Re: [Freeipa-users] External DNS and replication
On 09.03.2017 09:04, Wimmer Ronald (BCC.B.SO) wrote:
>
> *From:* Martin Basti [mailto:mba...@redhat.com]
> *Sent:* Wednesday, 08 March 2017 14:54
> *To:* Wimmer Ronald (BCC.B.SO) <ronald.wim...@oebb.at>; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] External DNS and replication
>
> On 08.03.2017 14:05, Wimmer Ronald (BCC.B.SO) wrote:
>
>> Hi,
>>
>> I am using FreeIPA with external DNS. Is it ok to balance the requests between master and replica with DNS SRV records like this:
>>
>> _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
>> _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
>> _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
>> _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
>> _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
>> _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
>> _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa1.example.net.
>> _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa1.example.net.
>>
>> _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
>> _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
>> _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
>> _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
>> _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
>> _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
>> _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa2.example.net.
>> _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa2.example.net.
>>
>> _kerberos.example.net. 86400 IN TXT "example.net"
>
> Looks good to me
>
>> ipa-ca.example.net. 86400 IN A 10.66.39.130
>>
>> What about the “ipa-ca” entry?
>
> ipa-ca should contain all A/ records of CA replicas
>
> IPA 4.4+ supports the command `ipa dns-update-system-records --dry-run` to get all required records
>
>> Regards,
>> Ronald
>
> Martin
>
> Thanks a lot. In https://access.redhat.com/solutions/98043 Red Hat suggests to use same weight and same priority for the SRV records. Does that make sense?

Priority should be same, otherwise servers with higher priority will work only as backups (preferably you should have priority 0). You can edit weight to distribute more load to beefy servers. Please note that priority and weight are handled on client side, so it will work only on clients that are processing SRV with priority and weight. Some clients may ignore it.

> I also noticed that I have no ntp record. Are IPA clients relying on that entry? Do I have to create these manually?
>
> _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipaserver1.example.net.
> _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipaserver2.example.net.

It depends on your system configuration on clients. This is basically used only by ipa-client-install because AFAIK the ntp client doesn't support SRV lookup. Usually clients have a default NTP client configured so it should work.

> Ronald

-- 
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
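The priority/weight behaviour Martin describes above is decided entirely by the client, per RFC 2782. The following is an added example (not code from this thread or from the FreeIPA project): a small client-side SRV selector run over constructed zone lines in the same layout as the records posted above. It shows that equal priority and equal weight split first choices roughly evenly, while giving one server a higher priority number makes it a pure backup. The function names (`parse_srv_lines`, `rfc2782_order`, `client_try_order`, `first_choice_counts`) and the two sample zones are this example's own.

```python
"""Client-side SRV selection per RFC 2782 (added example, not FreeIPA code).

Parses zone-file-style SRV lines like the ones posted in this thread and
orders the targets the way a priority/weight-aware client does, so the
effect of "same priority, same weight" versus a higher priority number
can be seen directly. Function and sample names are this example's own.
"""
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    name: str      # owner name, e.g. _ldap._tcp.example.net.
    priority: int  # lower number = tried first
    weight: int    # relative share among records of the same priority
    port: int
    target: str


def parse_srv_lines(text):
    """Parse `owner TTL IN SRV prio weight port target` lines; other RR types are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue  # blank line, or an A/TXT record such as the _kerberos TXT
        name, _ttl, _cls, _type, prio, weight, port, target = fields
        records.append(SRV(name, int(prio), int(weight), int(port), target))
    return records


def rfc2782_order(records, rng):
    """Return records in the order a client should try them.

    Ascending priority first. Within one priority, a weighted random draw:
    weight-0 records go to the front of the list, a number in [0, total
    weight] is drawn, and the first record whose running weight sum reaches
    it is taken. Repeat until the priority level is exhausted.
    """
    ordered = []
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec.priority].append(rec)
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while pool:
            draw = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= draw:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def client_try_order(zone_text, service, seed=0):
    """Targets for `service` in try order, for one simulated client lookup."""
    subset = [r for r in parse_srv_lines(zone_text) if r.name == service]
    return [r.target for r in rfc2782_order(subset, random.Random(seed))]


def first_choice_counts(zone_text, service, trials, seed=0):
    """How often each target is a client's first choice over many lookups."""
    subset = [r for r in parse_srv_lines(zone_text) if r.name == service]
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        counts[rfc2782_order(subset, rng)[0].target] += 1
    return counts


# Constructed sample: the balanced layout from the thread (equal priority and weight).
BALANCED_ZONE = """\
_ldap._tcp.example.net.      86400 IN SRV 10 50 389 ipa1.example.net.
_ldap._tcp.example.net.      86400 IN SRV 10 50 389 ipa2.example.net.
_kerberos._udp.example.net.  86400 IN SRV 10 50 88  ipa1.example.net.
_kerberos._udp.example.net.  86400 IN SRV 10 50 88  ipa2.example.net.
_kerberos.example.net.       86400 IN TXT "example.net"
"""

# Constructed sample: ipa2 becomes a backup because its priority number is higher.
BACKUP_ZONE = """\
_ldap._tcp.example.net.      86400 IN SRV 0  100 389 ipa1.example.net.
_ldap._tcp.example.net.      86400 IN SRV 10 100 389 ipa2.example.net.
"""

if __name__ == "__main__":
    svc = "_ldap._tcp.example.net."
    print("balanced first choices:", dict(first_choice_counts(BALANCED_ZONE, svc, 1000)))
    print("backup first choices:  ", dict(first_choice_counts(BACKUP_ZONE, svc, 1000)))
    print("backup try order:      ", client_try_order(BACKUP_ZONE, svc))
```

The draw is seeded so runs are repeatable; a real resolver uses fresh randomness per lookup. Note that the ordering only matters for clients that honour priority and weight, which is exactly Martin's caveat: a client that ignores them will simply take the records in whatever order the resolver returns them.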
Re: [Freeipa-users] External DNS and replication
> From: Martin Basti [mailto:mba...@redhat.com]
> Sent: Wednesday, 08 March 2017 14:54
> To: Wimmer Ronald (BCC.B.SO) <ronald.wim...@oebb.at>; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] External DNS and replication
>
> On 08.03.2017 14:05, Wimmer Ronald (BCC.B.SO) wrote:
>
>> Hi,
>>
>> I am using FreeIPA with external DNS. Is it ok to balance the requests between master and replica with DNS SRV records like this:
>>
>> _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
>> _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
>> _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
>> _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
>> _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
>> _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
>> _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa1.example.net.
>> _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa1.example.net.
>>
>> _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
>> _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
>> _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
>> _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
>> _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
>> _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
>> _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa2.example.net.
>> _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa2.example.net.
>>
>> _kerberos.example.net. 86400 IN TXT "example.net"
>
> Looks good to me
>
>> ipa-ca.example.net. 86400 IN A 10.66.39.130
>>
>> What about the "ipa-ca" entry?
>
> ipa-ca should contain all A/ records of CA replicas
>
> IPA 4.4+ supports the command `ipa dns-update-system-records --dry-run` to get all required records
>
>> Regards,
>> Ronald
>
> Martin

Thanks a lot. In https://access.redhat.com/solutions/98043 Red Hat suggests to use same weight and same priority for the SRV records. Does that make sense?

I also noticed that I have no ntp record. Are IPA clients relying on that entry? Do I have to create these manually?

_ntp._udp.example.net. 86400 IN SRV 10 50 123 ipaserver1.example.net.
_ntp._udp.example.net. 86400 IN SRV 10 50 123 ipaserver2.example.net.

Ronald
Re: [Freeipa-users] External DNS and replication
On 08.03.2017 14:05, Wimmer Ronald (BCC.B.SO) wrote:
>
> Hi,
>
> I am using FreeIPA with external DNS. Is it ok to balance the requests between master and replica with DNS SRV records like this:
>
> _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
> _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
> _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
> _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa1.example.net.
> _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
> _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa1.example.net.
> _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa1.example.net.
> _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa1.example.net.
>
> _kerberos-master._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
> _kerberos-master._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
> _kerberos._tcp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
> _kerberos._udp.example.net. 86400 IN SRV 10 50 88 ipa2.example.net.
> _kpasswd._tcp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
> _kpasswd._udp.example.net. 86400 IN SRV 10 50 464 ipa2.example.net.
> _ldap._tcp.example.net. 86400 IN SRV 10 50 389 ipa2.example.net.
> _ntp._udp.example.net. 86400 IN SRV 10 50 123 ipa2.example.net.
>
> _kerberos.example.net. 86400 IN TXT "example.net"

Looks good to me

> ipa-ca.example.net. 86400 IN A 10.66.39.130
>
> What about the “ipa-ca” entry?

ipa-ca should contain all A/ records of CA replicas

IPA 4.4+ supports the command `ipa dns-update-system-records --dry-run` to get all required records

> Regards,
> Ronald

Martin
Re: [Freeipa-users] External DNS
On Thu, May 07, 2015 at 01:07:58PM -0400, Dmitri Pal wrote:
> On 05/07/2015 04:37 AM, Petr Spacek wrote:
>> On 7.5.2015 09:31, Winfried de Heiden wrote:
>>> Hi all,
>>>
>>> One of the nice FreeIPA features is a host will be added to DNS automatically when the client is installed. However, in some situations using another, external, DNS server is preferred. Now, this is possible but hosts have to be added manually to this other DNS server. Is it possible to handle DNS records by IPA on an external DNS server? Any future plans for this?
>>
>> This automatic update is handled by SSSD and uses standard DNS update protocol. I.e. it should work as long as your 'external' DNS server is configured to accept updates from clients.
>
> This is the update not the creation. Will the update create both A/ and PTR record?

It should also create the record (although I haven't tested right now).

SSSD would so far only create the address family that is used to connect to the server. We have an RFE open to update both:
https://fedorahosted.org/sssd/ticket/2120
and also update the address on startup, not on going offline, which might be too late in some cases:
https://fedorahosted.org/sssd/ticket/1926

But what I see as a potentially more important blocker is that SSSD always uses the GSSAPI credentials of the joined realm. If the external DNS server requires different authentication, the update wouldn't succeed.

> I thought that it will just update IP but not create these records. If I am correct then the question is valid and we need to have a way to create entries in an external data store. Sounds like another use case for the notification system. And for that we do not have firm plans yet but we are collecting the use cases to justify the effort.
>
> Martin do you think it is worth opening a ticket?
>
>> Please refer to documentation to your DNS server for further information and let us know if you encounter some problem.
>>
>> Have a nice day!
>
> -- 
> Thank you,
> Dmitri Pal
>
> Director of Engineering for IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] External DNS
On Sun, May 10, 2015 at 06:53:47PM +0200, Jakub Hrozek wrote:
> SSSD would so far only create the address family that is used to connect to the server. We have an RFE open to update both:
> https://fedorahosted.org/sssd/ticket/2120
> and also update the address on startup, not on going offline, which
                                                     ^ Should be "going online" of course..
> might be too late in some cases:
> https://fedorahosted.org/sssd/ticket/1926
Re: [Freeipa-users] External DNS
On 7.5.2015 09:31, Winfried de Heiden wrote:
> Hi all,
>
> One of the nice FreeIPA features is a host will be added to DNS automatically when the client is installed. However, in some situations using another, external, DNS server is preferred. Now, this is possible but hosts have to be added manually to this other DNS server. Is it possible to handle DNS records by IPA on an external DNS server? Any future plans for this?

This automatic update is handled by SSSD and uses standard DNS update protocol. I.e. it should work as long as your 'external' DNS server is configured to accept updates from clients.

Please refer to documentation to your DNS server for further information and let us know if you encounter some problem.

Have a nice day!

-- 
Petr^2 Spacek
Re: [Freeipa-users] External DNS
On 05/07/2015 04:37 AM, Petr Spacek wrote:
> On 7.5.2015 09:31, Winfried de Heiden wrote:
>> Hi all,
>>
>> One of the nice FreeIPA features is a host will be added to DNS automatically when the client is installed. However, in some situations using another, external, DNS server is preferred. Now, this is possible but hosts have to be added manually to this other DNS server. Is it possible to handle DNS records by IPA on an external DNS server? Any future plans for this?
>
> This automatic update is handled by SSSD and uses standard DNS update protocol. I.e. it should work as long as your 'external' DNS server is configured to accept updates from clients.

This is the update not the creation. Will the update create both A/ and PTR record? I thought that it will just update IP but not create these records. If I am correct then the question is valid and we need to have a way to create entries in an external data store. Sounds like another use case for the notification system. And for that we do not have firm plans yet but we are collecting the use cases to justify the effort.

Martin do you think it is worth opening a ticket?

> Please refer to documentation to your DNS server for further information and let us know if you encounter some problem.
>
> Have a nice day!

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.