[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-20 Thread Alexander Bokovoy via FreeIPA-users

On pe, 20 maalis 2020, Todd Grayson wrote:
> Oh, thank you, this is our problem set exactly: we might have a dozen
> lab.example.com hosts that are REALM1 and another dozen lab hosts that are in
> the lab.example.com domain but in REALM2, and are trying to get cross-realm trust
> working between them.
>
> We are using host-specific mappings in [domain_realm] to do it. There
> are even [CAPATH] scenarios that customers throw us where REALMA has trust
> for REALMB and REALMC has trust for REALMB, and users from REALMB must be
> trusted by REALMA cluster hosts.  Imagine every insane heterogeneous
> configuration troubleshooting possible.  We set up and simulate issues
> across all 3 using the same lab domains and explicit host mappings in
> [domain_realm] to keep the Kerberos stack straight...
>
> But I have one observation; in your blog you state:
>
> *Since Microsoft Active Directory implementation does not support per-host
> Kerberos realm hint, unlike MIT Kerberos or Heimdal, such request from
> Windows client will always fail. It will be not possible to obtain a
> service ticket in such situation from Windows machines. However, when both
> realms trusting each other are MIT Kerberos, their KDCs and clients can be
> configured for a selective realm discovery.*
>
> On Windows desktops/hosts that we are doing integration labs over with
> mixed KDC implementations, the approach is to use the Windows shell command
> lines ksetup /addkdc and ksetup /addhosttorealmmap to smooth things with
> cross-realm trust configurations ad hoc between everything.  I have not
> researched if global policies will do this as well for Windows hosts in a
> domain... but in a host/desktop-specific scenario it works, and SPNEGO
> authentication from browsers works to cluster web UIs (as do ODBC and
> JDBC connections).


Yep. MIT and Heimdal implement discovery through querying DNS TXT records
automatically and allow you to do it per DNS zone or per host. Windows
doesn't have that, so your only method is to do it by creating the
registry configuration for the Kerberos SSP, by forcing 'ksetup /addhosttorealmmap'
on each Windows machine.


I think you could use GPO to distribute the mappings since they are stored
in the registry.

What I'm not sure about is whether it is possible to apply the same on
Windows DCs for requests that are coming from the Windows clients, so
that you can patch out subsets of an AD domain and redirect requests for
services on those machines to IPA KDCs. The ksetup trick is clearly
client-side; it only applies to the Kerberos SSP on that machine.



> https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ksetup-addkdc
>
> https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ksetup-addhosttorealmmap
>
> What your blog is covering is a good thing to be aware of; I'm going to
> share this with teammates and nominate referencing this in the "Kerberos
> and Hadoop: The Madness Beyond The Gate" gitdocs we use to convey the
> insanity of Hadoop and Kerberos integration for heterogeneous environments.
>
> Thanks for sharing this!


You are welcome. I'll make sure to add the ksetup reference too.



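The per-host [domain_realm] split of one DNS domain across two realms and the [capaths] chaining between REALMA, REALMB and REALMC that Todd describes above, together with the static-versus-DNS-TXT realm discovery Alexander contrasts, modelled in a small script. This is an added example for this archive page, not code from FreeIPA, MIT krb5 or either poster; the krb5.conf contents, realm, host and KDC names, and the stand-in TXT records are all constructed for illustration, and the parser is deliberately minimal (no include directives, no realm_try_domains).

```python
"""Model of how an MIT-style Kerberos client maps a host to a realm and picks a
cross-realm path from a static krb5.conf.  Added example for this thread; not code
from FreeIPA or MIT krb5.  All names, records and config below are constructed."""

# Constructed krb5.conf: two realms share the lab.example.com DNS domain and are
# split per host in [domain_realm]; REALMA and REALMC each trust only REALMB.
KRB5_CONF = """
[libdefaults]
    default_realm = REALM1.LAB.EXAMPLE.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    REALM1.LAB.EXAMPLE.COM = {
        kdc = ipa1.lab.example.com
        kdc = ipa1b.lab.example.com
    }
    REALM2.LAB.EXAMPLE.COM = {
        kdc = ipa2.lab.example.com
    }

[domain_realm]
    .lab.example.com = REALM1.LAB.EXAMPLE.COM
    node07.lab.example.com = REALM2.LAB.EXAMPLE.COM
    node08.lab.example.com = REALM2.LAB.EXAMPLE.COM

[capaths]
    REALMA = {
        REALMC = REALMB
    }
    REALMC = {
        REALMA = REALMB
    }
"""

# Constructed stand-in for _kerberos.<name> TXT records (consulted only when
# dns_lookup_realm = true): one per-zone record and one per-host override.
FAKE_TXT = {
    "_kerberos.other.example.com": "REALMB",
    "_kerberos.node09.other.example.com": "REALMC",
}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], repeatable key = value, key = { ... }."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf


def _flag(conf, name):
    return conf.get("libdefaults", {}).get(name, ["false"])[0].lower() in ("true", "yes", "1")


def host_to_realm(conf, hostname, txt_lookup=FAKE_TXT.get):
    """Static [domain_realm] first (exact host, then parent domains with a leading dot,
    longest first); DNS TXT only if dns_lookup_realm is true; default_realm as last resort."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    for candidate in [host] + ["." + p for p in parents]:
        if candidate in mapping:
            return mapping[candidate]
    if _flag(conf, "dns_lookup_realm"):
        for name in [host] + parents:
            realm = txt_lookup("_kerberos." + name)
            if realm:
                return realm
    return conf["libdefaults"]["default_realm"][0]


def kdcs_for(conf, realm):
    """Static KDC list; with dns_lookup_kdc = false there is no SRV fallback to try."""
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if not kdcs and not _flag(conf, "dns_lookup_kdc"):
        raise LookupError(f"no kdc for {realm} and dns_lookup_kdc is false")
    return kdcs


def ticket_path(conf, client_realm, server_realm):
    """Realms whose TGTs the client must obtain, in order, per [capaths] ('.' = direct).
    libkrb5 would fall back to hierarchical traversal without an entry; not modelled."""
    if client_realm == server_realm:
        return [client_realm]
    hops = conf.get("capaths", {}).get(client_realm, {}).get(server_realm)
    if hops is None:
        raise LookupError(f"no [capaths] entry from {client_realm} to {server_realm}")
    return [client_realm] + [h for h in hops if h != "."] + [server_realm]


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for host in ("node01.lab.example.com", "node07.lab.example.com", "node09.other.example.com"):
        realm = host_to_realm(conf, host)
        print(f"{host:26} -> {realm} via {kdcs_for(conf, realm)}")
    print("REALMA -> REALMC:", " -> ".join(ticket_path(conf, "REALMA", "REALMC")))
```

Running it prints which realm and KDC list each host resolves to and the REALMA -> REALMB -> REALMC path. Two points worth taking from it: an exact host entry in [domain_realm] beats the `.lab.example.com` zone entry regardless of order, so one DNS domain can be split across realms without touching DNS at all; and TXT records are only consulted when dns_lookup_realm is true and no static entry matched, which is why the static-mapping setup discussed in the thread is self-contained. Flipping dns_lookup_realm to true in the constructed config makes the otherwise unmapped node09.other.example.com pick up its per-host TXT record ahead of the zone record.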

[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-20 Thread Todd Grayson via FreeIPA-users
Oh, thank you, this is our problem set exactly: we might have a dozen
lab.example.com hosts that are REALM1 and another dozen lab hosts that are in
the lab.example.com domain but in REALM2, and are trying to get cross-realm trust
working between them.

We are using host-specific mappings in [domain_realm] to do it. There
are even [CAPATH] scenarios that customers throw us where REALMA has trust
for REALMB and REALMC has trust for REALMB, and users from REALMB must be
trusted by REALMA cluster hosts.  Imagine every insane heterogeneous
configuration troubleshooting possible.  We set up and simulate issues
across all 3 using the same lab domains and explicit host mappings in
[domain_realm] to keep the Kerberos stack straight...

But I have one observation; in your blog you state:

*Since Microsoft Active Directory implementation does not support per-host
Kerberos realm hint, unlike MIT Kerberos or Heimdal, such request from
Windows client will always fail. It will be not possible to obtain a
service ticket in such situation from Windows machines. However, when both
realms trusting each other are MIT Kerberos, their KDCs and clients can be
configured for a selective realm discovery.*

On Windows desktops/hosts that we are doing integration labs over with
mixed KDC implementations, the approach is to use the Windows shell command
lines ksetup /addkdc and ksetup /addhosttorealmmap to smooth things with
cross-realm trust configurations ad hoc between everything.  I have not
researched if global policies will do this as well for Windows hosts in a
domain... but in a host/desktop-specific scenario it works, and SPNEGO
authentication from browsers works to cluster web UIs (as do ODBC and
JDBC connections).

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ksetup-addkdc

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ksetup-addhosttorealmmap

What your blog is covering is a good thing to be aware of; I'm going to
share this with teammates and nominate referencing this in the "Kerberos
and Hadoop: The Madness Beyond The Gate" gitdocs we use to convey the
insanity of Hadoop and Kerberos integration for heterogeneous environments.

Thanks for sharing this!

On Fri, Mar 20, 2020 at 1:23 PM Alexander Bokovoy 
wrote:

> On pe, 20 maalis 2020, Todd Grayson via FreeIPA-users wrote:
> >Understood, thanks.  Effectively the DNS based lookup of KDC is
> problematic
> >with clusters (delays, etc) in sprawling environments... so static
> mappings
> >are used in our labs... I understand thats counter intuitive from a
> >management/user perspective and we are talking about a severe edge case
> >here.  Thanks again for the ongoing feedback.
>
> It is a bit more complex than "disable any DNS resolution",
> unfortunately. You can get a glimpse of the current problem domain in my
> blog post from a year ago:
> https://vda.li/en/posts/2019/03/24/Kerberos-host-to-realm-translation/
>

[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-20 Thread Alexander Bokovoy via FreeIPA-users

On pe, 20 maalis 2020, Todd Grayson via FreeIPA-users wrote:

> Understood, thanks.  Effectively the DNS-based lookup of KDC is problematic
> with clusters (delays, etc.) in sprawling environments... so static mappings
> are used in our labs... I understand that's counterintuitive from a
> management/user perspective and we are talking about a severe edge case
> here.  Thanks again for the ongoing feedback.


It is a bit more complex than "disable any DNS resolution",
unfortunately. You can get a glimpse of the current problem domain in my
blog post from a year ago: 
https://vda.li/en/posts/2019/03/24/Kerberos-host-to-realm-translation/




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-20 Thread Todd Grayson via FreeIPA-users
Understood, thanks.  Effectively the DNS-based lookup of KDC is problematic
with clusters (delays, etc.) in sprawling environments... so static mappings
are used in our labs... I understand that's counterintuitive from a
management/user perspective and we are talking about a severe edge case
here.  Thanks again for the ongoing feedback.

On Fri, Mar 20, 2020 at 11:27 AM Charles Hedrick 
wrote:

>
>
> I don’t see why not. We did that for a while. You need to configure
> servers in both krb5.conf and sssd.conf. But I’m not sure why you need
> this. The SRV records are for finding the server based on the Kerberos
> domain. As far as I know it has nothing to do with the hostname of the
> client. As long as krb5.conf and sssd.conf have the proper Kerberos domain,
> the client should be able to look up the servers in that domain.

-- 
Todd Grayson
Principal Customer Operations Engineer
Security SME


[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-20 Thread Charles Hedrick via FreeIPA-users


> On Mar 6, 2020, at 5:31:36 PM, Todd Grayson via FreeIPA-users 
>  wrote:
> 
> Thanks Rob,  Thanks Angus,
> 
> I am aware of how to point the client to the specific IPA server; what I'm 
> struggling more with is freeIPA in an environment where it's not using DNS for 
> domain and realm resolution for Kerberos, which does work today.  
> I should have limited my question to the following:
> 
> Is it possible to use ipaClient but manage static mappings in the krb5.conf 
> [realm] and [domain realm] and run with dns_lookup_kdc=false and 
> dns_lookup_realm=false (including the krb5.conf on the ipa server itself so 
> it's aware of all)?  The question from Angus makes me believe that having the 
> dns_lookup* = false is an unsupported context in an IPA environment.
> 
I don’t see why not. We did that for a while. You need to configure servers in 
both krb5.conf and sssd.conf. But I’m not sure why you need this. The SRV 
records are for finding the server based on the Kerberos domain. As far as I 
know it has nothing to do with the hostname of the client. As long as krb5.conf 
and sssd.conf have the proper Kerberos domain, the client should be able to 
look up the servers in that domain.


> Thanks for your feedback. 


[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-10 Thread Rob Crittenden via FreeIPA-users
Todd Grayson via FreeIPA-users wrote:
> Thanks Rob,  Thanks Angus,
> 
> I am aware of how to point the client to the specific IPA server; what I'm 
> struggling more with is freeIPA in an environment where it's not using DNS for 
> domain and realm resolution for Kerberos, which does work today.  
> I should have limited my question to the following:
> 
> Is it possible to use ipaClient but manage static mappings in the krb5.conf 
> [realm] and [domain realm] and run with dns_lookup_kdc=false and 
> dns_lookup_realm=false (including the krb5.conf on the ipa server itself so 
> it's aware of all)?  The question from Angus makes me believe that having the 
> dns_lookup* = false is an unsupported context in an IPA environment.

Yes.

rob


[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-09 Thread Robbie Harwood via FreeIPA-users
Todd Grayson via FreeIPA-users 
writes:

> Thanks Rob,  Thanks Angus,
>
> I am aware of how to point the client to the specific IPA server; what
> I'm struggling more with is freeIPA in an environment where it's not
> using DNS for domain and realm resolution for Kerberos, which does
> work today.  I should have limited my question to the following:
>
> Is it possible to use ipaClient but manage static mappings in the
> krb5.conf [realm] and [domain realm] and run with dns_lookup_kdc=false
> and dns_lookup_realm=false (including the krb5.conf on the ipa server
> itself so it's aware of all)?  The question from Angus makes me believe
> that having the dns_lookup* = false is an unsupported context in an IPA
> environment.

From the Kerberos perspective, I'm not aware of a reason it wouldn't
work.  I believe some of my test machines are set up this way.

Thanks,
--Robbie




[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-06 Thread Angus Clarke via FreeIPA-users
Aaah, for me that is outside of my knowledge.

Regards
Angus

From: Todd Grayson via FreeIPA-users 
Sent: Friday, March 6, 2020 11:31:36 PM
To: freeipa-users@lists.fedorahosted.org 
Cc: Todd Grayson 
Subject: [Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, 
multi-identity provider lab environment

Thanks Rob,  Thanks Angus,

I am aware of how to point the client to the specific IPA server; what I'm 
struggling more with is freeIPA in an environment where it's not using DNS for 
domain and realm resolution for Kerberos, which does work today.
I should have limited my question to the following:

Is it possible to use ipaClient but manage static mappings in the krb5.conf 
[realm] and [domain realm] and run with dns_lookup_kdc=false and 
dns_lookup_realm=false (including the krb5.conf on the ipa server itself so it's 
aware of all)?  The question from Angus makes me believe that having the 
dns_lookup* = false is an unsupported context in an IPA environment.

Thanks for your feedback.


[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-06 Thread Todd Grayson via FreeIPA-users
Thanks Rob,  Thanks Angus,

I am aware of how to point the client to the specific IPA server; what I'm 
struggling more with is freeIPA in an environment where it's not using DNS for 
domain and realm resolution for Kerberos, which does work today.  
I should have limited my question to the following:

Is it possible to use ipaClient but manage static mappings in the krb5.conf 
[realm] and [domain realm] and run with dns_lookup_kdc=false and 
dns_lookup_realm=false (including the krb5.conf on the ipa server itself so it's 
aware of all)?  The question from Angus makes me believe that having the 
dns_lookup* = false is an unsupported context in an IPA environment.

Thanks for your feedback. 


[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-06 Thread Angus Clarke via FreeIPA-users
Or indeed choose any of your existing DNS domains for the IPA servers; I suspect 
changing the domain at a later time might be troublesome, so maybe pick one 
that has some assured longevity to it!

Regards
Angus


From: Angus Clarke via FreeIPA-users 
Sent: Friday, March 6, 2020 9:49:20 PM
To: FreeIPA users list 
Cc: Todd Grayson ; Angus Clarke 
Subject: [Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, 
multi-identity provider lab environment

Hello

As far as I'm aware, Kerberos requires DNS A records for clients and servers. 
Could you not just set up freeIPA using its internal DNS, using a new domain just 
to add the IPA servers to, and then have forwarding between the different DNS 
systems? Clients can be under any DNS domain you like, as long as they resolve.

Regards
Angus



[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-06 Thread Angus Clarke via FreeIPA-users
Hello

As far as I'm aware, Kerberos requires DNS A records for clients and servers. 
Could you not just set up freeIPA using its internal DNS, using a new domain just 
to add the IPA servers to, and then have forwarding between the different DNS 
systems? Clients can be under any DNS domain you like, as long as they resolve.

Regards
Angus


From: Todd Grayson via FreeIPA-users 
Sent: Friday, March 6, 2020 4:50:25 PM
To: freeipa-users@lists.fedorahosted.org 
Cc: Todd Grayson 
Subject: [Freeipa-users] freeIPA in a complex multi-subnet, multi-domain, 
multi-identity provider lab environment

Hello,

Reading what I can find,  it seems that its almost impossible to use freeIPA 
clients and expect to not have to configure DNS SRV or TEXT records to resolve 
the freeIPA for eveything, which is a shock... is appears to be no simple way 
to just have krb5.conf's that fall back on non DNS related resolution of KDC 
[realm] and [domain_realm] based resolution and mapping is that correct?  
Or am I missing some discussion on how to force a ipaclient setup to handle 
this kind of "krb5.conf" mapping instead of depending on DNS?

I'm tasked with trying to bring IPA into what is a long standing lab 
environment that spans multiple cloud providers, multiple data centers, and 
collections of ad-hoc environments that we need to develop, train, and test 
within.  Naturally this is spanning about 10 or so unique BIND dns domains.   
There are 6 separate active directory domains as well representing the range of 
domain functional levels from 2008 - 2016 that handle their own DNS.

The environment historically includes a mix of MIT Kerberos and Active 
Directory domains, as well as ad-hoc MIT realms that are set up for exercising 
various cross realm trust scenarios from Java, Python and other application 
stacks.

I'm hoping to end up with a few discrete freeIPA domains as a centralized 
static service that can be shared, rather than make everyone set up ad-hoc IPA 
instances, but it's looking like my approach is NOT going to work and we are 
going to have to cookbook ad-hoc IPA setups that will be in conflict with each 
other within the subnets they pop up in.

Am I missing something as far as non-DNS aware freeIPA integration? Or is the 
design really locked down as much as it seems, to where everything must be 
coordinated at the network DNS level to get these lab systems (small clusters) 
scattered across these lab environments to be able to register as IPA clients?

Any pointers to blogs, threads etc that speak to this would be greatly 
appreciated...
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
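As an added example (not code from this thread, from FreeIPA or from MIT krb5), the Python below models the non-DNS resolution the question above asks about: a krb5.conf with dns_lookup_kdc and dns_lookup_realm set to false, explicit kdc lines under [realms], and per-host plus per-domain entries under [domain_realm]. All host, realm and KDC names are constructed. The matching rules follow the krb5.conf(5) manual page (an exact host entry wins, a leading-dot entry covers a domain, a bare domain entry implicitly covers its subdomains unless a dotted entry exists); it is a simplified model of those rules, not the library's own lookup code. The lint function flags the two failure modes such a lab hits: a host that no [domain_realm] entry covers, and a mapped realm that has no kdc line while DNS KDC discovery is switched off.

```python
"""Model of how krb5.conf [domain_realm] and [realms] resolve a host to a
realm and a KDC list with no DNS lookups at all.

Constructed example, not FreeIPA or MIT krb5 code.  The rules are the ones
documented in krb5.conf(5): exact host entry first, then a leading-dot
domain entry, then a bare domain entry, which implicitly covers subdomains.
"""
from collections import defaultdict

# Constructed lab configuration: two MIT realms sharing one DNS domain,
# host-specific overrides, and DNS discovery disabled.  REALM3 deliberately
# has no kdc line so the lint below has something to catch.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = REALM1.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    REALM1.EXAMPLE.COM = {
        kdc = kdc1.realm1.example.com
        kdc = kdc2.realm1.example.com
        admin_server = kdc1.realm1.example.com
    }
    REALM2.EXAMPLE.COM = {
        kdc = kdc1.realm2.example.com
    }
    REALM3.EXAMPLE.COM = {
    }

[domain_realm]
    host07.lab.example.com = REALM2.EXAMPLE.COM
    host08.lab.example.com = REALM2.EXAMPLE.COM
    .lab.example.com = REALM1.EXAMPLE.COM
    lab.example.com = REALM1.EXAMPLE.COM
    corp.example.com = REALM3.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used above.

    Returns {section: {key: [values]}} for flat sections and
    {section: {name: {key: [values]}}} for brace blocks such as [realms].
    Repeated keys (several kdc lines) accumulate into a list.
    """
    conf = defaultdict(dict)
    section, block = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
        elif line == "}":
            block = None
        elif "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                block = conf[section].setdefault(key, {})
            else:
                target = block if block is not None else conf[section]
                target.setdefault(key, []).append(value)
    return conf


def realm_for_host(conf, host):
    """Return the realm [domain_realm] maps HOST to, or None when no entry
    applies.  None is the case to avoid here: the library would then fall
    back to DNS TXT lookup (if enabled) or KDC referrals."""
    mapping = {k.lower(): v[0] for k, v in conf["domain_realm"].items()}
    host = host.lower()
    if host in mapping:                       # exact host relation
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        if "." + domain in mapping:           # explicit domain relation
            return mapping["." + domain]
        if domain in mapping:                 # host relation, implicit domain
            return mapping[domain]
    return None


def kdcs_for_host(conf, host):
    """Resolve HOST to (realm, [kdc, ...]) purely from the file.  Raises when
    dns_lookup_kdc is off and the realm has no kdc line, because the client
    would then have nowhere to send its request."""
    realm = realm_for_host(conf, host)
    if realm is None:
        raise LookupError(f"no [domain_realm] entry covers {host}")
    dns_kdc = conf["libdefaults"].get("dns_lookup_kdc", ["true"])[0]
    kdcs = conf["realms"].get(realm, {}).get("kdc", [])
    if not kdcs and dns_kdc.lower() != "true":
        raise LookupError(f"realm {realm} has no kdc entry and dns_lookup_kdc is false")
    return realm, kdcs


def lint(conf, hosts):
    """List one message per host that cannot be resolved offline; an empty
    list means the file is self-sufficient for those hosts."""
    problems = []
    for h in hosts:
        try:
            kdcs_for_host(conf, h)
        except LookupError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for h in ["host07.lab.example.com", "host01.lab.example.com",
              "db.corp.example.com", "x.other.example.com"]:
        print(h, "->", realm_for_host(conf, h))
    for p in lint(conf, ["host01.lab.example.com", "db.corp.example.com",
                         "x.other.example.com"]):
        print("problem:", p)
```

Run against the constructed file, host07 maps to REALM2 by its exact entry while host01 falls through to the .lab.example.com domain entry; db.corp.example.com maps to REALM3 but is reported because that realm has no kdc line, and x.other.example.com is reported because nothing covers it. Pointing the lint at a real krb5.conf and the host list of one lab cluster is a quick way to confirm the file really does not depend on SRV or TXT records before switching DNS discovery off.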


[Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment

2020-03-06 Thread Rob Crittenden via FreeIPA-users
Todd Grayson via FreeIPA-users wrote:
> Hello,
> 
> Reading what I can find, it seems that it's almost impossible to use freeIPA 
> clients and expect to not have to configure DNS SRV or TXT records to 
> resolve the freeIPA for everything, which is a shock... there appears to be no 
> simple way to just have krb5.conf's that fall back on non-DNS related 
> resolution of KDC [realm] and [domain_realm] based resolution and mapping; 
> is that correct?  Or am I missing some discussion on how to force an ipaclient 
> setup to handle this kind of "krb5.conf" mapping instead of depending on DNS?
> 
> I'm tasked with trying to bring IPA into what is a long standing lab 
> environment that spans multiple cloud providers, multiple data centers, and 
> collections of ad-hoc environments that we need to develop, train, and test 
> within.  Naturally this is spanning about 10 or so unique BIND dns domains.   
> There are 6 separate active directory domains as well representing the range 
> of domain functional levels from 2008 - 2016 that handle their own DNS.
> 
> The environment historically includes a mix of MIT Kerberos and Active 
> Directory domains, as well as ad-hoc MIT realms that are set up for exercising 
> various cross realm trust scenarios from Java, Python and other application 
> stacks.  
> 
> I'm hoping to end up with a few discrete freeIPA domains as a centralized 
> static service that can be shared, rather than make everyone set up ad-hoc IPA 
> instances, but it's looking like my approach is NOT going to work and we are 
> going to have to cookbook ad-hoc IPA setups that will be in conflict with each 
> other within the subnets they pop up in.
> 
> Am I missing something as far as non-DNS aware freeIPA integration? Or is the 
> design really locked down as much as it seems, to where everything must be 
> coordinated at the network DNS level to get these lab systems (small 
> clusters) scattered across these lab environments to be able to register as 
> IPA clients?
> 
> Any pointers to blogs, threads etc that speak to this would be greatly 
> appreciated... 

https://linux.die.net/man/1/ipa-client-install

You can specify which server(s) to connect the client to.

rob