I am running into an issue with FreeIPA and DNS. Perhaps, you guys could point me to a better realm/domain solution.
- I run a private DNS zone on AWS, called "int.example.com" (with PTR and SRV records, etc.)
- I have 3 master-master-master IPAs called ipa1, ipa2, and ipa3 (xxx.int.example.com)
- Realm is EXAMPLE.COM
- Domain is example.com
- example.com records are hosted in a different service (i.e. hover or godaddy)

When I try to install a client I get:

    Discovery was successful!
    Client hostname: ipaclient.int.example.com
    Realm: EXAMPLE.COM
    DNS Domain: example.com
    IPA Server: ipa2.int.example.com
    BaseDN: dc=example,dc=com
    ...
    Enrolled in IPA realm EXAMPLE.COM
    Created /etc/ipa/default.conf
    ...
    Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
    trying https://ipa2.int.example.com/ipa/json
    Traceback (most recent call last):
      File "/sbin/ipa-client-install", line 3128, in <module>
        sys.exit(main())
      ...
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in create_connection
        raise errors.KerberosError(message=unicode(krberr))
    ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "EXAMPLE.COM"

Any idea how I can overcome this issue?

I would like my LDAP basedn to be dc=example,dc=com. I don't want it to take the value of dc=int,dc=example,dc=com if I used the private domain int.example.com instead of example.com.

I was thinking of using a private zone of just example.com instead of int.example.com, but I will have issues since my TLD is on an external service (i.e. hover.com). In this case, I wouldn't be able to resolve test.example.com within the private zone, since AWS Route53 wouldn't resolve outside the zone. I would need to install a DNS forwarder somewhere else, and I don't want to manage it.

I can manually install the client and specify the domain and realm fine, but I am unable to use DNS _srv_ records for failover if ipa1 goes down, for example. Clients are unable to log in with a similar KDC error. And even installing is causing issues, as the output shows "Cannot find KDC for realm...".
Any recommendation or help would be appreciated. I am not sure what the best solution is.
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
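The failure above comes from the split between the Kerberos realm and the DNS domain: with dns_lookup_kdc enabled, MIT krb5 derives the KDC SRV name from the realm (_kerberos._udp.example.com), which is answered by the externally hosted example.com zone, while ipa-client-install's own discovery (_ldap._tcp.<domain>, _kerberos.<domain> TXT) can succeed inside the private int.example.com zone. The script below is an added example, not code from the original post or from FreeIPA: it lists the names a client resolves, reports which zone must hold each, and includes a dependency-free SRV query/parser so the records can be checked from a client without dnspython. The hostnames, the resolver address and the sample response are constructed.

```python
# Added example (not from the original post): which DNS names an IPA/Kerberos
# client resolves during discovery, which zone must answer each, and a
# dependency-free SRV lookup to verify them. Hostnames below are constructed.
import socket
import struct

SRV = 33  # DNS RR type number for SRV


def discovery_names(realm, domain):
    """Names queried when dns_lookup_kdc is on and by ipa-client-install.
    MIT krb5 builds the KDC SRV name from the REALM, not from the DNS domain,
    so realm EXAMPLE.COM is looked up under example.com even when the client
    lives in int.example.com (names are lower-cased only for comparison)."""
    r, d = realm.lower().rstrip("."), domain.lower().rstrip(".")
    return {
        "kdc_udp": f"_kerberos._udp.{r}",
        "kdc_tcp": f"_kerberos._tcp.{r}",
        "ldap": f"_ldap._tcp.{d}",
        "realm_txt": f"_kerberos.{d}",  # TXT record IPA publishes for realm mapping
    }


def authoritative_zone(name, zones):
    """Longest-suffix match: which of the known zones would have to hold `name`."""
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def diagnose(realm, domain, zones):
    """For every discovery name, report (name, zone that must answer it)."""
    return {k: (n, authoritative_zone(n, zones))
            for k, n in discovery_names(realm, domain).items()}


# --- minimal DNS wire format: enough to send and parse an SRV query ---------

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Standard recursive query for `name` IN SRV."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", SRV, 1)


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = data[off]
        if n & 0xC0 == 0xC0:  # compression pointer: remember where we left off
            end = end if end is not None else off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode())
        off += n
    return ".".join(labels), (end if end is not None else off)


def parse_srv_response(data):
    """Return sorted (priority, weight, port, target) tuples from the answers."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = _read_name(data, off)
        off += 4
    out = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", data[off:off + 6])
            target, _ = _read_name(data, off + 6)
            out.append((prio, weight, port, target))
        off += rdlen
    return sorted(out)


def build_srv_response(name, answers, txid=0x1234):
    """Construct a response message; used here to exercise the parser offline."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += _encode_name(name) + struct.pack("!HH", SRV, 1)
    for prio, weight, port, target in answers:
        rdata = struct.pack("!HHH", prio, weight, port) + _encode_name(target)
        # owner name as a pointer (0xC00C) back to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", SRV, 1, 300, len(rdata)) + rdata
    return msg


def lookup_srv(name, resolver="127.0.0.1", timeout=2.0):
    """Live SRV query over UDP/53 against `resolver` (assumed address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data)


if __name__ == "__main__":
    zones = ["int.example.com", "example.com"]
    for key, (n, zone) in diagnose("EXAMPLE.COM", "int.example.com", zones).items():
        print(f"{key:10s} {n:32s} -> must be served by zone {zone}")
```

Running the diagnosis with the poster's layout shows the split directly: the `_ldap._tcp` and `_kerberos` TXT names fall inside the private zone, while both KDC SRV names fall under example.com, the zone hosted outside Route53. Whatever zone answers `_kerberos._udp.example.com` for the clients (the external provider, or explicit `kdc =` entries under `[realms]` in /etc/krb5.conf when DNS cannot be used) is what resolves the "Cannot find KDC" error and restores SRV-based failover.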