[Freeipa-devel] ipa-client-install domain autodiscovery - try _kerberos first?

Alexander Bokovoy abokovoy at redhat.com
Thu Aug 27 11:31:05 UTC 2015


On Thu, 27 Aug 2015, Petr Spacek wrote:
>Hello,
>
>while investigating a problem reported on ipa-users, I found out that
>the check_domain() method in ipaclient/ipadiscovery.py checks the _ldap._tcp SRV
>record first.
>
>This seems to be based on the assumption that the IPA client is in the same DNS
>sub-tree as the main IPA domain.
>
>IMHO it would be better to find the _kerberos TXT record in the client's domain (or
>its parent domains) and then check the _ldap._tcp SRV records in the domain pointed to
>by the _kerberos record.
>
>Do you agree? Am I missing something?
Yes, you should be using the _kerberos TXT record first and then following the
domain derived from the realm. However, this would not work for non-FQDN
REALMs (for example, the Kerberos realm IPA). In that case you would have
the KDC explicitly defined in krb5.conf, though.

>Side note:
>ipadiscovery.py could be re-used in ipa-server-install as a mechanism to detect
>attempts to install IPA into a DNS domain which is already occupied by another
>IPA, or AD, or something else.
Correct and makes sense.

-- 
/ Alexander Bokovoy
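The discovery order agreed on above (walk up from the client's domain looking for a _kerberos TXT record, derive the DNS domain from the realm it names, then query that domain's _ldap._tcp SRV records), as an added Python example that is not ipadiscovery.py or any other FreeIPA code. It assumes an injected resolver callable and uses constructed zone data instead of live DNS, and it handles the non-FQDN realm case Alexander raises by stopping instead of guessing a domain.

```python
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str, str], List[str]]  # (owner name, rrtype) -> rdata strings

# Constructed zone data standing in for real DNS (hypothetical names, not a live lookup).
# The client lives in lab.eu.example.com, which has no records of its own;
# only the parent example.com carries the _kerberos TXT and _ldap._tcp SRV records.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("_kerberos.example.com", "TXT"): ["EXAMPLE.COM"],
    ("_ldap._tcp.example.com", "SRV"): ["0 100 389 ipa.example.com."],
}

def sample_resolver(name: str, rrtype: str) -> List[str]:
    return SAMPLE_ZONE.get((name.lower().rstrip("."), rrtype), [])

def parent_domains(domain: str) -> List[str]:
    """lab.eu.example.com -> [lab.eu.example.com, eu.example.com, example.com]."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def find_realm(client_domain: str, resolve: Resolver) -> Optional[Tuple[str, str]]:
    """Walk up from the client's domain; return (realm, domain where the TXT was found)."""
    for dom in parent_domains(client_domain):
        txt = resolve("_kerberos." + dom, "TXT")
        if txt:
            return txt[0].strip('"'), dom
    return None

def ldap_servers(domain: str, resolve: Resolver) -> List[str]:
    """Return host:port targets from _ldap._tcp SRV, lowest priority value first."""
    parsed = []
    for rdata in resolve("_ldap._tcp." + domain, "SRV"):
        prio, _weight, port, target = rdata.split()
        parsed.append((int(prio), target.rstrip(".") + ":" + port))
    return [t for _, t in sorted(parsed)]

def discover(client_domain: str, resolve: Resolver) -> Dict[str, object]:
    found = find_realm(client_domain, resolve)
    if found is None:
        return {"realm": None, "domain": None, "servers": [],
                "note": "no _kerberos TXT record in client domain or its parents"}
    realm, _ = found
    if "." not in realm:  # non-FQDN realm such as IPA: no DNS domain can be derived
        return {"realm": realm, "domain": None, "servers": [],
                "note": "non-FQDN realm; KDC must be set explicitly in krb5.conf"}
    domain = realm.lower()  # realm EXAMPLE.COM -> domain example.com
    return {"realm": realm, "domain": domain,
            "servers": ldap_servers(domain, resolve), "note": ""}
```

The `servers` list is ordered by SRV priority only; weight-based shuffling within a priority is left out to keep the walk-up logic in focus.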