Ok, friends, you helped me to understand one thing. My test scenario with 2 VMs and no DNS server introduces problems with DNS resolution, which seems to be almost necessary. So now I have 2 tasks: 1) properly configure IPA server to work with DNS; 2) make a FreeBSD host (which is a "non-native" client for FreeIPA) join an IPA domain. As problems of the first task can be errantly considered to be problems of the second task, I'll change my approach. First I'll try to set up a Fedora FreeIPA server with DNS and add a "native" Fedora FreeIPA client to it. (I guess a Fedora client: 1) should be easier to set up; 2) is guaranteed to work if configured properly.) Then I'll try to add a FreeBSD client to my working setup and see if the post at FreeBSD forums leads to a working solution. I'll share the results with you, however it may take some time before I set up a working Fedora IPA server - Fedora IPA client setup. If you have any links to proved-to-work tutorials (either in text or video format), please share. Отправлено от <a href="http://r.bluemailapp.com">Blue Mail</a> <head><head><style type="text/css"> pre.blue {white-space: pre-wrap; word-wrap:break-word; font-family: sans-serif; margin-top: 0px} div, p { -ms-word-break: break-all; word-break: break-all; word-break: break-word; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto;hyphens: auto;} a {color: #226EF9 ;}</style></head><body style="zoom: 100%; "><div class="gmail_quote" >На 14.10.2014, в 23:47, Petr Spacek <<a href="mailto:pspacek@redhat.com" target="_blank">pspacek@redhat.com</a>> написал:п<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> <pre class="blue">On 14.10.2014 15:06, Alexander Bokovoy wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> On Tue, 14 Oct 2014, Orkhan Gasimov wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;"> So which way do I go? 1) Change the server VM`s hostname from "<a href="http://ipa1.eurosel.az">ipa1.eurosel.az</a>" to "<a href="http://ipa1.ipa.eurosel.az">ipa1.ipa.eurosel.az</a>" prior to issuing IPA installation command 2) or leave my hostname and contents of /etc/hosts file intact and specify a different FQDN and domain part of the IPA server after issuing IPA installation command? Yes, I know - this is a question Homer Simpson would ask. </blockquote> Allocate <a href="http://ipa.eurosel.az">ipa.eurosel.az</a> domain zone to FreeIPA and install FreeIPA with integrated DNS. Essentially, (1), wi! th domain=<a href="http://ipa.eurosel.az">ipa.eurosel.az</a>, realm <a class="linkifyplus" href="http://IPA.EUROSEL.AZ" title="Linkified from plain text using Linkify Plus (0): IPA.EUROSEL.AZ">IPA.EUROSEL.AZ</a>. If you want later to see how this setup scales, all you would need to do is to make sure the other clients would use <a href="http://ipa1.ipa.eurosel.az">ipa1.ipa.eurosel.az</a> as a resolver. </blockquote> Again - in production it is unnecessary to change resolv.conf if you have proper NS records in place. Petr^2 Spacek <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;"> 14-Oct-14 17:43, Petr Spacek пишет: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #8ae234; padding-left: 1ex;">! On 14.10.2014 13:48, Orkhan Gasimov wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #fcaf3e; padding-left: 1ex;"> I need further assistance with this moment: "specify IPA domain name which is sub-domain of you existing domain (e.g. <a href="http://ipa.eurosel.az">ipa.eurosel.az</a>) ". Currently my FreeIPA server's hostname is <a href="http://ipa1.eurosel.az">ipa1.eurosel.az</a>, and client's hostname is <a href="http://bsd1.eurosel.az">bsd1.eurosel.az</a>. So when running this command: "ipa-server-install --setup-dns --forwarder <ip address="" of="" your="" *existing*<br=""> DNS server>", the installation program detects the hostname of the VM (<a href="http://ipa1.eurosel.az">ipa1.eurosel.az</a>) and offers it as IPA server FQDN; then it offers "<a href="http://eurosel.az">eurosel.az</a>" as the domain name. I can make changes right during the installation process (FQ! DN = <a href="http://ipa1.ipa.eurosel.az">ipa1.ipa.eurosel.az</a> & domain = <a href="http://ipa.eurosel.az">ipa.eurosel.az</a>), but then there will be a conflict with the real hostname and records in the /etc/hosts file. On the other hand, if I change the hostname of the server VM to "<a href="http://ipa1.ipa.eurosel.az">ipa1.ipa.eurosel.az</a>" prior to running the IPA installation program, then the installation program will offer my server an FQDN of "<a href="http://ipa1.ipa.eurosel.az">ipa1.ipa.eurosel.az</a>" and a domain name of "<a href="http://ipa.eurosel.az">ipa.eurosel.az</a>". But doesn`t it mean that my client`s hostname should also be changed to <a href="http://bsd1.ipa.eurosel.az">bsd1.ipa.eurosel.az</a>? I`d like to avoid this, because in production I won`t be able to change the domain part of FQDN for hundreds of clients. </ip></blockquote> Clients