Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-23 Thread Brian Candler
On 23/12/2016 10:31, Alexander Bokovoy wrote: ipa-ca used to be a CNAME, you cannot handle CNAME via /etc/hosts. However, multiple replicas cannot be specified via CNAME, so we had to fix https://fedorahosted.org/freeipa/ticket/3547. Absolutely - I have no problem with ipa-ca being real A

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-23 Thread Alexander Bokovoy
On Fri, 23 Dec 2016, Brian Candler wrote: On 23/12/2016 09:47, Brian Candler wrote: /etc/pki/pki-tomcat/ca/CS.cfg:ca.defaultOcspUri=http://ipa-ca.bar.example.com/ca/ocsp However the installation process didn't actually create this DNS entry, so the ipa-ca hostname is not resolvable.

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-23 Thread Brian Candler
On 23/12/2016 09:47, Brian Candler wrote: /etc/pki/pki-tomcat/ca/CS.cfg:ca.defaultOcspUri=http://ipa-ca.bar.example.com/ca/ocsp However the installation process didn't actually create this DNS entry, so the ipa-ca hostname is not resolvable. Aside: I think this was because

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-23 Thread Brian Candler
On 22/12/2016 20:53, Martin Basti wrote: (1) This introduces a concept of an "IPA Primary Domain". Is that just the DNS domain which holds the SRV records which point to the realm's kerberos/ldap servers, or does it have any other function? In other words, what other effects would there be

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-22 Thread Martin Basti
On 22.12.2016 17:53, Brian Candler wrote: On 20/12/2016 08:07, Petr Spacek wrote: I've tried to clarify things in man pages and on web as well. Please have a look to changes and let us know if it is better or not, and preferably what can be improved and in which way The modified deployment

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-22 Thread Brian Candler
On 20/12/2016 08:07, Petr Spacek wrote: I've tried to clarify things in man pages and on web as well. Please have a look to changes and let us know if it is better or not, and preferably what can be improved and in which way The modified deployment page is here:

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-20 Thread Petr Spacek
On 8.12.2016 10:12, Pieter Nagel wrote: > On Thu, Dec 8, 2016 at 10:59 AM, Alexander Bokovoy > wrote: > >> It is really simple: your DNS domain named as your Kerberos realm must >> be under your control, one way or another, to allow automatic discovery >> of resources to

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-09 Thread Alexander Bokovoy
On Fri, 09 Dec 2016, Brian Candler wrote: On 08/12/2016 08:50, Pieter Nagel wrote: Concrete scenario, I wonder if this will work: A greenfields deployment, no other kerberos, no Active Directory. Internal DNS to be int.lautus.net and FreeIPA manages that DNS domain

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-09 Thread Brian Candler
On 08/12/2016 08:50, Pieter Nagel wrote: Concrete scenario, I wonder if this will work: A greenfields deployment, no other kerberos, no Active Directory. Internal DNS to be int.lautus.net and FreeIPA manages that DNS domain and adds internal hosts to it as they

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-08 Thread Jacob Evans
day, December 7, 2016 8:33:41 AM Subject: Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain. Thanks, that helps a lot. Yes and no. What you see with "@ NS ..." is a glue record -- you are supposed to have a glue record for IPA domain i

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-08 Thread Pieter Nagel
On Thu, Dec 8, 2016 at 10:59 AM, Alexander Bokovoy wrote: > It is really simple: your DNS domain named as your Kerberos realm must > be under your control, one way or another, to allow automatic discovery > of resources to work. > Thanks, this explanation makes it crystal

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-08 Thread Alexander Bokovoy
On Thu, 08 Dec 2016, Pieter Nagel wrote: On Wed, Dec 7, 2016 at 3:57 PM, Brian Candler wrote: The Kerberos realm always has a corresponding DNS domain, so realm IPA.LAUTUS.NET has a corresponding DNS domain "ipa.lautus.net". This is the crux of what I find unclear.

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-08 Thread Pieter Nagel
On Wed, Dec 7, 2016 at 3:57 PM, Brian Candler wrote: > The Kerberos realm always has a corresponding DNS domain, so realm > IPA.LAUTUS.NET has a corresponding DNS domain "ipa.lautus.net". > This is the crux of what I find unclear. The docs make it sound as if the DNS domain

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-07 Thread Petr Spacek
On 7.12.2016 14:57, Brian Candler wrote: > On 07/12/2016 08:58, freeIPA users list wrote: >> On Wed, 07 Dec 2016, List dedicated to discussions about use, configuration >> and deployment of the IPA server. wrote: >>> I know the Quick Start Guide and Deployment Recommendations cover this in >>>

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-07 Thread Brian Candler
On 07/12/2016 08:58, freeIPA users list wrote: On Wed, 07 Dec 2016, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: I know the Quick Start Guide and Deployment Recommendations cover this in depth, but there are still some ambiguities. I'm

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-07 Thread Pieter Nagel
Thanks, that helps a lot. Yes and no. What you see with "@ NS ..." is a glue record -- you are > supposed to have a glue record for IPA domain in the upstream domain, > this is how domain delegation works in DNS world. Except what i saw was the other way around. The FreeIPA server has an

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-07 Thread freeIPA users list
On Wed, 07 Dec 2016, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: I know the Quick Start Guide and Deployment Recommendations cover this in depth, but there are still some ambiguities. I'm trying to figure out if a company like us, lautus.net