Re: [Freeipa-users] Host aliases in freeipa

2015-03-02 Thread Roderick Johnstone

On 27/02/15 20:04, Simo Sorce wrote:

On Fri, 2015-02-27 at 18:59 +, Roderick Johnstone wrote:

On 27/02/15 18:33, Simo Sorce wrote:

On Fri, 2015-02-27 at 18:19 +, Roderick Johnstone wrote:

Hi

I'm trying to migrate of my NIS databases to freeipa and have got to the
hosts database.

In NIS a typical entry is:
ipaddress canonical_name [aliases...]

but I don't see how to enter the ipaddress or aliases using the ipa
host-* commands. Is that possible?

Maybe this is supposed to be done with the ipa dns commands, but I don't
want freeipa to control the dns as we have an existing external dns
infrastructure to fit into.

How should I configure freeipa to do host lookups for aliases like NIS does?


While NIS supports hosts maps, FreeIPA strongly encourages the use of
DNS, as such we do not have direct means of providing or querying hosts
maps.

Simo.





ok so I have to see how we can run the freeipa servers as dns servers
alongside the corporate servers for our domain.

I'm not sure how to proceed since I've no idea what the issues could be.
Can you give me any hints or point to any docs?


Is the problem that you cannot add entries to the corporate DNS server ?

It is recommended to have a delegation or at least forwarding between
name servers to avoid headaches.

Simo.



Simo

Thanks for your response. We do have delegated access to update to the 
DNS for our domain and also run a couple of name servers ourselves.


The problem is really my ignorance of what any issues might be with 
having ipa manage more name servers in our domain which contains many 
hosts that will not be ipa managed.


We already have a DNS infrastructure and I have seen the Benefits of 
integrated DNS section at http://www.freeipa.org/page/DNS. With regard 
to each bullet point number, my comments and queries are:


1) Our clients will have static addresses so this doesn't seem relevant 
in our case.


2) In my current testing setup we don't have SRV records because DNS is 
not managed by ipa and ipa seems to work ok.


I guess we will need to add SRV records to our DNS manually when we 
bring on line some ipa server replicas, so there could be a win here 
although I wouldn't anticipate the replicas changing much, so maybe this 
is a one-off manual setup without ipa managing DNS. Did I understand 
this correctly?


3) We do not have any AD to trust, at least for the foreseeable future so 
this does not seem relevant in our situation.


4) I'm not sure about this one. Things seem to work at the moment. Is 
this again about managing the records more easily when we bring on line 
replica servers?


Thanks for any clarification or pointers to docs or discussion that you 
can offer.


Roderick

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] Host aliases in freeipa

2015-03-02 Thread Petr Spacek
On 2.3.2015 13:29, Roderick Johnstone wrote:
 On 27/02/15 20:04, Simo Sorce wrote:
 On Fri, 2015-02-27 at 18:59 +, Roderick Johnstone wrote:
 On 27/02/15 18:33, Simo Sorce wrote:
 On Fri, 2015-02-27 at 18:19 +, Roderick Johnstone wrote:
 Hi

 I'm trying to migrate of my NIS databases to freeipa and have got to the
 hosts database.

 In NIS a typical entry is:
 ipaddress canonical_name [aliases...]

 but I don't see how to enter the ipaddress or aliases using the ipa
 host-* commands. Is that possible?

 Maybe this is supposed to be done with the ipa dns commands, but I don't
 want freeipa to control the dns as we have an existing external dns
 infrastructure to fit into.

 How should I configure freeipa to do host lookups for aliases like NIS 
 does?

 While NIS supports hosts maps, FreeIPA strongly encourages the use of
 DNS, as such we do not have direct means of providing or querying hosts
 maps.

 Simo.




 ok so I have to see how we can run the freeipa servers as dns servers
 alongside the corporate servers for our domain.

 I'm not sure how to proceed since I've no idea what the issues could be.
 Can you give me any hints or point to any docs?

 Is the problem that you cannot add entries to the corporate DNS server ?

 It is recommended to have a delegation or at least forwarding between
 name servers to avoid headaches.

 Simo.

 
 Simo
 
 Thanks for your response. We do have delegated access to update to the DNS for
 our domain and also run a couple of name servers ourselves.
 
 The problem is really my ignorance of what any issues might be with having ipa
 manage more name servers in our domain which contains many hosts that will not
 be ipa managed.
 
 We already have a DNS infrastructure and I have seen the Benefits of
 integrated DNS section at http://www.freeipa.org/page/DNS. With regard to
 each bullet point number, my comments and queries are:
 
 1) Our clients will have static addresses so this doesn't seem relevant in our
 case.
 
 2) In my current testing setup we don't have SRV records because DNS is not
 managed by ipa and ipa seems to work ok.
 
 I guess we will need to add SRV records to our DNS manually when we bring on
 line some ipa server replicas, so there could be a win here although I
 wouldn't anticipate the replicas changing much, so maybe this is a one-off
 manual setup without ipa managing DNS. Did I understand this correctly?

Well, SRV records should be *always* present. It is possible to make it work
without them (as you did) but AFAIK such a setup is not tested by us and is not
supported (in RHEL).

Also, by manual configuration you are losing things like failover between
replicas / ability to add-remove replicas at will without client 
reconfiguration.

Please note that you can add SRV records to your DNS servers without any need
to introduce IPA DNS servers.

 3) We do not have any AD to trust, at least for the foreseeable future so this
 does not seem relevant in our situation.
 
 4) I'm not sure about this one. Things seem to work at the moment. Is this
 again about managing the records more easily when we bring on line replica
 servers?

Yes. IPA DNS servers bring convenience but it is not mandatory in any way
(especially if you do not want to use dynamic updates).

 Thanks for any clarification or pointers to docs or discussion that you can
 offer.

Have a nice day!

-- 
Petr^2 Spacek



Re: [Freeipa-users] Host aliases in freeipa

2015-03-02 Thread Simo Sorce
On Mon, 2015-03-02 at 12:29 +, Roderick Johnstone wrote:
 On 27/02/15 20:04, Simo Sorce wrote:
  On Fri, 2015-02-27 at 18:59 +, Roderick Johnstone wrote:
  On 27/02/15 18:33, Simo Sorce wrote:
  On Fri, 2015-02-27 at 18:19 +, Roderick Johnstone wrote:
  Hi
 
  I'm trying to migrate of my NIS databases to freeipa and have got to the
  hosts database.
 
  In NIS a typical entry is:
  ipaddress canonical_name [aliases...]
 
  but I don't see how to enter the ipaddress or aliases using the ipa
  host-* commands. Is that possible?
 
  Maybe this is supposed to be done with the ipa dns commands, but I don't
  want freeipa to control the dns as we have an existing external dns
  infrastructure to fit into.
 
  How should I configure freeipa to do host lookups for aliases like NIS 
  does?
 
  While NIS supports hosts maps, FreeIPA strongly encourages the use of
  DNS, as such we do not have direct means of providing or querying hosts
  maps.
 
  Simo.
 
 
 
 
  ok so I have to see how we can run the freeipa servers as dns servers
  alongside the corporate servers for our domain.
 
  I'm not sure how to proceed since I've no idea what the issues could be.
  Can you give me any hints or point to any docs?
 
  Is the problem that you cannot add entries to the corporate DNS server ?
 
  It is recommended to have a delegation or at least forwarding between
  name servers to avoid headaches.
 
  Simo.
 
 
 Simo
 
 Thanks for your response. We do have delegated access to update to the 
 DNS for our domain and also run a couple of name servers ourselves.
 
 The problem is really my ignorance of what any issues might be with 
 having ipa manage more name servers in our domain which contains many 
 hosts that will not be ipa managed.
 
 We already have a DNS infrastructure and I have seen the Benefits of 
 integrated DNS section at http://www.freeipa.org/page/DNS. With regard 
 to each bullet point number, my comments and queries are:
 
 1) Our clients will have static addresses so this doesn't seem relevant 
 in our case.

Ok, that means you do not expect to need DNS Updates, and I guess you'll
provide DNS entries before the machines are joined to IPA. That works.

 2) In my current testing setup we don't have SRV records because DNS is 
 not managed by ipa and ipa seems to work ok.
 
 I guess we will need to add SRV records to our DNS manually when we 
 bring on line some ipa server replicas, so there could be a win here 
 although I wouldn't anticipate the replicas changing much, so maybe this 
 is a one-off manual setup without ipa managing DNS. Did I understand 
 this correctly?

W/o SRV records you probably had to specify the server manually on the
ipa-client-install command, this means your machines are already tied to
that specific server. So you'll have to also apply modifications to the
machine's sssd.conf file to allow them to find fallback replicas.

 3) We do not have any AD to trust, at least for the foreseeable future so 
 this does not seem relevant in our situation.

ok, we just make sure people are aware that their choice of DNS domain
name affects potentially interesting scenarios down the road.

 4) I'm not sure about this one. Things seem to work at the moment. Is 
 this again about managing the records more easily when we bring on line 
 replica servers?

It is only about ease of use indeed, if you manage your servers
manually, and keep them properly up to date, all should be fine.

 Thanks for any clarification or pointers to docs or discussion that you 
 can offer.

You are welcome, thanks for using FreeIPA

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
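
An added example, not from the thread or the FreeIPA project: a check that a hand-maintained zone lists every replica under each SRV name, which is what lets clients discover replicas and fail over between them as the two replies above describe. The SRV names and ports are those of the sample zone file FreeIPA's installer prints (treat the list as an assumption and compare it with your own); the host names and zone text are constructed, and SRV targets are assumed to be fully qualified.

```python
# SRV owner names and ports from the sample zone file FreeIPA's installer
# prints (assumption: compare with the file your own installer produced).
EXPECTED_SRV = {
    "_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
}

# Constructed zone fragment: ipa1 is complete, ipa2 was added only partly.
SAMPLE_ZONE = """\
_ldap._tcp             IN SRV 0 100 389 ipa1.example.com.
_kerberos._tcp         IN SRV 0 100 88  ipa1.example.com.
_kerberos._udp         IN SRV 0 100 88  ipa1.example.com.
_kerberos-master._tcp  IN SRV 0 100 88  ipa1.example.com.
_kerberos-master._udp  IN SRV 0 100 88  ipa1.example.com.
_kpasswd._tcp          IN SRV 0 100 464 ipa1.example.com.
_kpasswd._udp          IN SRV 0 100 464 ipa1.example.com.
_ldap._tcp             IN SRV 0 100 389 ipa2.example.com.
_kerberos._udp         IN SRV 0 100 88  ipa2.example.com.
"""

def check_srv(zone_text, replicas):
    """List every (service, replica) pair that is missing or on the wrong port."""
    found = {}  # service -> {target host: port}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if "SRV" not in fields[1:]:
            continue
        i = fields.index("SRV", 1)
        try:
            _priority, _weight, port, target = fields[i + 1:i + 5]
            port = int(port)
        except ValueError:
            continue  # not a complete SRV record
        # Works for relative and fully qualified owner names alike.
        service = ".".join(fields[0].lower().split(".")[:2])
        found.setdefault(service, {})[target.rstrip(".").lower()] = port
    problems = []
    for service, port in EXPECTED_SRV.items():
        for replica in replicas:
            got = found.get(service, {}).get(replica.rstrip(".").lower())
            if got is None:
                problems.append(f"{service}: no SRV record for {replica}")
            elif got != port:
                problems.append(f"{service}: {replica} on port {got}, expected {port}")
    return problems
```

Calling `check_srv(SAMPLE_ZONE, ["ipa1.example.com", "ipa2.example.com"])` reports the five services for which the second replica was never published.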



Re: [Freeipa-users] Host aliases in freeipa

2015-03-01 Thread Petr Spacek
On 27.2.2015 21:04, Simo Sorce wrote:
 On Fri, 2015-02-27 at 18:59 +, Roderick Johnstone wrote:
 On 27/02/15 18:33, Simo Sorce wrote:
 On Fri, 2015-02-27 at 18:19 +, Roderick Johnstone wrote:
 Hi

 I'm trying to migrate of my NIS databases to freeipa and have got to the
 hosts database.

 In NIS a typical entry is:
 ipaddress canonical_name [aliases...]

 but I don't see how to enter the ipaddress or aliases using the ipa
 host-* commands. Is that possible?

 Maybe this is supposed to be done with the ipa dns commands, but I don't
 want freeipa to control the dns as we have an existing external dns
 infrastructure to fit into.

 How should I configure freeipa to do host lookups for aliases like NIS 
 does?

 While NIS supports hosts maps, FreeIPA strongly encourages the use of
 DNS, as such we do not have direct means of providing or querying hosts
 maps.

 Simo.




 ok so I have to see how we can run the freeipa servers as dns servers 
 alongside the corporate servers for our domain.

 I'm not sure how to proceed since I've no idea what the issues could be. 
 Can you give me any hints or point to any docs?
 
 Is the problem that you cannot add entries to the corporate DNS server ?
 
 It is recommended to have a delegation or at least forwarding between
 name servers to avoid headaches.

Let me clarify it:
FreeIPA can manage DNS for you, which is an easy thing to do if your corporate
policy allows that.

start with
$ ipa-dns-install
and then add NS and glue records to the parent zones to have proper delegation
to FreeIPA DNS servers.

DNS auto-management makes adding hosts and replicas easier but it is not
required in any way.

If you do not want to manage DNS in FreeIPA you do not have to. For aliases,
ask your DNS admin to use CNAME records to create aliases for the canonical
host name (used in ipa host-add command).

Have a nice day!

-- 
Petr^2 Spacek
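
An added example, not part of the original thread or of FreeIPA: one way to turn NIS hosts-map lines (`ipaddress canonical_name [aliases...]`) into the address and CNAME records suggested above, ready to hand to the DNS admin. The function name, the `example.com` zone and the sample map are constructed, and a name without a dot is assumed to be relative to the zone.

```python
import ipaddress

# Constructed sample NIS hosts map (not from the thread).
SAMPLE_HOSTS = """\
192.0.2.10  web1.example.com  web1 www
192.0.2.11  db1               database   # short names get the zone appended
192.0.2.12  www
"""

def nis_hosts_to_records(hosts_text, zone):
    """Return (records, conflicts); records are (owner, type, rdata) tuples."""
    zone = zone.strip(".").lower()

    def fqdn(name):
        # Assumption: a name without a dot is relative to the zone.
        name = name.rstrip(".").lower()
        return (name if "." in name else f"{name}.{zone}") + "."

    addresses, aliases, conflicts = {}, {}, []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
            canonical = fqdn(fields[1])
        except (ValueError, IndexError):
            conflicts.append(f"line {lineno}: malformed entry")
            continue
        rtype = "A" if addr.version == 4 else "AAAA"
        addresses.setdefault(canonical, set()).add((rtype, str(addr)))
        for alias in map(fqdn, fields[2:]):
            if alias != canonical and aliases.setdefault(alias, canonical) != canonical:
                conflicts.append(f"line {lineno}: {alias} aliases two hosts")
    # A CNAME owner may hold no other records, so an alias that is also a
    # canonical name cannot be published as a CNAME.
    for alias in sorted(set(aliases) & set(addresses)):
        conflicts.append(f"{alias} is both an alias and a canonical name")
        del aliases[alias]
    records = [(n, t, a) for n in sorted(addresses) for t, a in sorted(addresses[n])]
    records += [(a, "CNAME", c) for a, c in sorted(aliases.items())]
    return records, conflicts

if __name__ == "__main__":
    records, conflicts = nis_hosts_to_records(SAMPLE_HOSTS, "example.com")
    for owner, rtype, rdata in records:
        print(f"{owner:<24} IN {rtype:<5} {rdata}")
    for problem in conflicts:
        print("; CONFLICT:", problem)
```

Entries reported as conflicts need a decision by hand before the zone is loaded, since NIS tolerated overlaps that DNS does not.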



Re: [Freeipa-users] Host aliases in freeipa

2015-02-27 Thread Roderick Johnstone

On 27/02/15 18:33, Simo Sorce wrote:

On Fri, 2015-02-27 at 18:19 +, Roderick Johnstone wrote:

Hi

I'm trying to migrate of my NIS databases to freeipa and have got to the
hosts database.

In NIS a typical entry is:
ipaddress canonical_name [aliases...]

but I don't see how to enter the ipaddress or aliases using the ipa
host-* commands. Is that possible?

Maybe this is supposed to be done with the ipa dns commands, but I don't
want freeipa to control the dns as we have an existing external dns
infrastructure to fit into.

How should I configure freeipa to do host lookups for aliases like NIS does?


While NIS supports hosts maps, FreeIPA strongly encourages the use of
DNS, as such we do not have direct means of providing or querying hosts
maps.

Simo.





ok so I have to see how we can run the freeipa servers as dns servers 
alongside the corporate servers for our domain.


I'm not sure how to proceed since I've no idea what the issues could be. 
Can you give me any hints or point to any docs?


Thanks

Roderick



Re: [Freeipa-users] Host aliases in freeipa

2015-02-27 Thread Simo Sorce
On Fri, 2015-02-27 at 18:19 +, Roderick Johnstone wrote:
 Hi
 
 I'm trying to migrate of my NIS databases to freeipa and have got to the 
 hosts database.
 
 In NIS a typical entry is:
 ipaddress canonical_name [aliases...]
 
 but I don't see how to enter the ipaddress or aliases using the ipa 
 host-* commands. Is that possible?
 
 Maybe this is supposed to be done with the ipa dns commands, but I don't 
 want freeipa to control the dns as we have an existing external dns 
 infrastructure to fit into.
 
 How should I configure freeipa to do host lookups for aliases like NIS does?

While NIS supports hosts maps, FreeIPA strongly encourages the use of
DNS, as such we do not have direct means of providing or querying hosts
maps.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Host aliases in freeipa

2015-02-27 Thread Simo Sorce
On Fri, 2015-02-27 at 18:59 +, Roderick Johnstone wrote:
 On 27/02/15 18:33, Simo Sorce wrote:
  On Fri, 2015-02-27 at 18:19 +, Roderick Johnstone wrote:
  Hi
 
  I'm trying to migrate of my NIS databases to freeipa and have got to the
  hosts database.
 
  In NIS a typical entry is:
  ipaddress canonical_name [aliases...]
 
  but I don't see how to enter the ipaddress or aliases using the ipa
  host-* commands. Is that possible?
 
  Maybe this is supposed to be done with the ipa dns commands, but I don't
  want freeipa to control the dns as we have an existing external dns
  infrastructure to fit into.
 
  How should I configure freeipa to do host lookups for aliases like NIS 
  does?
 
  While NIS supports hosts maps, FreeIPA strongly encourages the use of
  DNS, as such we do not have direct means of providing or querying hosts
  maps.
 
  Simo.
 
 
 
 
 ok so I have to see how we can run the freeipa servers as dns servers 
 alongside the corporate servers for our domain.
 
 I'm not sure how to proceed since I've no idea what the issues could be. 
 Can you give me any hints or point to any docs?

Is the problem that you cannot add entries to the corporate DNS server ?

It is recommended to have a delegation or at least forwarding between
name servers to avoid headaches.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
