in Windows Server, then it's at least all in the same place...
On Tue, Jun 19, 2018, 13:35 Galen Seitz <[email protected]> wrote:

> On 06/19/2018 12:33 PM, Tyrell Jentink wrote:
> > The second is FreeIPA, lives at 10.42.1.10 and it serves the lin.example.com
> > subdomain and the 1.42.10.arpa reverse domain. It has a conditional
> > forwarder to forward requests under win.example.com to 10.42.2.10
>
> Some questions for you:
>
> What is the FQDN of your ipa server?
>
> Are you using DHCP for client machines? If so, where is it hosted and
> how does it interact with your DNS server?
>
> thanks,
> galen
> --
> Galen Seitz
> [email protected]
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug
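As an added example (not code from the thread or from FreeIPA), here is the kind of forward/reverse consistency check that the "no workaround" point above implies: every A record in lin.example.com must have a PTR in the 10.42.1.0 reverse zone naming the same host, and every PTR must be backed by a matching A record. The host names (ipa, box1, box2, dc, old) are assumed; only the addresses and domain names come from the thread, and the zone data is constructed inline so the check runs offline.

```python
# Forward/reverse DNS consistency check for the split lin/win zones.
# Added example, not from the thread. In a real deployment the two dicts
# would be filled from the authoritative servers (zone transfer or the
# FreeIPA CLI) instead of the constructed sample data below.
import ipaddress


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa owner name for an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer  # 10.42.1.10 -> 10.1.42.10.in-addr.arpa


def check_dns_consistency(a_records: dict, ptr_records: dict) -> list:
    """Compare A records (fqdn -> ip) with PTR records (reverse owner -> fqdn).

    Returns human-readable findings; an empty list means the zones agree.
    """
    findings = []
    for fqdn, ip in sorted(a_records.items()):
        owner = reverse_name(ip)
        target = ptr_records.get(owner)
        if target is None:
            findings.append(f"missing PTR: {fqdn} ({ip}) has no {owner} record")
        elif target.lower() != fqdn.lower():
            findings.append(f"PTR mismatch: {owner} -> {target}, expected {fqdn}")
    for owner, fqdn in sorted(ptr_records.items()):
        ip = a_records.get(fqdn)
        if ip is None:
            findings.append(f"dangling PTR: {owner} -> {fqdn} has no A record")
        elif reverse_name(ip) != owner:
            findings.append(f"A/PTR disagree: {fqdn} is {ip} but PTR lives at {owner}")
    return findings


# Constructed sample zones; host names are assumed, addresses/domains are from the thread.
A_RECORDS = {
    "ipa.lin.example.com": "10.42.1.10",   # FreeIPA server, assumed FQDN
    "box1.lin.example.com": "10.42.1.20",
    "box2.lin.example.com": "10.42.1.21",  # deliberately left without a PTR
    "dc.win.example.com": "10.42.2.10",    # Windows DNS/AD, assumed FQDN
}
PTR_RECORDS = {
    "10.1.42.10.in-addr.arpa": "ipa.lin.example.com",
    "20.1.42.10.in-addr.arpa": "box1.lin.example.com",
    "30.1.42.10.in-addr.arpa": "old.lin.example.com",  # stale: no A record
    "10.2.42.10.in-addr.arpa": "dc.win.example.com",
}


def sample_findings() -> list:
    """Run the check over the constructed zones (two findings expected)."""
    return check_dns_consistency(A_RECORDS, PTR_RECORDS)


if __name__ == "__main__":
    for line in sample_findings() or ["forward and reverse zones agree"]:
        print(line)
```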