don't need to be in the same domain as IPA. The IPA domain in D! NS is necessary to store 'metadata' like SRV and TXT records etc. You can even experiment with IPA servers which are not in the IPA domain but I'm not sure how much it was tested. Alexander can add more details about records required for AD integration and how it should work with clients which are not in the IPA domain. Petr^2 Spacek <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #fcaf3e; padding-left: 1ex;"> 14-Oct-14 16:29, Petr Spacek пишет: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #e9b96e; padding-left: 1ex;"> On 14.10.2014 11:49, Orkhan Gasimov wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ccc; padding-left: 1ex;"> I suspected that problems could arise with DNS, and here they are... In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server has DNS SRV ent! ries" was taken as-is from the how-to on FreeBSD forums. First I commented it out, because was unsure sure if it was appropriate for my simple setup with just 2 VMs and and a bunch of records in /etc/hosts file. After starting sssd, I could get no IPA data with"getent passwd" or "getent group" commands. They I uncommented it and restarted sssd, but things remained the same. Now your advice is: "...add IP address or hostname to the option ipa_server", but you use an arbitrary name like "<a href="http://vm-120.eurosel.az">vm-120.eurosel.az</a>". Could you please explain which host`s FQDN I should put there? If I use "<a href="http://ipa1.eurosel.az">ipa1.eurosel.az</a>", then sssd won`t start (complains about "...Looping detected inside krb5_get_in_tkt..."). If it MUST be a DNS server, then everything changes. And the question then becomes: is it possible to set up a test FreeIPA client-server interaction u! sing only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or one MUST add a third VM and make it a DNS server to facilitate client-server interaction? </blockquote> IPA theoretically can work without DNS records but it requires very careful configuration on clients and is strongly discouraged. If you want to do quick & dirty test, do this: $ ipa-server-install --setup-dns --forwarder <ip address="" of="" your="" *existing*<br=""> DNS server> + specify IPA domain name which is sub-domain of you existing domain (e.g. <a href="http://ipa.eurosel.az">ipa.eurosel.az</a>) + change /etc/resolv.conf on *all* clients to point to IPA server *This is a dirty trick* and it will not work unless all your clients has the IPA server in resolv.conf. It will most likely break when you try to use AD trust with AD clients etc. *In production environment* you should add NS records for <a href="http://ipa.eurosel.az">ipa.eurosel.az</a> domain to the parent DNS zone to create proper delegation. In that case you don't need to fiddle with resolv.conf on all clients. Let me know if you need further assistance. Petr^2 Spacek <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ccc; padding-left: 1ex;"> 14-Oct-14 12:58, Lukas Slebodnik пишет: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ccc; padding-left: 1ex;"> On (14/10/14 10:23), Orkhan Gasimov wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ccc; padding-left: 1ex;"> Thanks to both of you for the interest. Here`s the info you asked: 1. Putting "debug_level = 7" either in [domain] or/and [nss] section of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file located at /var/log/sssd/sssd.log i! s only populated with data when I make some errors in sssd.conf & sssd process fails to start. But that`s the case only if I deliberately introduce some errors; with current configuration sssd starts successfully. 2. My original sssd.conf (without debugs) is as follows (exact copy of what was shown in the post at FreeBSD forums): <hr> [domain/<a href="http://mydomain.com">mydomain.com</a>] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = <a href="http://mydomain.com">mydomain.com</a> id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = <a href="http://ipa1.mydomain.com">ipa1.mydomain.com</a> chpass_provider = ipa ipa_server = _srv_ #our FreeIPA server has DNS SRV entries </blockquote> [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._<a href="http://tcp.eurosel.az">tcp.eurosel.az</a>' ... [resolve_srv_done] (! 0x0020): SRV query failed: [Domain name not found] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved' [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5) DNS discovery of IPA server failed, becuase you just configured few hostnames in /etc/hosts You can add IP address or hostname to the option ipa_server e.g. ipa_server = _srv_, <a href="http://vm-120.eurosel.az">vm-120.eurosel.az</a> BTW In my opinion, it is better to have comment before the optiona and not on the same line :-) </blockquote></blockquote></ip></blockquote></blockquote></blockquote></blockquote></blockquote></pre></blockquote></div></body></head>