Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env
On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
> Hello!
>
> I've tried to set up my IPA server to work in a multiple domain env. For example, I have 20 instances/servers using mydomain.co.id and another 10 instances/servers using mydomain.com, and I want to manage both of them on the same IPA server.

This is fine. If the alternate domain contains the _kerberos.domain.com DNS TXT record with the realm, Kerberos clients should be able to find the right IPA server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA versions add this record to owned DNS zones automatically.

> On the instance with mydomain.com, I've set up and pointed my DNS to the IPA server. DNS discovery failed, but if I entered the IPA server address manually, the setup succeeded.

If autodiscovery with hosts in your alternate domain does not work, you can also use just

  # ipa-client-install --domain main.ipa.domain.com

and it should find the IPA server.

> ---
> [root@joyoboyo ~]# getent passwd dewangga
> dewangga:*:94001:94001:Dewangga Alam:/home/dewangga:/bin/bash
> [root@joyoboyo ~]# uname -a
> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> ---
>
> Is it normal? Or is there another configuration in krb5.conf? I found something interesting in the [domain_realm] section, but before I change it, I'd better ask the mailing list.

What I see above looks normal to me. [domain_realm] manual mapping can be used if you have DNS autodiscovery disabled or you are missing the DNS TXT record for Kerberos, IIRC.

> Thanks for any help and comments, this is my first time configuring an IPA server :D

Good, I hope you like it :-)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
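As an added illustration of the lookup order Martin describes (this is example code written for this page, not code from the thread or from FreeIPA), the block below resolves a hostname to a Kerberos realm the way an MIT krb5 client does as I understand it: the [domain_realm] section of krb5.conf first (exact host, then parent domains written with a leading dot), then the _kerberos.<domain> TXT record when dns_lookup_realm is on, and finally the uppercased DNS domain of the host. The krb5.conf fragment and the DNS answers are constructed for the example; the hostnames, the realm MYDOMAIN.CO.ID and the legacy.example.net mapping are assumptions. The last case shows why a host in an alternate domain ends up in the wrong realm when neither the mapping nor the TXT record exists.

```python
"""Realm lookup for a host in the order an MIT krb5 client uses (as I
understand it): [domain_realm] mapping, then _kerberos TXT record, then
the uppercased parent domain.  Added example, not FreeIPA code; the
krb5.conf text and DNS answers are constructed, not captured."""
from typing import Callable, Dict, Optional, Tuple

# Constructed krb5.conf fragment: IPA realm MYDOMAIN.CO.ID, plus one
# explicit mapping for a host whose own domain has no _kerberos TXT record.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = MYDOMAIN.CO.ID
 dns_lookup_realm = true

[domain_realm]
 .mydomain.co.id = MYDOMAIN.CO.ID
 mydomain.co.id = MYDOMAIN.CO.ID
 legacy.example.net = MYDOMAIN.CO.ID
"""

# Constructed stand-in for DNS: owner name -> TXT data.  Only the
# alternate zone mydomain.com carries the realm hint here.
SAMPLE_TXT_RECORDS: Dict[str, str] = {
    "_kerberos.mydomain.com": "MYDOMAIN.CO.ID",
}


def fake_txt_lookup(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT query (no network): record data or None."""
    return SAMPLE_TXT_RECORDS.get(name.lower())


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser, enough for [libdefaults] and [domain_realm]."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def realm_from_domain_realm(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Exact hostname first, then each parent domain with a leading dot
    (".mydomain.co.id"); the most specific entry wins."""
    host = host.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return None


def realm_from_txt(host: str, lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """Query _kerberos.<host>, then _kerberos.<parent>, ... down to the
    second-level domain (the bare TLD is never asked)."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        realm = lookup("_kerberos." + ".".join(labels[i:]))
        if realm:
            return realm.strip().strip('"')
    return None


def resolve_realm(host: str, krb5_conf: str,
                  lookup: Callable[[str], Optional[str]] = fake_txt_lookup
                  ) -> Tuple[str, str]:
    """Return (realm, mechanism) where mechanism names the step that matched."""
    conf = parse_krb5_conf(krb5_conf)
    realm = realm_from_domain_realm(host, conf.get("domain_realm", {}))
    if realm:
        return realm, "domain_realm"
    if conf.get("libdefaults", {}).get("dns_lookup_realm", "false").lower() == "true":
        realm = realm_from_txt(host, lookup)
        if realm:
            return realm, "dns_txt"
    # Last resort: guess the realm from the host's own DNS domain.  For a
    # host in an alternate domain this guess is wrong (MYDOMAIN.COM instead
    # of MYDOMAIN.CO.ID), which is the failure the thread is about.
    domain = host.rstrip(".").lower().split(".", 1)[-1]
    return domain.upper(), "domain_guess"


if __name__ == "__main__":
    for h in ("web1.mydomain.co.id", "joyoboyo.mydomain.com",
              "legacy.example.net", "box.other.org"):
        print(h, "->", resolve_realm(h, SAMPLE_KRB5_CONF))
```

Running it with dns_lookup_realm = false shows the point of the mapping: joyoboyo.mydomain.com then falls through to the guessed realm MYDOMAIN.COM, and the only fix on a client without DNS discovery is a [domain_realm] line for .mydomain.com.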
Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env
Hello!

On 05/20/2015 05:30 PM, Martin Kosek wrote:
> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I've tried to set up my IPA server to work in a multiple domain env. For example, I have 20 instances/servers using mydomain.co.id and another 10 instances/servers using mydomain.com, and I want to manage both of them on the same IPA server.
>
> This is fine. If the alternate domain contains the _kerberos.domain.com DNS TXT record with the realm, Kerberos clients should be able to find the right IPA server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA versions add this record to owned DNS zones automatically.

The TXT record says this:

$ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
.. some content skipped ..
$ORIGIN mydomain.com.
_kerberos    TXT    MYDOMAIN.CO.ID
joyoboyo     A      103.xx.yy.98
liquid       A      103.xx.yy.100

Should I change it? Or leave it as is?

[...]

>> Thanks for any help and comments, this is my first time configuring an IPA server :D
>
> Good, I hope you like it :-)

And what if I set up a replica IPA server? Will mydomain.com be distributed to the other, replicated IPA server?

Thanks
Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env
Yes, of course. I will add the NS record to the parent zone when my IPA server is ready for production. :D

Thanks for any comments and help. Cheers! :)

On 05/20/2015 06:02 PM, Petr Spacek wrote:
> On 20.5.2015 12:56, Dewangga Bachrul Alam wrote:
>> Thanks Martin,
>>
>> Better I leave the configuration as is :D
>>
>> So, if I want to add another domain, I just add it and point it to the master IPA server, right? And add the DNS zone, A records, etc. on the IPA server using `ipa dnsrecord-add`. Isn't it?
>
> Yes, + you have to add NS record *to the parent zone* so all clients know which servers are responsible for the new domain.
>
> Petr^2 Spacek
>
>> On 05/20/2015 05:42 PM, Martin Kosek wrote:
>>> On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote:
>>>
>>> [...]
>>>
>>>> Should I change it? Or leave it as is?
>>>
>>> If this is the alternate DNS domain (REALM != DNS domain name), this should be fine and the Kerberos client should be able to tell which KDC/realm is responsible for this domain.
>>>
>>> [...]
>>>
>>>> And what if I set up a replica IPA server? Will mydomain.com be distributed to the other, replicated IPA server?
>>>
>>> Yup, all IPA data are replicated between masters.
Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env
Thanks Martin,

Better I leave the configuration as is :D

So, if I want to add another domain, I just add it and point it to the master IPA server, right? And add the DNS zone, A records, etc. on the IPA server using `ipa dnsrecord-add`. Isn't it?

On 05/20/2015 05:42 PM, Martin Kosek wrote:
> On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote:
>
> [...]
>
>> The TXT record says this:
>>
>> $ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
>> .. some content skipped ..
>> $ORIGIN mydomain.com.
>> _kerberos    TXT    MYDOMAIN.CO.ID
>> joyoboyo     A      103.xx.yy.98
>> liquid       A      103.xx.yy.100
>>
>> Should I change it? Or leave it as is?
>
> If this is the alternate DNS domain (REALM != DNS domain name), this should be fine and the Kerberos client should be able to tell which KDC/realm is responsible for this domain.
>
> [...]
>
>> And what if I set up a replica IPA server? Will mydomain.com be distributed to the other, replicated IPA server?
>
> Yup, all IPA data are replicated between masters.
Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env
On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote:
> Hello!
>
> On 05/20/2015 05:30 PM, Martin Kosek wrote:
>> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> I've tried to set up my IPA server to work in a multiple domain env. For example, I have 20 instances/servers using mydomain.co.id and another 10 instances/servers using mydomain.com, and I want to manage both of them on the same IPA server.
>>
>> This is fine. If the alternate domain contains the _kerberos.domain.com DNS TXT record with the realm, Kerberos clients should be able to find the right IPA server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA versions add this record to owned DNS zones automatically.
>
> The TXT record says this:
>
> $ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
> .. some content skipped ..
> $ORIGIN mydomain.com.
> _kerberos    TXT    MYDOMAIN.CO.ID
> joyoboyo     A      103.xx.yy.98
> liquid       A      103.xx.yy.100
>
> Should I change it? Or leave it as is?

If this is the alternate DNS domain (REALM != DNS domain name), this should be fine and the Kerberos client should be able to tell which KDC/realm is responsible for this domain.

[...]

>>> Is it normal? Or is there another configuration in krb5.conf? I found something interesting in the [domain_realm] section, but before I change it, I'd better ask the mailing list.
>>
>> What I see above looks normal to me. [domain_realm] manual mapping can be used if you have DNS autodiscovery disabled or you are missing the DNS TXT record for Kerberos, IIRC.
>>
>>> Thanks for any help and comments, this is my first time configuring an IPA server :D
>>
>> Good, I hope you like it :-)
>
> And what if I set up a replica IPA server? Will mydomain.com be distributed to the other, replicated IPA server?

Yup, all IPA data are replicated between masters.
Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env
On 05/20/2015 12:56 PM, Dewangga Bachrul Alam wrote:
> Thanks Martin,
>
> Better I leave the configuration as is :D
>
> So, if I want to add another domain, I just add it and point it to the master IPA server, right?

Right, after FreeIPA 3.2 (https://fedorahosted.org/freeipa/ticket/3544), dnszone-add should be enough to generate the DNS record to solve the Kerberos side.

> And add the DNS zone, A records, etc. on the IPA server using `ipa dnsrecord-add`. Isn't it?

Should be.
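Petr's point about the NS record in the parent zone and Martin's answer about dnszone-add together name three record sets an alternate domain needs before its hosts can join and find the KDC: the _kerberos TXT hint in the new zone, the NS delegation in the parent zone, and the _kerberos._udp / _ldap._tcp SRV records of the IPA DNS domain. The block below is an added checker written for this page, not FreeIPA code; it parses answer lines in the format `dig +noall +answer` prints and reports which of those records are present. The dig output is constructed, not captured from a server; the names ipa1/ipa2.mydomain.co.id and the addresses are assumptions, and the test that the NS targets are IPA masters (NS names being a subset of the KDC SRV targets) is my own heuristic, which only holds when every delegated name server is an IPA master.

```python
"""Checks the DNS records an alternate domain needs for IPA clients:
_kerberos TXT in the zone, NS delegation in the parent zone, and KDC/LDAP
SRV records in the IPA DNS domain.  Added example, not FreeIPA code.
Parses 'dig +noall +answer' lines; the sample answers are constructed."""
from typing import Dict, List, NamedTuple, Set

# Constructed dig output, as if gathered from three queries: the parent
# zone (delegation), the alternate zone itself, and the IPA DNS domain.
SAMPLE_DIG_ANSWERS = """\
; constructed: delegation of mydomain.com as seen in the parent zone
mydomain.com.                   86400 IN NS  ipa1.mydomain.co.id.
mydomain.com.                   86400 IN NS  ipa2.mydomain.co.id.
; constructed: records inside the alternate zone
_kerberos.mydomain.com.         86400 IN TXT "MYDOMAIN.CO.ID"
joyoboyo.mydomain.com.          86400 IN A   192.0.2.98
; constructed: service records in the IPA DNS domain
_kerberos._udp.mydomain.co.id.  86400 IN SRV 0 100 88 ipa1.mydomain.co.id.
_kerberos._udp.mydomain.co.id.  86400 IN SRV 0 100 88 ipa2.mydomain.co.id.
_ldap._tcp.mydomain.co.id.      86400 IN SRV 0 100 389 ipa1.mydomain.co.id.
_ldap._tcp.mydomain.co.id.      86400 IN SRV 0 100 389 ipa2.mydomain.co.id.
"""


class RR(NamedTuple):
    name: str    # owner name, lowercased, no trailing dot
    rtype: str   # record type, uppercased
    rdata: str   # rest of the line, untouched


def parse_dig_answers(text: str) -> List[RR]:
    """Parse 'owner ttl class type rdata' lines; skip comments and junk."""
    records: List[RR] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = parts
        records.append(RR(name.rstrip(".").lower(), rtype.upper(), rdata.strip()))
    return records


def _targets(rrs: List[RR], name: str, rtype: str) -> Set[str]:
    """Hostnames named by NS rdata or by the last field of SRV rdata."""
    return {r.rdata.split()[-1].rstrip(".").lower()
            for r in rrs if r.name == name and r.rtype == rtype}


def check_alternate_domain(answers: str, alt_domain: str,
                           ipa_domain: str, realm: str) -> Dict[str, bool]:
    """Return one boolean per requirement; all True means the alternate
    domain is ready for DNS-based client discovery."""
    alt = alt_domain.rstrip(".").lower()
    ipa = ipa_domain.rstrip(".").lower()
    rrs = parse_dig_answers(answers)

    # dig prints TXT data in double quotes; the realm itself is unquoted.
    txt = {r.rdata.strip().strip('"')
           for r in rrs if r.name == f"_kerberos.{alt}" and r.rtype == "TXT"}
    ns = _targets(rrs, alt, "NS")
    kdc = _targets(rrs, f"_kerberos._udp.{ipa}", "SRV")
    ldap = _targets(rrs, f"_ldap._tcp.{ipa}", "SRV")

    return {
        "kerberos_txt_matches_realm": txt == {realm.upper()},
        "parent_delegates_ns": bool(ns),
        # Assumption: delegated name servers should all be IPA masters.
        "ns_are_ipa_masters": bool(ns) and ns <= kdc,
        "kdc_srv_present": bool(kdc),
        "ldap_srv_present": bool(ldap),
    }


if __name__ == "__main__":
    for check, ok in check_alternate_domain(
            SAMPLE_DIG_ANSWERS, "mydomain.com", "mydomain.co.id",
            "MYDOMAIN.CO.ID").items():
        print(f"{'ok ' if ok else 'FAIL'} {check}")
```

To use it against a real setup, concatenate the output of `dig +noall +answer` for the NS records of the new domain at the parent zone's servers, for `_kerberos.<newdomain> TXT`, and for the two SRV names in the IPA domain, and feed that text to check_alternate_domain. A missing NS answer is exactly the case Petr warns about: the zone exists on the IPA master, but nothing outside it can find the master.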