Re: [Freeipa-users] Different domain enrollment

2015-08-25 Thread Petr Spacek
On 12.8.2015 14:20, Dewangga Bachrul Alam wrote:
> Hello!
> 
> On 08/11/2015 06:25 PM, Alexander Bokovoy wrote:
>> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
>>>> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>>>>> Hello!
>>>>>
>>>>> I'm having a problem with a hostname in a different domain from the primary
>>>>> domain on the IPA server. For example, my primary domain is mydomain.co.id,
>>>>> and if the server hostname uses mydomain.co.id, DNS discovery is
>>>>> successful.
>>>>>
>>>>> The problem comes if the client hostname uses a different domain, for
>>>>> example anotherdomain.com: DNS discovery fails. Is there any way to solve
>>>>> it? Should I enter it manually?
>>>> Details of autodiscovery and suggestions on how to configure it are explained
>>>> in the man page for ipa-client-install, section on DNS autodiscovery.
>>>
>>> Thanks for your hints, but I have another question after reading the man
>>> pages. Is the best practice for registering a client to the IPA server to
>>> use --domain, or to add similar DNS records?
>> You still would need a _kerberos TXT record for runtime Kerberos realm
>> detection unless your krb5.conf contains a domain_realm entry for
>> your DNS domain.
>>
>> Using --domain option is, of course, easy.

AFAIK adding a _kerberos TXT record should make the auto-detection in
ipa-client-install work.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Different domain enrollment

2015-08-12 Thread Dewangga Bachrul Alam
Hello!

On 08/11/2015 06:25 PM, Alexander Bokovoy wrote:
> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
>>> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> I'm having a problem with a hostname in a different domain from the primary
>>>> domain on the IPA server. For example, my primary domain is mydomain.co.id,
>>>> and if the server hostname uses mydomain.co.id, DNS discovery is
>>>> successful.
>>>>
>>>> The problem comes if the client hostname uses a different domain, for
>>>> example anotherdomain.com: DNS discovery fails. Is there any way to solve
>>>> it? Should I enter it manually?
>>> Details of autodiscovery and suggestions on how to configure it are explained
>>> in the man page for ipa-client-install, section on DNS autodiscovery.
>>
>> Thanks for your hints, but I have another question after reading the man
>> pages. Is the best practice for registering a client to the IPA server to
>> use --domain, or to add similar DNS records?
> You still would need a _kerberos TXT record for runtime Kerberos realm
> detection unless your krb5.conf contains a domain_realm entry for
> your DNS domain.
> 
> Using the --domain option is, of course, easy.
> 
> 
Yes, using --domain is very easy.
>> I've tried to create new records on anotherdomain.com (e.g. the original DNS
>> record was _ldap._tcp.mydomain.co.id, and I created a new record for
>> _ldap._tcp.anotherdomain.com).
>>
>> The new DNS records on anotherdomain.com are "_ldap._tcp, _ntp._udp,
>> _kpasswd._udp, _kpasswd._tcp, _kerberos._udp, _kerberos._tcp,
>> _kerberos-master._udp, _kerberos-master._tcp".
>>
>> anotherdomain.com $ ipa-client-install
>> Discovery was successful!
>> Hostname: spectre.anotherdomain.com
>> Realm: MYDOMAIN.CO.ID
>> DNS Domain: anotherdomain.com
>> IPA Server: ipa.anotherdomain.com
>> BaseDN: dc=merahciptamedia,dc=co,dc=id
>>
>> Continue to configure the system with these values? [no]: yes
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Please check that 123 UDP port is opened.
>> User authorized to enroll computers: admin
>> Password for ad...@merahciptamedia.co.id:
>> Unable to download CA cert from LDAP.
>> Do you want to download the CA cert from
>> http://ipa.anotherdomain.com/ipa/config/ca.crt?
>> (this is INSECURE) [no]:
>>
>> Is it safe? Or just use --domain parameter?
> I don't think 'Unable to download CA cert from LDAP' is connected to the
> problem you have, but you should be able to see what the issue was in
> /var/log/ipaclient-install.log.
> 
I think the client can't download the CA cert from LDAP because ca.crt
was registered on mydomain.co.id (not anotherdomain.com). For
flexibility, and given my limited knowledge, it is better to use --domain
(for now) :D



Re: [Freeipa-users] Different domain enrollment

2015-08-11 Thread Alexander Bokovoy

On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
> Hello!
>
> On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
>> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> I'm having a problem with a hostname in a different domain from the primary
>>> domain on the IPA server. For example, my primary domain is mydomain.co.id,
>>> and if the server hostname uses mydomain.co.id, DNS discovery is
>>> successful.
>>>
>>> The problem comes if the client hostname uses a different domain, for
>>> example anotherdomain.com: DNS discovery fails. Is there any way to solve
>>> it? Should I enter it manually?
>> Details of autodiscovery and suggestions on how to configure it are explained
>> in the man page for ipa-client-install, section on DNS autodiscovery.
>
> Thanks for your hints, but I have another question after reading the man
> pages. Is the best practice for registering a client to the IPA server to
> use --domain, or to add similar DNS records?
You still would need a _kerberos TXT record for runtime Kerberos realm
detection unless your krb5.conf contains a domain_realm entry for
your DNS domain.

Using the --domain option is, of course, easy.

> I've tried to create new records on anotherdomain.com (e.g. the original DNS
> record was _ldap._tcp.mydomain.co.id, and I created a new record for
> _ldap._tcp.anotherdomain.com).
>
> The new DNS records on anotherdomain.com are "_ldap._tcp, _ntp._udp,
> _kpasswd._udp, _kpasswd._tcp, _kerberos._udp, _kerberos._tcp,
> _kerberos-master._udp, _kerberos-master._tcp".
>
> anotherdomain.com $ ipa-client-install
> Discovery was successful!
> Hostname: spectre.anotherdomain.com
> Realm: MYDOMAIN.CO.ID
> DNS Domain: anotherdomain.com
> IPA Server: ipa.anotherdomain.com
> BaseDN: dc=merahciptamedia,dc=co,dc=id
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> User authorized to enroll computers: admin
> Password for ad...@merahciptamedia.co.id:
> Unable to download CA cert from LDAP.
> Do you want to download the CA cert from
> http://ipa.anotherdomain.com/ipa/config/ca.crt?
> (this is INSECURE) [no]:
>
> Is it safe? Or just use --domain parameter?
I don't think 'Unable to download CA cert from LDAP' is connected to the
problem you have, but you should be able to see what the issue was in
/var/log/ipaclient-install.log.

--
/ Alexander Bokovoy

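The two realm sources Alexander names (a _kerberos TXT record in DNS, or a [domain_realm] entry in krb5.conf) and the SRV records Dewangga added for anotherdomain.com, modelled in Python as an added example. This is not code from the thread or from FreeIPA or MIT Kerberos; it is a simplified model of how a client consults those sources. The zone data, the two krb5.conf fragments, the client hostname spectre.anotherdomain.com and the SRV target ipa.anotherdomain.com are constructed for the example from the names in the thread, not real infrastructure.

```python
# Added example, not FreeIPA code: find the IPA server (SRV) and the Kerberos
# realm (krb5.conf [domain_realm] first, then _kerberos TXT) for a client whose
# DNS domain differs from the realm's own domain.

# Constructed zone for anotherdomain.com with the record names listed in the
# thread. Keys are (owner, RR type); values are rdata strings. Ports are the
# standard ones (LDAP 389, Kerberos 88, kpasswd 464, NTP 123).
SRV_PORTS = {"_ldap._tcp": 389, "_kerberos._udp": 88, "_kerberos._tcp": 88,
             "_kerberos-master._udp": 88, "_kerberos-master._tcp": 88,
             "_kpasswd._udp": 464, "_kpasswd._tcp": 464, "_ntp._udp": 123}
ZONE = {("_kerberos.anotherdomain.com", "TXT"): ["MYDOMAIN.CO.ID"]}
for svc, port in SRV_PORTS.items():
    ZONE[(svc + ".anotherdomain.com", "SRV")] = [f"0 100 {port} ipa.anotherdomain.com."]
# Same zone without the TXT record: SRV discovery still works, but runtime
# realm detection has nothing to go on unless krb5.conf maps the domain.
ZONE_NO_TXT = {k: v for k, v in ZONE.items() if k[1] != "TXT"}

KRB5_CONF_WITH_MAPPING = """\
[libdefaults]
  default_realm = MYDOMAIN.CO.ID
  dns_lookup_realm = false
[domain_realm]
  .anotherdomain.com = MYDOMAIN.CO.ID
  anotherdomain.com = MYDOMAIN.CO.ID
"""
KRB5_CONF_DNS_ONLY = """\
[libdefaults]
  default_realm = MYDOMAIN.CO.ID
  dns_lookup_realm = true
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf reader: flat 'key = value' pairs per [section]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def parent_domains(hostname):
    """'a.b.c' -> ['b.c', 'c']: the parent domains a realm lookup walks upwards."""
    labels = hostname.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]

def realm_from_domain_realm(mapping, hostname):
    """Simplified [domain_realm] lookup: the host itself first, then each parent
    domain with a leading dot (matches hosts under it) and without one."""
    if hostname in mapping:
        return mapping[hostname]
    for dom in parent_domains(hostname):
        for key in ("." + dom, dom):
            if key in mapping:
                return mapping[key]
    return None

def realm_from_dns(zone, hostname):
    """_kerberos.<name> TXT lookup, from the host up through its parent domains."""
    for name in [hostname.rstrip(".")] + parent_domains(hostname):
        txt = zone.get(("_kerberos." + name, "TXT"))
        if txt:
            return txt[0]
    return None

def discover_realm(hostname, krb5_conf_text, zone):
    """Return (realm, source). [domain_realm] wins; DNS TXT is consulted only
    when dns_lookup_realm is true; with neither source the lookup fails."""
    conf = parse_krb5_conf(krb5_conf_text)
    realm = realm_from_domain_realm(conf.get("domain_realm", {}), hostname)
    if realm:
        return realm, "domain_realm"
    if conf.get("libdefaults", {}).get("dns_lookup_realm", "false").lower() == "true":
        realm = realm_from_dns(zone, hostname)
        if realm:
            return realm, "dns_txt"
    return None, None

def srv_targets(zone, domain, service="_ldap._tcp"):
    """(host, port) list from <service>.<domain> SRV records, ordered by
    priority and then by descending weight, as a client would try them."""
    parsed = []
    for rr in zone.get((service + "." + domain, "SRV"), []):
        prio, weight, port, target = rr.split()
        parsed.append((int(prio), -int(weight), target.rstrip("."), int(port)))
    return [(host, port) for _, _, host, port in sorted(parsed)]

if __name__ == "__main__":
    host = "spectre.anotherdomain.com"
    print("LDAP SRV:         ", srv_targets(ZONE, "anotherdomain.com"))
    print("krb5.conf mapping:", discover_realm(host, KRB5_CONF_WITH_MAPPING, ZONE_NO_TXT))
    print("DNS TXT only:     ", discover_realm(host, KRB5_CONF_DNS_ONLY, ZONE))
    print("neither:          ", discover_realm(host, KRB5_CONF_DNS_ONLY, ZONE_NO_TXT))
```

Running the block prints the LDAP SRV target and then three realm lookups: one answered from [domain_realm], one from the TXT record, and one with neither source, which is the failure that Alexander's remark about runtime realm detection refers to. One caveat worth keeping in mind: MIT Kerberos only consults DNS for the realm when dns_lookup_realm is true (it defaults to false), so a TXT record alone does not help a client whose krb5.conf disables that lookup; in that case the [domain_realm] mapping is the one that matters.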


Re: [Freeipa-users] Different domain enrollment

2015-08-11 Thread Dewangga Bachrul Alam
Hello!

On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I'm having a problem with a hostname in a different domain from the primary
>> domain on the IPA server. For example, my primary domain is mydomain.co.id,
>> and if the server hostname uses mydomain.co.id, DNS discovery is
>> successful.
>>
>> The problem comes if the client hostname uses a different domain, for
>> example anotherdomain.com: DNS discovery fails. Is there any way to solve
>> it? Should I enter it manually?
> Details of autodiscovery and suggestions on how to configure it are explained
> in the man page for ipa-client-install, section on DNS autodiscovery.

Thanks for your hints, but I have another question after reading the man
pages. Is the best practice for registering a client to the IPA server to
use --domain, or to add similar DNS records?

I've tried to create new records on anotherdomain.com (e.g. the original DNS
record was _ldap._tcp.mydomain.co.id, and I created a new record for
_ldap._tcp.anotherdomain.com).

The new DNS records on anotherdomain.com are "_ldap._tcp, _ntp._udp,
_kpasswd._udp, _kpasswd._tcp, _kerberos._udp, _kerberos._tcp,
_kerberos-master._udp, _kerberos-master._tcp".

anotherdomain.com $ ipa-client-install
Discovery was successful!
Hostname: spectre.anotherdomain.com
Realm: MYDOMAIN.CO.ID
DNS Domain: anotherdomain.com
IPA Server: ipa.anotherdomain.com
BaseDN: dc=merahciptamedia,dc=co,dc=id

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for ad...@merahciptamedia.co.id:
Unable to download CA cert from LDAP.
Do you want to download the CA cert from
http://ipa.anotherdomain.com/ipa/config/ca.crt?
(this is INSECURE) [no]:

Is it safe? Or just use --domain parameter?



Re: [Freeipa-users] Different domain enrollment

2015-08-10 Thread Alexander Bokovoy

On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
> Hello!
>
> I'm having a problem with a hostname in a different domain from the primary
> domain on the IPA server. For example, my primary domain is mydomain.co.id,
> and if the server hostname uses mydomain.co.id, DNS discovery is successful.
>
> The problem comes if the client hostname uses a different domain, for
> example anotherdomain.com: DNS discovery fails. Is there any way to solve
> it? Should I enter it manually?
Details of autodiscovery and suggestions on how to configure it are explained
in the man page for ipa-client-install, section on DNS autodiscovery.
--
/ Alexander Bokovoy



[Freeipa-users] Different domain enrollment

2015-08-10 Thread Dewangga Bachrul Alam
Hello!

I'm having a problem with a hostname in a different domain from the primary
domain on the IPA server. For example, my primary domain is mydomain.co.id,
and if the server hostname uses mydomain.co.id, DNS discovery is successful.

The problem comes if the client hostname uses a different domain, for
example anotherdomain.com: DNS discovery fails. Is there any way to solve
it? Should I enter it manually?
