Re: [Freeipa-users] need info on AD / IPA coexistence
On 03/08/2012 01:40 PM, Sylvain Angers wrote:
> Was anyone successful in hooking their HP iLO or RHEV manager to IPA?

I've connected IPA to the RHEV manager, yes. It works fine. However, it seems to require looking up DNS SRV records to find the IPA servers, so I don't think it works unless you have your own DNS domain for IPA.

Regards,
Siggi

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] need info on AD / IPA coexistence
2012/3/8 Brian Cook bc...@redhat.com:
> Also, I would not use 'delegation record' from AD, use conditional forwarding for *.unix.abcd.ca. Your AD admins should know how to do it.
>
> ---
> Brian Cook
> Solutions Architect, Red Hat, Inc.
> 407-212-7079
>
> On Mar 8, 2012, at 9:04 AM, Simo Sorce wrote:
>> On Thu, 2012-03-08 at 11:54 -0500, Sylvain Angers wrote:
>>> Alright! I am now requesting to our DNS team: please delegate DNS zone unix.abcd.ca to ???
>>
>> The IP address of your IPA server, they will know what questions to ask :)
>>
>>> Question: should the IPA server FQDN be ipaserver.unix.abcd.ca or ipaserver.abcd.ca? Does it matter?
>>
>> It does, the IPA server DNS domain is what matters for the first master. So it should be name.unix.abcd.ca, so that DNS domain = unix.abcd.ca and realm = UNIX.ABCD.CA (if you use the standard configuration).
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York

Hello

Still have the same issue: unable to find 'admin' user with 'getent passwd admin'!

I redid both client and servers, no SELinux, no firewall. Our DNS team did set the SOA for unix.cnppd.lab to point to my IPA server. I had to put a manual entry in /etc/hosts:

165.115.118.21 mtl-ipa01d.unix.cnppd.lab mtl-ipa01d

then did set up my IPA server with the following:

ipa-server-install -a xxx --hostname=mtl-ipa01d.unix.cnppd.lab -n unix.cnppd.lab -p x -r UNIX.CNPPD.LAB --setup-dns --forwarder=165.115.52.21 --forwarder=165.115.51.21

Server host name [mtl-ipa01d.unix.cnppd.lab]:
Warning: skipping DNS resolution of host mtl-ipa01d.unix.cnppd.lab
The IPA Master Server will be configured with
Hostname: mtl-ipa01d.unix.cnppd.lab
IP address: 165.115.118.21
Domain name: unix.cnppd.lab
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [118.115.165.in-addr.arpa.]:
Using reverse zone 118.115.165.in-addr.arpa.
Restarting the directory server
Restarting the KDC
Restarting the web server
Configuring named:
  [1/9]: adding DNS container
  [2/9]: setting up our zone
  [3/9]: setting up reverse zone
  [4/9]: setting up our own record
  [5/9]: setting up kerberos principal
  [6/9]: setting up named.conf
  [7/9]: restarting named
  [8/9]: configuring named to start on boot
  [9/9]: changing resolv.conf to point to ourselves
done configuring named.
==
Setup complete

I did set up my client with:

[root@mtl-vdi01d ~]# ipa-client-install --server=mtl-ipa01d.unix.cnppd.lab --domain=UNIX.CNPPD.LAB --realm=UNIX.CNPPD.LAB --mkhomedir
Discovery was successful!
Hostname: mtl-vdi01d.cn.ca
Realm: UNIX.CNPPD.LAB
DNS Domain: UNIX.CNPPD.LAB
IPA Server: mtl-ipa01d.unix.cnppd.lab
BaseDN: dc=unix,dc=cnppd,dc=lab
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@unix.cnppd.lab:
Enrolled in IPA realm UNIX.CNPPD.LAB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX.CNPPD.LAB
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Client configuration complete.

You can see that IPA did enroll my client:

[root@mtl-ipa01d ~]# ipa host-find
---
2 hosts matched
---
Host name: mtl-ipa01d.unix.cnppd.lab
Principal name: host/mtl-ipa01d.unix.cnppd@unix.cnppd.lab
Keytab: True
Password: False
Managed by: mtl-ipa01d.unix.cnppd.lab

Host name: mtl-vdi01d.cn.ca
Certificate:
Re: [Freeipa-users] need info on AD / IPA coexistence
> is abcd.ca your windows domain ?

Yes.

In this example:

ipa-server-install -a xx \
  --hostname=ipa1.unix.abcd.ca \
  -n unix.abcd.ca \
  -p xxx \
  -r UNIX.ABCD.CA \
  --subject=subject_DN \
  --forwarder=ad_dns.abcd.ca \
  --no-reverse \
  --setup-dns \
  --idmax=number \
  --idstart=1

# --subject: sets the base element for the subject DN of the issued certificates. This defaults to O=realm.
# --no-reverse: does not create a reverse DNS zone when the DNS domain is set up.
# --idmax: ??? Sets the upper bound for IDs which can be assigned by the IPA server. The default value is the ID start value plus 19.
# --idstart=1: will have to check with AD

I guess the IPA server will become the unix master DNS for UNIX. Current unix servers' FQDN will remain on abcd.ca. Current unix servers will have dns, ntp, kdc, ldap from ipa. realm will be equal to domain name = unix.abcd.ca

When I have resolved the getent passwd admin issue I believe I will be able to su - admin on any unix server and will be able to start thinking about what's next, like winsync, then create ipa slave = ipa2.unix.abcd.ca, define SRV in bind unix.abcd.ca, test all our supported Unix platforms, especially AIX. Was anyone successful in hooking their HP iLO or RHEV manager to IPA?

Will have to convince many people to achieve this set-up, but I am sure it is worth it!

Thank you! You guys rock!

Sylvain

2012/3/8 Ondrej Valousek ondr...@s3group.cz:
> Side note: You can manage AD integrated DNS from a unix host easily with just 'nsupdate -g' - so theoretically (ok, I understand you have to have a proper Kerberos TGT...) the IPA client could be able to autoconfigure (create all the necessary SRV records) AD DNS, too. Not sure if we even wanted that, but theoretically it should be possible.
>
> Ondrej
>
> On 03/07/2012 08:11 PM, Simo Sorce wrote:
>> On Wed, 2012-03-07 at 13:38 -0500, Sylvain Angers wrote:
>>> Hello All,
>>>
>>> We are facing the same difficulties here with coexistence with Microsoft AD on the same network. Whenever I run ipa-client-install:
>>>
>>> # ipa-client-install --server=server.abcd.ca --domain=abcd.ca --realm=UNIX
>>> DNS domain 'unix' is not configured for automatic KDC address lookup.
>>> KDC address will be set to fixed value.
>>> Discovery was successful!
>>> Hostname: client.abcd.ca
>>> Realm: UNIX
>>> DNS Domain: abcd.ca
>>> IPA Server: server.abcd.ca
>>> BaseDN: dc=unix
>>
>> is abcd.ca your windows domain ?
>>
>> although we support specifying a realm that is not identical to the DNS domain I strongly suggest you do not do so if you do not want to experience some trouble, and to assign to your UNIX domain its own DNS domain that matches the realm. If you do not do that things can still work, but not w/o some minor annoyances. For example discovery will fail as you found out because the DNS domain is owned by the AD realm. You also have to make sure you properly map realms to domains correctly in various clients.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>
> --
> The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communicati...@s3group.com. Thank You. Silicon and Software Systems Limited. Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18

--
Sylvain Angers
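The manual SRV/TXT work Simo describes when AD must keep all DNS, together with the 'nsupdate -g' route Ondrej mentions and the "define SRV in bind" step above, as an added example (not code from the thread, FreeIPA or AD): a generator for the record set an IPA realm needs in a zone hosted elsewhere, emitted as an nsupdate batch. Domain, realm, master names, addresses (192.0.2.0/24 documentation range) and the AD DNS server name are all assumptions.

```python
"""Emit the DNS records an IPA realm needs when a non-IPA server (e.g. AD)
hosts the zone, as an nsupdate batch.

Added example for this thread, not FreeIPA or AD code. Every name and
address below is an assumption; 192.0.2.0/24 is the documentation range.
"""

# FreeIPA's standard service records as (owner label, port). The realm
# itself is published in a _kerberos TXT record, handled in ipa_records().
SRV_SERVICES = [
    ("_ldap._tcp", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kerberos-master._tcp", 88),
    ("_kerberos-master._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
    ("_ntp._udp", 123),
]


def ipa_records(domain, realm, servers, priority=0, weight=100):
    """Return (owner, rrtype, rdata) tuples, owners and targets fully qualified.

    servers: [(fqdn, ipv4), ...] for every IPA master. Each service gets one
    SRV per master, so a client can fail over when one master is down.
    """
    domain = domain.rstrip(".")
    records = [(f"_kerberos.{domain}.", "TXT", f'"{realm}"')]
    for fqdn, ip in servers:
        fqdn = fqdn.rstrip(".")
        records.append((f"{fqdn}.", "A", ip))
        for label, port in SRV_SERVICES:
            records.append((f"{label}.{domain}.", "SRV",
                            f"{priority} {weight} {port} {fqdn}."))
    return records


def nsupdate_batch(domain, realm, servers, dns_server, ttl=3600):
    """Input for 'nsupdate -g': with -g the update is signed with GSS-TSIG
    from the caller's Kerberos ticket, so that principal must be permitted
    to update the zone on the hosting server.

    Existing RRsets are deleted before the adds so the batch can be re-run
    after adding or retiring a master without leaving stale SRV targets.
    """
    records = ipa_records(domain, realm, servers)
    rrsets = []
    for owner, rrtype, _ in records:
        if (owner, rrtype) not in rrsets:
            rrsets.append((owner, rrtype))
    lines = [f"server {dns_server}"]
    lines += [f"update delete {owner} {rrtype}" for owner, rrtype in rrsets]
    lines += [f"update add {owner} {ttl} IN {rrtype} {rdata}"
              for owner, rrtype, rdata in records]
    lines.append("send")
    return "\n".join(lines) + "\n"


def missing_records(present, required):
    """Records still absent after the DNS team's change: pass what a query
    of the live zone returned and the output of ipa_records()."""
    present = set(present)
    return [rec for rec in required if rec not in present]


if __name__ == "__main__":
    masters = [("ipa1.unix.abcd.ca", "192.0.2.10"),   # constructed
               ("ipa2.unix.abcd.ca", "192.0.2.11")]   # constructed
    print(nsupdate_batch("unix.abcd.ca", "UNIX.ABCD.CA", masters,
                         "ad_dns.abcd.ca"))
```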
Re: [Freeipa-users] need info on AD / IPA coexistence
Hi Again

Our current Linux/AIX servers' FQDN should remain on the abcd.ca domain. I need some advice: should the IPA server FQDN be ipa.abcd.ca or ipa.unix.abcd.ca? And on the Linux/AIX servers, should we add entries for both DNS (IPA and Microsoft AD) in resolv.conf?

domain unix.abcd.ca
search unix.abcd.ca abcd.ca
nameserver ipa_address
nameserver ad_address

Thanks

--
Sylvain Angers
Re: [Freeipa-users] need info on AD / IPA coexistence
On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote:
> Hi Again
>
> Our current Linux/AIX servers' FQDN should remain on the abcd.ca domain. I need some advice: should the IPA server FQDN be ipa.abcd.ca or ipa.unix.abcd.ca?

You can have machines on a different DNS domain with FreeIPA. So you can use unix.abcd.ca for your IPA server and still install clients in abcd.ca.

I think the only thing you should take care of is to make sure an abcd.ca -> UNIX.ABCD.CA mapping in krb5.conf under the [domain_realm] section is available on all machines of the domain, to avoid issues resolving the correct realm for clients in the other domain. On clients this should be automated in the very last release, but the IPA server needs to be configured after install.

> And on the Linux/AIX servers, should we add entries for both DNS (IPA and Microsoft AD) in resolv.conf?

No, that would not work. What you should do is ask your DNS admin to delegate you the unix.abcd.ca zone. Once that is done it doesn't matter which DNS you are querying, they will know who to ask.

If delegation is not possible you could still use named forwarders in both IPA and AD so that each DNS server still knows where to forward requests for the specific domain. This again will allow you to use whatever DNS your network uses and have queries properly forwarded around.

> domain unix.abcd.ca
> search unix.abcd.ca abcd.ca
> nameserver ipa_address
> nameserver ad_address

No, don't do this as a way to not configure the DNS servers, it won't work and will cause really confusing mis-behaviors if the DNS servers themselves do not know how to talk to each other. If delegation of zones or forwarding is properly set up though, then this scheme would allow you to have a fallback when either infrastructure is temporarily unreachable.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
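To see what the [domain_realm] mapping Simo asks for actually decides, here is an added example (not code from the thread, FreeIPA or libkrb5) that models the hostname-to-realm lookup over a constructed krb5.conf: the full hostname is tried first, then each parent domain with a leading dot, most specific first, and a host with no match falls back to its parent domain upper-cased, modelled on libkrb5's fallback. Hostnames, realms and the dc1.abcd.ca entry are assumptions chosen to match the thread's layout.

```python
"""Model how [domain_realm] in krb5.conf maps a hostname to a Kerberos realm.

Added example for the AD / IPA coexistence thread; not FreeIPA or libkrb5
code. Both krb5.conf fragments are constructed: clients live in abcd.ca
(the AD DNS domain) but belong to the UNIX.ABCD.CA IPA realm, and
dc1.abcd.ca is an assumed AD domain controller that must keep mapping to
the AD realm ABCD.CA.
"""

# Constructed: the FreeIPA-style mapping for the layout in the thread.
KRB5_CONF_MAPPED = """
[libdefaults]
 default_realm = UNIX.ABCD.CA
 dns_lookup_realm = false

[domain_realm]
 .unix.abcd.ca = UNIX.ABCD.CA
 unix.abcd.ca = UNIX.ABCD.CA
 .abcd.ca = UNIX.ABCD.CA
 abcd.ca = UNIX.ABCD.CA
 dc1.abcd.ca = ABCD.CA
"""

# Constructed: the same client with no abcd.ca entries, i.e. the situation
# Simo warns about (IPA clients whose DNS domain belongs to AD).
KRB5_CONF_UNMAPPED = """
[libdefaults]
 default_realm = UNIX.ABCD.CA

[domain_realm]
 .unix.abcd.ca = UNIX.ABCD.CA
 unix.abcd.ca = UNIX.ABCD.CA
"""


def parse_krb5_conf(text):
    """Minimal parser for the flat 'key = value' sections used here.

    configparser is avoided on purpose: it treats indented lines as
    continuations, and krb5.conf indents every key.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def candidate_keys(hostname):
    """[domain_realm] keys in lookup order: the host itself, then each parent
    domain with a leading dot, e.g. client.abcd.ca, .abcd.ca, .ca"""
    labels = hostname.lower().rstrip(".").split(".")
    return [".".join(labels)] + ["." + ".".join(labels[i:])
                                 for i in range(1, len(labels))]


def host_realm(conf, hostname):
    """Realm from [domain_realm], or None when no entry matches."""
    mapping = conf.get("domain_realm", {})
    for key in candidate_keys(hostname):
        if key in mapping:
            return mapping[key]
    return None


def fallback_realm(hostname):
    """Modelled on libkrb5's last resort when neither the profile nor DNS maps
    the host: the parent domain upper-cased. For client.abcd.ca that is
    ABCD.CA, the AD realm, so the client would address an AD KDC."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[1:]).upper()


def effective_realm(conf, hostname):
    realm = host_realm(conf, hostname)
    return realm if realm is not None else fallback_realm(hostname)


def misrouted_hosts(conf, hosts, expected_realm):
    """Hosts that this krb5.conf would not treat as members of expected_realm;
    run it over the client list before rolling the file out."""
    return [h for h in hosts if effective_realm(conf, h) != expected_realm]


if __name__ == "__main__":
    mapped = parse_krb5_conf(KRB5_CONF_MAPPED)
    unmapped = parse_krb5_conf(KRB5_CONF_UNMAPPED)
    clients = ["client.abcd.ca", "ipa1.unix.abcd.ca"]   # constructed
    print("without mapping:", misrouted_hosts(unmapped, clients, "UNIX.ABCD.CA"))
    print("with mapping:   ", misrouted_hosts(mapped, clients, "UNIX.ABCD.CA"))
    print("AD DC keeps its realm:", effective_realm(mapped, "dc1.abcd.ca"))
```

Note that a blanket `.abcd.ca = UNIX.ABCD.CA` entry also captures AD hosts in abcd.ca; the exact-host entry for the domain controller wins because it is tried first.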
Re: [Freeipa-users] need info on AD / IPA coexistence
Alright! I am now requesting to our DNS team: please delegate DNS zone unix.abcd.ca to ???

Question: should the IPA server FQDN be ipaserver.unix.abcd.ca or ipaserver.abcd.ca? Does it matter?

thanks

2012/3/8 Simo Sorce s...@redhat.com:
> On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote:
>> Hi Again
>>
>> Our current Linux/AIX servers' FQDN should remain on the abcd.ca domain. I need some advice: should the IPA server FQDN be ipa.abcd.ca or ipa.unix.abcd.ca?
>
> You can have machines on a different DNS domain with FreeIPA. So you can use unix.abcd.ca for your IPA server and still install clients in abcd.ca.
>
> I think the only thing you should take care of is to make sure an abcd.ca -> UNIX.ABCD.CA mapping in krb5.conf under the [domain_realm] section is available on all machines of the domain, to avoid issues resolving the correct realm for clients in the other domain. On clients this should be automated in the very last release, but the IPA server needs to be configured after install.
>
>> And on the Linux/AIX servers, should we add entries for both DNS (IPA and Microsoft AD) in resolv.conf?
>
> No, that would not work. What you should do is ask your DNS admin to delegate you the unix.abcd.ca zone. Once that is done it doesn't matter which DNS you are querying, they will know who to ask.
>
> If delegation is not possible you could still use named forwarders in both IPA and AD so that each DNS server still knows where to forward requests for the specific domain. This again will allow you to use whatever DNS your network uses and have queries properly forwarded around.
>
>> domain unix.abcd.ca
>> search unix.abcd.ca abcd.ca
>> nameserver ipa_address
>> nameserver ad_address
>
> No, don't do this as a way to not configure the DNS servers, it won't work and will cause really confusing mis-behaviors if the DNS servers themselves do not know how to talk to each other. If delegation of zones or forwarding is properly set up though, then this scheme would allow you to have a fallback when either infrastructure is temporarily unreachable.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

--
Sylvain Angers
Re: [Freeipa-users] need info on AD / IPA coexistence
On Thu, 2012-03-08 at 11:54 -0500, Sylvain Angers wrote:
> Alright! I am now requesting to our DNS team: please delegate DNS zone unix.abcd.ca to ???

The IP address of your IPA server, they will know what questions to ask :)

> Question: should the IPA server FQDN be ipaserver.unix.abcd.ca or ipaserver.abcd.ca? Does it matter?

It does, the IPA server DNS domain is what matters for the first master. So it should be name.unix.abcd.ca, so that DNS domain = unix.abcd.ca and realm = UNIX.ABCD.CA (if you use the standard configuration).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] need info on AD / IPA coexistence
If your AD realm is ABCD.CA and you want your unix realm to be UNIX.ABCD.CA then your FQDN should be ipaserver.unix.abcd.ca

When you delegate the zone from AD, you should have at least two IPA servers running bind listed:

ipaserver1.unix.abcd.ad
ipaserver2.unix.abcd.ad

That way if one is down, you can still resolve names.

---
Brian Cook
Solutions Architect, Red Hat, Inc.
407-212-7079

On Mar 8, 2012, at 8:54 AM, Sylvain Angers wrote:
> Alright! I am now requesting to our DNS team: please delegate DNS zone unix.abcd.ca to ???
>
> Question: should the IPA server FQDN be ipaserver.unix.abcd.ca or ipaserver.abcd.ca? Does it matter?
>
> thanks
>
> 2012/3/8 Simo Sorce s...@redhat.com:
>> On Thu, 2012-03-08 at 09:46 -0500, Sylvain Angers wrote:
>>> Hi Again
>>>
>>> Our current Linux/AIX servers' FQDN should remain on the abcd.ca domain. I need some advice: should the IPA server FQDN be ipa.abcd.ca or ipa.unix.abcd.ca?
>>
>> You can have machines on a different DNS domain with FreeIPA. So you can use unix.abcd.ca for your IPA server and still install clients in abcd.ca.
>>
>> I think the only thing you should take care of is to make sure an abcd.ca -> UNIX.ABCD.CA mapping in krb5.conf under the [domain_realm] section is available on all machines of the domain, to avoid issues resolving the correct realm for clients in the other domain. On clients this should be automated in the very last release, but the IPA server needs to be configured after install.
>>
>>> And on the Linux/AIX servers, should we add entries for both DNS (IPA and Microsoft AD) in resolv.conf?
>>
>> No, that would not work. What you should do is ask your DNS admin to delegate you the unix.abcd.ca zone. Once that is done it doesn't matter which DNS you are querying, they will know who to ask.
>>
>> If delegation is not possible you could still use named forwarders in both IPA and AD so that each DNS server still knows where to forward requests for the specific domain. This again will allow you to use whatever DNS your network uses and have queries properly forwarded around.
>>
>>> domain unix.abcd.ca
>>> search unix.abcd.ca abcd.ca
>>> nameserver ipa_address
>>> nameserver ad_address
>>
>> No, don't do this as a way to not configure the DNS servers, it won't work and will cause really confusing mis-behaviors if the DNS servers themselves do not know how to talk to each other. If delegation of zones or forwarding is properly set up though, then this scheme would allow you to have a fallback when either infrastructure is temporarily unreachable.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>
> --
> Sylvain Angers
Re: [Freeipa-users] need info on AD / IPA coexistence
2012/2/23 Simo Sorce s...@redhat.com:
> On Thu, 2012-02-23 at 21:12 -0500, Brian Cook wrote:
>> I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS. Trying to figure out what the problem is. I understand your delegated dns setup. What if the customer must use AD for all DNS?
>
> The only problem you may have is that you have to manually set all the SRV and TXT records. It's tedious but nothing heart breaking. Clients will not be able to do DNS updates if the DNS is not managed by IPA.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

Hello All,

We are facing the same difficulties here with coexistence with Microsoft AD on the same network. Whenever I run ipa-client-install:

# ipa-client-install --server=server.abcd.ca --domain=abcd.ca --realm=UNIX
DNS domain 'unix' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: client.abcd.ca
Realm: UNIX
DNS Domain: abcd.ca
IPA Server: server.abcd.ca
BaseDN: dc=unix
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@UNIX:
Enrolled in IPA realm UNIX
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX
SSSD enabled
*Unable to find 'admin' user with 'getent passwd admin'!*
Recognized configuration: SSSD
NTP enabled
Client configuration complete.

and when I sniff via wireshark while doing getent passwd admin, I get this snippet many times, with all the Microsoft AD servers in the loop:

165.115.52.21 = our windows dns server
165.115.40.149 = our ipa client
165.115.40.144
165.115.126.210 = windows AD domain controller
165.115.212.167 = windows AD domain controller

31.784008 165.115.52.21 -> 165.115.40.149 DNS Standard query response A 165.115.52.21
31.784308 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 TSV=5217133 TSER=0 WS=7
31.784518 165.115.52.21 -> 165.115.40.149 TCP ldap > 37236 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
31.784538 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSV=5217133 TSER=0
31.784873 165.115.40.149 -> 165.115.52.21 LDAP searchRequest(1) "<ROOT>" baseObject
31.785487 165.115.52.21 -> 165.115.40.149 TCP [TCP segment of a reassembled PDU]
31.785505 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=229 Ack=1449 Win=17536 Len=0 TSV=5217134 TSER=13371643
31.785522 165.115.52.21 -> 165.115.40.149 LDAP searchResEntry(1) "<ROOT>"
31.785531 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=229 Ack=2314 Win=20480 Len=0 TSV=5217134 TSER=13371643
31.786016 165.115.40.149 -> 165.115.52.21 DNS Standard query A jac-rg-i01.cn.ca
31.786301 165.115.52.21 -> 165.115.40.149 DNS Standard query response A 165.115.126.210
31.790918 165.115.40.149 -> 165.115.126.210 KRB5 AS-REQ
31.826597 165.115.126.210 -> 165.115.40.149 KRB5 KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
31.827485 165.115.40.149 -> 165.115.52.21 LDAP unbindRequest(2)
31.827518 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [FIN, ACK] Seq=236 Ack=2314 Win=20480 Len=0 TSV=5217176 TSER=13371643
31.827763 165.115.52.21 -> 165.115.40.149 TCP ldap > 37236 [ACK] Seq=2314 Ack=237 Win=65300 Len=0 TSV=13371643 TSER=5217176
31.827786 165.115.52.21 -> 165.115.40.149 TCP ldap > 37236 [FIN, ACK] Seq=2314 Ack=237 Win=65300 Len=0 TSV=13371643 TSER=5217176
31.827795 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=237 Ack=2315 Win=20480 Len=0 TSV=5217177 TSER=13371643
31.827856 165.115.40.149 -> 165.115.52.21 DNS Standard query A gnp-yd-i01.cn.ca
31.828112 165.115.52.21 -> 165.115.40.149 DNS Standard query response A 165.115.207.219
31.828393 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [SYN] Seq=0 Win=14600 Len=0 MSS=1460 TSV=5217177 TSER=0 WS=7
31.860256 165.115.207.219 -> 165.115.40.149 TCP ldap > 56123 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1360 WS=0 TSV=0 TSER=0
31.860313 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSV=5217209 TSER=0
31.860488 165.115.40.149 -> 165.115.207.219 LDAP searchRequest(1) "<ROOT>" baseObject
31.901748 165.115.207.219 -> 165.115.40.149 TCP [TCP segment of a reassembled PDU]
31.901767 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=229 Ack=1349 Win=17536 Len=0 TSV=5217251 TSER=15563619
31.907040 165.115.207.219 -> 165.115.40.149 LDAP searchResEntry(1) "<ROOT>"
31.907054 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=229 Ack=2314 Win=20224 Len=0 TSV=5217256 TSER=15563619
31.907540 165.115.40.149 -> 165.115.52.21 DNS Standard query A
Re: [Freeipa-users] need info on AD / IPA coexistence
On Wed, 2012-03-07 at 13:38 -0500, Sylvain Angers wrote:
> Hello All,
>
> We are facing the same difficulties here with coexistence with Microsoft AD on the same network. Whenever I run ipa-client-install:
>
> # ipa-client-install --server=server.abcd.ca --domain=abcd.ca --realm=UNIX
> DNS domain 'unix' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> Discovery was successful!
> Hostname: client.abcd.ca
> Realm: UNIX
> DNS Domain: abcd.ca
> IPA Server: server.abcd.ca
> BaseDN: dc=unix

is abcd.ca your windows domain ?

although we support specifying a realm that is not identical to the DNS domain I strongly suggest you do not do so if you do not want to experience some trouble, and to assign to your UNIX domain its own DNS domain that matches the realm. If you do not do that things can still work, but not w/o some minor annoyances. For example discovery will fail as you found out because the DNS domain is owned by the AD realm. You also have to make sure you properly map realms to domains correctly in various clients.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] need info on AD / IPA coexistence
Hi,

Subnet? IP addressing will not matter, it's DNS that is the main issue, for me anyway. I can't see how IP / subnets matter?

So, yes, if you have AD as the same realm as IPA then only one will work well from what I can read, IPA has to have its neat auto-discovery/balancing features turned off, or at least hobbled.

So, as an example I have vuw.ac.nz as the AD DNS domain / kerberos realm and then unix.vuw.ac.nz as the sub-domain / sub kerberos realm, with AD delegating DNS to the IPA servers. This way the unix domain is independent but referenced... eg I find the auto-discovery is working fine... So windows clients talk to AD directly, linux clients talk to IPA directly, if the linux clients need to DNS the IPA servers get that for them from AD.

I have some visio diagrams of how I have done it if you want them, it may not be the best way? but with so little architecture info available it's all I have.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Brian Cook [bc...@redhat.com]
Sent: Friday, 24 February 2012 9:59 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] need info on AD / IPA coexistence

> I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different. I have not been able to find good concrete information or BZ's regarding this. I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug or is it a MS-AD issue, etc. I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments. Any help or information would be appreciated.
>
> Thanks,
> Brian
>
> ---
> Brian Cook
> Solutions Architect, West Region
> Red Hat, Inc.
> 407-212-7079
> bc...@redhat.com
Re: [Freeipa-users] need info on AD / IPA coexistence
I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS. Trying to figure out what the problem is. I understand your delegated dns setup. What if the customer must use AD for all DNS?

-Brian

On Feb 23, 2012, at 3:28 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
> Hi,
>
> Subnet? IP addressing will not matter, it's DNS that is the main issue, for me anyway. I can't see how IP / subnets matter?
>
> So, yes, if you have AD as the same realm as IPA then only one will work well from what I can read, IPA has to have its neat auto-discovery/balancing features turned off, or at least hobbled.
>
> So, as an example I have vuw.ac.nz as the AD DNS domain / kerberos realm and then unix.vuw.ac.nz as the sub-domain / sub kerberos realm, with AD delegating DNS to the IPA servers. This way the unix domain is independent but referenced... eg I find the auto-discovery is working fine... So windows clients talk to AD directly, linux clients talk to IPA directly, if the linux clients need to DNS the IPA servers get that for them from AD.
>
> I have some visio diagrams of how I have done it if you want them, it may not be the best way? but with so little architecture info available it's all I have.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Brian Cook [bc...@redhat.com]
> Sent: Friday, 24 February 2012 9:59 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] need info on AD / IPA coexistence
>
>> I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different. I have not been able to find good concrete information or BZ's regarding this. I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug or is it a MS-AD issue, etc. I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments. Any help or information would be appreciated.
>>
>> Thanks,
>> Brian
>>
>> ---
>> Brian Cook
>> Solutions Architect, West Region
>> Red Hat, Inc.
>> 407-212-7079
>> bc...@redhat.com
Re: [Freeipa-users] need info on AD / IPA coexistence
Hi,

Well I can give you how I think this works, but I stand to be corrected...

So, there is auto-discovery for kerberos going on via DNS, but AD's DNS already has such kerberos for its services, so a Linux client is going to try and do this, but it's going to get AD results and not IPA results, so fail, so you have to be specific in commands. For instance on install with IPA DNS I can type

ipa-client-install --mkhomedir

and it figures out the DNS entries of the IPA server(s) and picks one to join via. If you can't do this as you are using AD's DNS then you have to specify the server and domain.

I think this might also impact load balancing across IPA's LDAP/kerberos servers, so if you have hard coded the KDC the client won't use DNS to pick one of the others (assuming you have any).

I assume that any dis-advantage AD suffers from not having its own integrated DNS will also apply to IPA, from my limited reading this seems to be the case.

With joining a Linux client to IPA with its own DNS, DNS also gets updated. If you are using an AD DNS then that is a manual process?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Brian Cook [bc...@redhat.com]
Sent: Friday, 24 February 2012 3:12 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] need info on AD / IPA coexistence

> I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS. Trying to figure out what the problem is. I understand your delegated dns setup. What if the customer must use AD for all DNS?
>
> -Brian
>
> On Feb 23, 2012, at 3:28 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
>> Hi,
>>
>> Subnet? IP addressing will not matter, it's DNS that is the main issue, for me anyway. I can't see how IP / subnets matter?
>>
>> So, yes, if you have AD as the same realm as IPA then only one will work well from what I can read, IPA has to have its neat auto-discovery/balancing features turned off, or at least hobbled.
>>
>> So, as an example I have vuw.ac.nz as the AD DNS domain / kerberos realm and then unix.vuw.ac.nz as the sub-domain / sub kerberos realm, with AD delegating DNS to the IPA servers. This way the unix domain is independent but referenced... eg I find the auto-discovery is working fine... So windows clients talk to AD directly, linux clients talk to IPA directly, if the linux clients need to DNS the IPA servers get that for them from AD.
>>
>> I have some visio diagrams of how I have done it if you want them, it may not be the best way? but with so little architecture info available it's all I have.
>>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>>
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Brian Cook [bc...@redhat.com]
>> Sent: Friday, 24 February 2012 9:59 a.m.
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] need info on AD / IPA coexistence
>>
>>> I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different. I have not been able to find good concrete information or BZ's regarding this. I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug or is it a MS-AD issue, etc. I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments. Any help or information would be appreciated.
>>>
>>> Thanks,
>>> Brian
>>>
>>> ---
>>> Brian Cook
>>> Solutions Architect, West Region
>>> Red Hat, Inc.
>>> 407-212-7079
>>> bc...@redhat.com
Re: [Freeipa-users] need info on AD / IPA coexistence
I think we are doing the same thing here; we seem to have arrived at the same conclusion! I have the AD DNS servers hand off the sub-domain to the IPA servers, so they are the masters for all things Linux/Unix; the reverse IP domains on the IPA servers are slaved from the AD DNS, however, as the subnets are mixed clients. This means I have to add Linux servers manually in the reverse AD zones; not sure what I will do with clients as they are DHCP, have a look to see if I can do DNS updates for a client dynamically.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Craig T [free...@noboost.org]
Sent: Friday, 24 February 2012 3:27 p.m.
To: Brian Cook
Cc: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] need info on AD / IPA coexistence

Hi Brian,

I spent a lot of time on this topic. In the end we decided to do the following:

Microsoft domain: melb.example.com
Linux domain: group.example.com

The Linux DNS server is a slave to the Windows AD DNS servers and a master DNS for group.example.com. All PCs point to our Linux DNS server, which is hosting a slave copy of melb.example.com. Amazingly this all works fine.

Note: at the moment at least, we are keeping two separate user lists. I had sync working at one stage, but couldn't get the group memberships to come over correctly when going from Linux -> AD.

cya
Craig

On Thu, Feb 23, 2012 at 09:12:37PM -0500, Brian Cook wrote:
I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS. Trying to figure out what the problem is. I understand your delegated DNS setup. What if the customer must use AD for all DNS?

-Brian

On Feb 23, 2012, at 3:28 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
Hi,

Subnet? IP addressing will not matter; it's DNS that is the main issue, for me anyway. I can't see IP / subnets matter?
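The layouts discussed above (AD owning the parent zone and either delegating or forwarding the unix sub-domain to IPA, versus AD answering everything itself) differ in exactly one observable way for a Linux client: whether the resolver it points at can return the discovery records that ipa-client-install looks up, namely the _ldap._tcp SRV records and the _kerberos TXT record (the realm) under the IPA domain. The following is an added example, not code from the thread or from the FreeIPA project. It is a deliberately simplified resolver model: vuw.ac.nz and unix.vuw.ac.nz are the names used above, while ipa1.unix.vuw.ac.nz, dc1.vuw.ac.nz and the 10.0.x.x addresses are made up, and the rule that a configured handoff for a sub-tree (delegation with glue, or a conditional forwarder) is consulted before the parent zone's own data is a modeling assumption, not a statement about how Windows DNS or BIND orders those lookups.

```python
"""Added example: which DNS layout lets a Linux client auto-discover IPA
when AD owns the parent zone.  Simplified model with made-up hosts/IPs;
not the behaviour of any real DNS server implementation."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class DnsServer:
    ip: str
    # zone name -> {(owner, rtype): [rdata, ...]} for zones this server is authoritative for
    zones: dict[str, dict[tuple[str, str], list[str]]] = field(default_factory=dict)
    # child zone -> NS hostnames; the glue A records must live in the parent zone
    delegations: dict[str, list[str]] = field(default_factory=dict)
    # child zone -> server IPs the whole sub-tree is forwarded to (conditional forwarding)
    cond_forwarders: dict[str, list[str]] = field(default_factory=dict)
    # where everything this server is not authoritative for is sent
    global_forwarders: list[str] = field(default_factory=list)


SERVERS: dict[str, DnsServer] = {}   # ip -> server, filled by build()


def _in_subtree(qname: str, zone: str) -> bool:
    return qname == zone or qname.endswith("." + zone)


def _closest_zone(srv: DnsServer, qname: str) -> str | None:
    labels = qname.split(".")
    for i in range(len(labels)):                 # longest matching suffix first
        cand = ".".join(labels[i:])
        if cand in srv.zones:
            return cand
    return None


def resolve(server_ip: str, qname: str, qtype: str, depth: int = 0) -> list[str]:
    """Rdata for (qname, qtype) as seen by a client asking the server at server_ip.
    [] means NXDOMAIN / no data / unreachable."""
    if depth > 8 or server_ip not in SERVERS:    # loop guard and "no such server"
        return []
    srv = SERVERS[server_ip]
    qname = qname.lower().rstrip(".")
    # Modeling assumption: a conditional forwarder for the sub-tree wins over local zone data.
    for child, ips in srv.cond_forwarders.items():
        if _in_subtree(qname, child):
            for ip in ips:
                if ans := resolve(ip, qname, qtype, depth + 1):
                    return ans
            return []
    zone = _closest_zone(srv, qname)
    if zone is None:                             # not ours: try the global forwarders
        for ip in srv.global_forwarders:
            if ans := resolve(ip, qname, qtype, depth + 1):
                return ans
        return []
    # A delegated child zone produces a referral; following it needs glue A records in the parent.
    for child, ns_names in srv.delegations.items():
        if _in_subtree(qname, child) and _in_subtree(child, zone) and child != zone:
            for ns in ns_names:
                for glue in srv.zones[zone].get((ns, "A"), []):
                    if ans := resolve(glue, qname, qtype, depth + 1):
                        return ans
            return []
    return list(srv.zones[zone].get((qname, qtype), []))


def discover_ipa(resolver_ip: str, domain: str) -> tuple[str, list[str]] | None:
    """The records ipa-client-install's DNS discovery needs: _kerberos TXT (realm)
    and _ldap._tcp SRV (IPA servers) under the IPA domain.  None = discovery fails."""
    realm = resolve(resolver_ip, f"_kerberos.{domain}", "TXT")
    srv = resolve(resolver_ip, f"_ldap._tcp.{domain}", "SRV")
    if not realm or not srv:
        return None
    return realm[0], [rr.split()[-1] for rr in srv]   # SRV rdata: "prio weight port target"


def build(handoff: str) -> None:
    """Construct the AD and IPA servers; handoff is 'none', 'delegation' or 'forward'."""
    SERVERS.clear()
    ad = DnsServer("10.0.0.1", zones={"vuw.ac.nz": {          # assumed AD DNS / DC address
        ("dc1.vuw.ac.nz", "A"): ["10.0.0.1"],
        ("_ldap._tcp.vuw.ac.nz", "SRV"): ["0 100 389 dc1.vuw.ac.nz"],
    }})
    ipa = DnsServer("10.0.1.1", zones={"unix.vuw.ac.nz": {    # assumed IPA server address
        ("ipa1.unix.vuw.ac.nz", "A"): ["10.0.1.1"],
        ("_kerberos.unix.vuw.ac.nz", "TXT"): ["UNIX.VUW.AC.NZ"],
        ("_ldap._tcp.unix.vuw.ac.nz", "SRV"): ["0 100 389 ipa1.unix.vuw.ac.nz"],
        ("_kerberos._udp.unix.vuw.ac.nz", "SRV"): ["0 100 88 ipa1.unix.vuw.ac.nz"],
    }}, global_forwarders=["10.0.0.1"])                       # IPA forwards the rest to AD
    if handoff == "delegation":
        ad.delegations["unix.vuw.ac.nz"] = ["ipa1.unix.vuw.ac.nz"]
        ad.zones["vuw.ac.nz"][("ipa1.unix.vuw.ac.nz", "A")] = ["10.0.1.1"]   # glue
    elif handoff == "forward":
        ad.cond_forwarders["unix.vuw.ac.nz"] = ["10.0.1.1"]
    SERVERS[ad.ip] = ad
    SERVERS[ipa.ip] = ipa


if __name__ == "__main__":
    for h in ("none", "delegation", "forward"):
        build(h)
        print(f"AD handoff={h:10s} Linux client on AD DNS discovers:",
              discover_ipa("10.0.0.1", "unix.vuw.ac.nz"))
    print("Linux client on IPA DNS resolves dc1.vuw.ac.nz:", resolve("10.0.1.1", "dc1.vuw.ac.nz", "A"))
```

With handoff "none" the client on AD DNS gets nothing back for unix.vuw.ac.nz and discovery returns None, which is the "must use AD for all DNS" case Brian asks about; with a delegation plus glue, or a conditional forwarder, the same client discovers the realm and ipa1, and a client on IPA DNS still resolves AD hosts through IPA's forwarders. Against a real deployment the equivalent check is `dig @<ad-dns-ip> _ldap._tcp.unix.vuw.ac.nz SRV` and `dig @<ad-dns-ip> _kerberos.unix.vuw.ac.nz TXT` from the Linux client; an empty answer there is what breaks auto-discovery and forces `ipa-client-install --domain ... --server ...` instead.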
Re: [Freeipa-users] need info on AD / IPA coexistence
We use group.example.com as the primary domain name, even for Windows clients. So a typical Windows PC has:

ip: 192.168.0.100
dns1: linux-dns-server1
dns2: linux-dns-server2
search: group.example.com

That way the Windows PCs only use their melb.example.com domain for authentication and then switch back to group.example.com to communicate with other hosts on the network. Anyways, this is just how I worked it out, there must be a better way out there...

cya
Craig

On Fri, Feb 24, 2012 at 02:44:59AM +, Steven Jones wrote:
I think we are doing the same thing here; we seem to have arrived at the same conclusion! I have the AD DNS servers hand off the sub-domain to the IPA servers, so they are the masters for all things Linux/Unix; the reverse IP domains on the IPA servers are slaved from the AD DNS, however, as the subnets are mixed clients. This means I have to add Linux servers manually in the reverse AD zones; not sure what I will do with clients as they are DHCP, have a look to see if I can do DNS updates for a client dynamically.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272