<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Adding freeipa-users back to the loop<br>
</p>
<br>
<div class="moz-cite-prefix">On 24.02.2017 12:02, Iulian Roman
wrote:<br>
</div>
<blockquote
cite="mid:CALjJZGm3QsZe2DcHbdwOsSpPT-eq8+cL8DB=5hHqkStPKwxCgQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">On Thu, Feb 23, 2017 at 4:21 PM, Martin
Basti <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
wrote:<br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hello,</p>
<p>comments inline <br>
</p>
</div>
</blockquote>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p> </p>
<span class=""> <br>
<div class="m_-2248727080328273042moz-cite-prefix">On
23.02.2017 15:07, Iulian Roman wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>Despite reading the FreeIPA and Red Hat
IdM documentation regarding DNS, it is
still unclear to me if and when integrated DNS
is mandatory. We do have an
environment with a pretty complex DNS setup,
which has been in place for years, and there are
no plans to change it.<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</span> Integrated DNS is not mandatory at all. Without
IPA DNS you have to manage all IPA system records
manually on the external DNS.<span class=""><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div><br>
</div>
If I understood correctly from the
documentation, integrated DNS is mandatory
for configuring an AD trust. Is that correct? <br>
</div>
</div>
</div>
</blockquote>
</span> No, it is not needed for an AD trust; you need to
add additional DNS records.<span class=""><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div><br>
Can the integrated DNS be configured as
forward-only? Do the clients need to have IPA
DNS as a resolver, or can they just use the
existing DNS server? <br>
</div>
</div>
</div>
</blockquote>
</span> You don't need to install IPA DNS.<br>
<br>
All records IPA needs can be obtained from the command
`ipa dns-update-system-records --dry-run` (IPA 4.4+).<br>
</div>
</blockquote>
<div><br>
</div>
<div>There are some SRV records (_kerberos, _kpasswd, _ldap,
_ntp) reported by the above command which would not be
easy to add to the existing DNS (DNS updates are form-based
and allow only A and CNAME records). When and
by whom are those records used, and what is the consequence
of not adding them to the existing DNS?<br>
<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
These are mainly used by ipa-clients (SSSD) with dynamic
configuration. However, you may configure the client to use a static
configuration (without auto-detection of working IPA servers) and it
should work. However, I'm not sure about the DNS records required for AD
trust, i.e. who the consumer is and whether it is only SSSD or not.<br>
<br>
<br>
<blockquote
cite="mid:CALjJZGm3QsZe2DcHbdwOsSpPT-eq8+cL8DB=5hHqkStPKwxCgQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
<span class="HOEnZb"><font color="#888888"> <br>
Martin<br>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
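<p>The two operational pieces discussed in the thread, getting the IPA system records into an external DNS that has no IPA-integrated zone, and the static-client fallback for when SRV lookup is not available, as an added worked example. This script is not from the thread, from FreeIPA or from Red Hat; it assumes that <code>ipa dns-update-system-records --dry-run</code> prints records in zone-file syntax under an "IPA DNS records:" header (the sample embedded below is constructed to that shape, with made-up hosts, addresses and zone), that the external primary nameserver accepts dynamic updates from the operator (TSIG key or allowed source address), and that <code>dig</code> and <code>nsupdate</code> are installed. The <code>ipa_server</code> and <code>ipa_domain</code> keys are the real sssd.conf keys; a client that is to be fully independent of SRV records also needs explicit <code>kdc</code>/<code>admin_server</code> entries in krb5.conf, since the Kerberos libraries do their own <code>_kerberos</code>/<code>_kpasswd</code> SRV lookups when none are configured.</p>

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): turn the
# output of `ipa dns-update-system-records --dry-run` into (a) an nsupdate
# script for an external zone and (b) a static sssd.conf server list.
# The sample below is CONSTRUCTED to look like the IPA 4.4+ dry-run output;
# hostnames, addresses and the zone are made up.
SAMPLE_DRY_RUN='  IPA DNS records:
    _kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa1.example.com.
    _kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 ipa1.example.com.
    _kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipa1.example.com.
    _kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipa2.example.com.
    _kerberos._udp.example.com. 86400 IN SRV 0 100 88 ipa1.example.com.
    _kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
    _kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 ipa1.example.com.
    _kpasswd._udp.example.com. 86400 IN SRV 0 100 464 ipa1.example.com.
    _ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa1.example.com.
    _ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa2.example.com.
    _ntp._udp.example.com. 86400 IN SRV 0 100 123 ipa1.example.com.
    ipa-ca.example.com. 86400 IN A 192.0.2.10
    ipa-ca.example.com. 86400 IN A 192.0.2.11'

# Keep only resource records of one type. Field 3 is the class ("IN"), so
# the "IPA DNS records:" header is dropped; $1=$1 strips the indentation.
records_of_type() {  # $1 = dry-run text, $2 = RR type (SRV, TXT, A, ...)
    printf '%s\n' "$1" | awk -v t="$2" '$3 == "IN" && $4 == t { $1 = $1; print }'
}

# Records that a form-based DNS front-end accepting only A/CNAME cannot
# take: the SRV records the thread asks about, plus the realm TXT record.
non_form_records() {  # $1 = dry-run text
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 != "A" && $4 != "AAAA" && $4 != "CNAME" { $1 = $1; print }'
}

# nsupdate script for the external primary: the dry-run lines are already
# in zone-file syntax, which is exactly what "update add" expects.
to_nsupdate() {  # $1 = dry-run text, $2 = zone, $3 = primary nameserver
    printf 'server %s\nzone %s\n' "$3" "$2"
    printf '%s\n' "$1" | awk '$3 == "IN" { $1 = $1; print "update add " $0 }'
    printf 'send\n'
}

# The IPA servers behind _ldap._tcp, comma-separated with the trailing dot
# removed, in the form "ipa_server =" in sssd.conf expects.
static_ipa_servers() {  # $1 = dry-run text
    records_of_type "$1" SRV | awk '
        $1 ~ /^_ldap\._tcp\./ { sub(/\.$/, "", $8); s = s (s == "" ? "" : ", ") $8 }
        END { print s }'
}

# Static client configuration: explicit server list and no "_srv_" entry,
# so SSSD never needs the SRV records the external DNS may lack.
static_sssd_conf() {  # $1 = dry-run text, $2 = IPA domain
    printf '[domain/%s]\nipa_server = %s\nipa_domain = %s\n' \
        "$2" "$(static_ipa_servers "$1")" "$2"
}

# Ask an external resolver for every SRV name IPA expects and report the
# missing ones. Needs network access and dig, so it is defined but not run.
check_srv() {  # $1 = dry-run text, $2 = resolver address
    records_of_type "$1" SRV | awk '{ print $1 }' | sort -u | while read -r name; do
        if dig +short SRV "$name" @"$2" | grep -q .; then
            printf 'ok      %s\n' "$name"
        else
            printf 'MISSING %s\n' "$name"
        fi
    done
}

echo '# records the A/CNAME-only form cannot add:'
non_form_records "$SAMPLE_DRY_RUN"
echo '# nsupdate script for the external primary:'
to_nsupdate "$SAMPLE_DRY_RUN" example.com ns1.example.com
echo '# static sssd.conf fragment:'
static_sssd_conf "$SAMPLE_DRY_RUN" example.com
```

<p>Against a real server, replace the constructed sample with <code>ipa dns-update-system-records --dry-run</code> output, feed the generated script to <code>nsupdate -k</code> with the zone's TSIG key, and then run <code>check_srv</code> against the resolver the clients actually use; a "MISSING" line is exactly the case where the client has to fall back to the static configuration above.</p>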
</body>
</html>