[Freeipa-users] Re: HA Client Question

2019-06-17 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 17 Jun 2019, Christian Reiss via FreeIPA-users wrote: Ahh... okay. Assumption: We can throw all the servers and keytabs overboard and start afresh. No restrictions, everyone can get new credentials. Assumption: We are free to pick a domain or a subdomain under the current domain.

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread Christian Reiss via FreeIPA-users
Ahh... okay. Assumption: We can throw all the servers and keytabs overboard and start afresh. No restrictions, everyone can get new credentials. Assumption: We are free to pick a domain or a subdomain under the current domain. Assumption: No AD trust required. Requirement: LDAP lookups must

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
Ah, that was good to know, you’re converting a plain LDAP + Kerberos setup to IPA with integrated LDAP, integrated Kerberos and integrated DNS. What’s important to know is that you cannot really cleanly convert that as the Kerberos tabs will have to be updated. With such a change, updating the

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 17 Jun 2019, Christian Reiss via FreeIPA-users wrote: Hey John, Awesome response :) But I am not setting any DNS records by hand. I did it *prior* to FreeIPA. We are using naked Kerberos and LDAP as-is. So that's where the DNS RRs are coming from. Does "Don't run IPA on a domain that's in

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread Christian Reiss via FreeIPA-users
Hey John, Awesome response :) But I am not setting any DNS records by hand. I did it *prior* to FreeIPA. We are using naked Kerberos and LDAP as-is. So that's where the DNS RRs are coming from. Does "Don't run IPA on a domain that's in use" mean "entire domain" or "Subdomain is OK"? kdcproxy..

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
In that case, you're doing it wrong ;-) Don't manually make DNS records, it's not needed unless you disable the built-in DNS server in IPA. Also, don't try to run IPA on a domain that's in use for something else. Keeping it simple and 'standard' will help you a ton here. For example, if you

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread Christian Reiss via FreeIPA-users
Hey John, thanks again for the detailed information. I do understand this, but maybe I am overthinking it. The current setup (non-IPA) is: company.com domain name, using Kerberos on kerberos.company.com. SRV & TXT records all point to kerberos.company.com. All user principals are

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
What you are trying to do is possible but not recommended. If you make a distinction between what you want your users to 'see' and what your domain technically should be, you can probably resolve it. For IPA, it's important that the domain for the built-in DNS server is not used. That means: do

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread Christian Reiss via FreeIPA-users
Hey John, Thanks for a speedy reply! Sure helped a lot with understanding, though a pity that some clients simply require an "A/CNAME" and do not look up any SRV, like pfSense. And your reverse proxy idea is neat. Just one issue, either technical or lack of understanding: So I went ahead for the domain

[Freeipa-users] Re: HA Client Question

2019-06-17 Thread John Keates via FreeIPA-users
An HA-aware client would use SRV records to locate the server(s) and then connect to every returned instance until a working server is found. And by using locations you can scope the servers you get back. Regarding the single URL: while there are many options, we decided to simply register all