Re: [Freeipa-users] integrated DNS vs external DNS

2017-02-24 Thread Martin Basti

Adding freeipa-users back to the loop


On 24.02.2017 12:02, Iulian Roman wrote:
> On Thu, Feb 23, 2017 at 4:21 PM, Martin Basti wrote:
>
>> Hello,
>>
>> comments inline
>>
>> On 23.02.2017 15:07, Iulian Roman wrote:
>>
>>> Despite reading the FreeIPA and Red Hat IdM documentation regarding
>>> DNS, it is still unclear to me if and when integrated DNS is
>>> mandatory. We do have an environment with a pretty complex DNS setup,
>>> which has been in place for years, and there are no plans to change it.
>>
>> Integrated DNS is not mandatory at all. Without IPA DNS you have to
>> manage all IPA system records manually on the external DNS.
>>
>>> If I understood correctly from the documentation, integrated DNS
>>> is mandatory for configuring an AD trust. Is that correct?
>>
>> No, it is not needed for AD trust; you need to add additional DNS
>> records.
>>
>>> Can the integrated DNS be configured as forward only? Do the
>>> clients need to have IPA DNS as a resolver, or can they just use the
>>> existing DNS server?
>>
>> You don't need to install IPA DNS.
>>
>> All records IPA needs can be obtained from the command `ipa
>> dns-update-system-records --dry-run` (IPA 4.4+).
>
> There are some SRV records (_kerberos, _kpasswd, _ldap, _ntp) reported
> by the above command which would not be easy to add to the existing
> DNS (DNS updates are form based and they allow only A and CNAME
> records). When and by whom are those records used, and what is the
> consequence of not adding them to the existing DNS?

These are mainly used by ipa-clients (SSSD) with dynamic configuration.
However, you may configure the client to use a static configuration (without
auto-detection of working IPA servers) and it should work. However, I'm
not sure about the DNS records required for AD trust, and who the consumer
is, whether only SSSD or not.

Martin




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
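Martin's point above, that an IPA client can run with a static configuration instead of SRV-based auto-detection, raises the practical question of which existing clients would break if the external DNS never gets the SRV records. The script below is an added example, not code from this thread or from the FreeIPA project. It reads the two places where discovery is switched on or off, `ipa_server` in sssd.conf (`_srv_` in the list, or no value at all, means SRV discovery) and `dns_lookup_kdc` in krb5.conf, and reports `needs-srv` if either one still depends on DNS. The realm EXAMPLE.TEST, the host names and both configuration samples are constructed; the sample sssd.conf lines follow the shape ipa-client-install writes as I remember it, so verify the parser against a real client before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: tell whether an
# IPA client relies on the _ldap/_kerberos/_kpasswd SRV records (dynamic
# discovery) or is pinned to explicit servers (static configuration).
# Both config samples are constructed for a hypothetical realm EXAMPLE.TEST.
set -eu

# Value of a key in one [section] of an INI-style file; empty if absent.
# Handles "key = value" with arbitrary whitespace; stops at the next section.
ini_get() {   # $1 = file, $2 = section, $3 = key
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/[]].*$/, "", s)
                      insec = (s == sec); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Does SSSD discover servers via SRV?  ipa_server may list "_srv_" anywhere;
# an unset ipa_server also means SRV discovery (that is SSSD's default).
sssd_uses_srv() {   # $1 = sssd.conf, $2 = IPA domain (section is [domain/<domain>])
    v=$(ini_get "$1" "domain/$2" ipa_server)
    case "$v" in
        "")       return 0 ;;
        *_srv_*)  return 0 ;;
        *)        return 1 ;;
    esac
}

# Does libkrb5 look for _kerberos.* / _kpasswd.* SRV records?  Default is true.
krb5_uses_srv() {   # $1 = krb5.conf
    v=$(ini_get "$1" libdefaults dns_lookup_kdc)
    case "$v" in
        false|no|0|off) return 1 ;;
        *)              return 0 ;;
    esac
}

# Conservative verdict: "needs-srv" if any component still looks the records up.
client_report() {   # $1 = sssd.conf, $2 = krb5.conf, $3 = IPA domain
    if sssd_uses_srv "$1" "$3" || krb5_uses_srv "$2"; then
        echo "needs-srv"   # missing SRV records will break discovery on this client
    else
        echo "static"      # works without SRV records; fail-over limited to listed servers
    fi
}

WORK=$(mktemp -d)
# Constructed sssd.conf in the shape ipa-client-install writes by default:
# "_srv_" first, the enrolment server as fallback.
cat > "$WORK/sssd-dynamic.conf" <<'EOF'
[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_hostname = client1.example.test
ipa_server = _srv_, ipa1.example.test
EOF
# Constructed static form: explicit servers, fail-over in list order, no SRV lookup.
cat > "$WORK/sssd-static.conf" <<'EOF'
[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_hostname = client1.example.test
ipa_server = ipa1.example.test, ipa2.example.test
EOF
cat > "$WORK/krb5-dynamic.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_kdc = true
EOF
# Constructed static krb5.conf: KDCs and kpasswd pinned, no SRV lookup.
cat > "$WORK/krb5-static.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_kdc = false
[realms]
 EXAMPLE.TEST = {
  kdc = ipa1.example.test:88
  kdc = ipa2.example.test:88
  admin_server = ipa1.example.test:749
  kpasswd_server = ipa1.example.test:464
 }
EOF

client_report "$WORK/sssd-dynamic.conf" "$WORK/krb5-dynamic.conf" example.test   # needs-srv
client_report "$WORK/sssd-static.conf"  "$WORK/krb5-static.conf"  example.test   # static
```

Treat the result as conservative: a client reported as `needs-srv` has at least one component configured to look the records up, and only a client pinned in both files is reported `static`. Pinning also means fail-over is limited to the servers listed, so the list has to be maintained by hand whenever replicas are added or retired.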

Re: [Freeipa-users] integrated DNS vs external DNS

2017-02-23 Thread Matrix
No, integrated DNS is an optional component of IPA, even for AD integration.


But without integrated DNS, you have to correctly configure all SRV records
manually.


Matrix 


-- Original --
From: Iulian Roman <iulian.ro...@gmail.com>
Date: Thu,Feb 23,2017 09:16
To: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] integrated DNS vs external DNS

Re: [Freeipa-users] integrated DNS vs external DNS

2017-02-23 Thread Martin Basti

Hello,

comments inline


On 23.02.2017 15:07, Iulian Roman wrote:
> Despite reading the FreeIPA and Red Hat IdM documentation regarding
> DNS, it is still unclear to me if and when integrated DNS is
> mandatory. We do have an environment with a pretty complex DNS setup,
> which has been in place for years, and there are no plans to change it.

Integrated DNS is not mandatory at all. Without IPA DNS you have to
manage all IPA system records manually on the external DNS.

> If I understood correctly from the documentation, integrated DNS is
> mandatory for configuring an AD trust. Is that correct?

No, it is not needed for AD trust; you need to add additional DNS records.

> Can the integrated DNS be configured as forward only? Do the clients
> need to have IPA DNS as a resolver, or can they just use the existing DNS
> server?

You don't need to install IPA DNS.

All records IPA needs can be obtained from the command `ipa
dns-update-system-records --dry-run` (IPA 4.4+).

Martin
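Martin's `ipa dns-update-system-records --dry-run` gives the list of records IPA expects, but with an external DNS the list is only half the job: someone has to check that the zone actually serves them, and keep checking after replicas are added or retired. The script below is an added example, not from this thread or from the FreeIPA project. It normalizes dry-run style output and the zone's current answers to a common form and diffs them with comm(1), reporting records that are missing (rendered as a zone-file fragment to hand to the DNS team) and records IPA no longer lists (typically a decommissioned replica still advertised under `_ldap._tcp`, which clients will keep trying before failing over). Both inputs are constructed for a hypothetical realm EXAMPLE.TEST with servers ipa1 and ipa2; the `query_present` function shows how the current-answers side would be gathered with `dig +short` against the external resolver in a real run, and is not executed here because it needs the network.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: audit an external
# DNS zone against the records FreeIPA reports it needs.  Names, addresses and
# both sample inputs are constructed (realm EXAMPLE.TEST, servers ipa1/ipa2).
set -eu

# Normalise "owner TTL IN TYPE rdata" lines (the shape printed by
# `ipa dns-update-system-records --dry-run`) to "owner TYPE rdata", sorted, so
# both sides can be compared with comm(1).  TTL is dropped on purpose: the
# external DNS team may choose their own TTL without that counting as drift.
normalize_rrs() {
    awk '$3 == "IN" && $2 ~ /^[0-9]+$/ {
            rdata = $5; for (i = 6; i <= NF; i++) rdata = rdata " " $i
            print tolower($1), $4, rdata }' "$@" | LC_ALL=C sort -u
}

# $1 = normalized wanted, $2 = normalized present (both C-locale sorted).
missing_rrs() { LC_ALL=C comm -23 "$1" "$2"; }   # IPA needs these; the zone lacks them
extra_rrs()   { LC_ALL=C comm -13 "$1" "$2"; }   # zone serves these; IPA no longer lists them
                                                 # (typical: a retired replica still in _ldap._tcp)

# Render normalized lines back into a zone-file fragment for the DNS team.
zone_fragment() {   # $1 = normalized file, $2 = TTL (default 86400)
    awk -v ttl="${2:-86400}" '{ o = $1; t = $2; $1 = $2 = ""; sub(/^ +/, "")
                                 print o, ttl, "IN", t, $0 }' "$1"
}

# Real-world source for the "present" side (needs network, so not run here):
# ask the external resolver for every owner/type IPA lists.  dig +short prints
# rdata only, in the same textual form, so prefixing owner and type yields the
# normalized format above.
query_present() {   # $1 = normalized wanted file, $2 = external resolver address
    awk '{ print $1, $2 }' "$1" | sort -u | while read -r owner type; do
        dig +short "@$2" "$type" "$owner" | awk -v o="$owner" -v t="$type" '{ print o, t, $0 }'
    done | LC_ALL=C sort -u
}

WORK=$(mktemp -d)
# Constructed stand-in for `ipa dns-update-system-records --dry-run` output.
cat > "$WORK/wanted.txt" <<'EOF'
  IPA DNS records:
    _kerberos._tcp.example.test. 86400 IN SRV 0 100 88 ipa1.example.test.
    _kerberos._tcp.example.test. 86400 IN SRV 0 100 88 ipa2.example.test.
    _kerberos._udp.example.test. 86400 IN SRV 0 100 88 ipa1.example.test.
    _kerberos.example.test. 86400 IN TXT "EXAMPLE.TEST"
    _kpasswd._tcp.example.test. 86400 IN SRV 0 100 464 ipa1.example.test.
    _kpasswd._udp.example.test. 86400 IN SRV 0 100 464 ipa1.example.test.
    _ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa1.example.test.
    _ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa2.example.test.
    _ntp._udp.example.test. 86400 IN SRV 0 100 123 ipa1.example.test.
    ipa-ca.example.test. 86400 IN A 192.0.2.10
EOF
# Constructed stand-in for what the external DNS currently serves: the team
# used TTL 3600, never added _ntp, missed ipa2 under _ldap, and kept a retired
# replica "old.example.test." in _ldap._tcp.
cat > "$WORK/present.txt" <<'EOF'
_kerberos._tcp.example.test. 3600 IN SRV 0 100 88 ipa1.example.test.
_kerberos._tcp.example.test. 3600 IN SRV 0 100 88 ipa2.example.test.
_kerberos._udp.example.test. 3600 IN SRV 0 100 88 ipa1.example.test.
_kerberos.example.test. 3600 IN TXT "EXAMPLE.TEST"
_kpasswd._tcp.example.test. 3600 IN SRV 0 100 464 ipa1.example.test.
_kpasswd._udp.example.test. 3600 IN SRV 0 100 464 ipa1.example.test.
_ldap._tcp.example.test. 3600 IN SRV 0 100 389 ipa1.example.test.
_ldap._tcp.example.test. 3600 IN SRV 0 100 389 old.example.test.
ipa-ca.example.test. 3600 IN A 192.0.2.10
EOF

normalize_rrs "$WORK/wanted.txt"  > "$WORK/wanted.norm"
normalize_rrs "$WORK/present.txt" > "$WORK/present.norm"
missing_rrs "$WORK/wanted.norm" "$WORK/present.norm" > "$WORK/missing.norm"
extra_rrs   "$WORK/wanted.norm" "$WORK/present.norm" > "$WORK/extra.norm"

echo "== records to ADD to the external zone =="
zone_fragment "$WORK/missing.norm"
echo "== records to REVIEW or REMOVE (not in IPA's list) =="
cat "$WORK/extra.norm"
```

Owner names are lower-cased before comparison because DNS names are case-insensitive, and the TTL is dropped so that a locally chosen TTL does not show up as a difference. The dry-run output format is my recollection of the command's output (one zone-file style record per line); if your version prints something different, only `normalize_rrs` needs adjusting.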

[Freeipa-users] integrated DNS vs external DNS

2017-02-23 Thread Iulian Roman
Despite reading the FreeIPA and Red Hat IdM documentation regarding DNS,
it is still unclear to me if and when integrated DNS is mandatory. We
do have an environment with a pretty complex DNS setup, which has been in place
for years, and there are no plans to change it.

If I understood correctly from the documentation, integrated DNS is
mandatory for configuring an AD trust. Is that correct?

Can the integrated DNS be configured as forward only? Do the clients need
to have IPA DNS as a resolver, or can they just use the existing DNS server?