[Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect

Ondrej Valousek ondrejv at s3group.cz
Thu Jun 30 13:52:21 UTC 2011


> The KDC is just trying to look up a service that was requested, it was the client that requested this host. Note that the host name used 
> is the detected IPA server. This can often be wrong if there is another server in your network with SRV records (such as AD).
Apparently not the KDC. I had to fix the resolv.conf on the *client* in order to resolve the problem. The problem was in the reverse records: the 
company DNS server returned polaris.prague.s3group.com (this rendered the error on the KDC) for the IP of the IPA server, whereas the correct 
one should be polaris.example.com (as per the DNS server running on the IPA server). When the client's resolv.conf pointed to the company 
DNS, it did not work. I had to fix resolv.conf manually to make it work.
>
> The resolver is a bit of a chicken and egg problem. Hard to look anything up if you don't have one configured.
>
> The installer should prompt that the detected settings are ok. Were they ok and we still went to the wrong place?
>
Ok, let me explain it more. The machine I was running ipa-client-install on was using the company DNS server. On that DNS server I made a 
forwarding rule for the 'example.com' domain. Therefore, once I ran

# ipa-client-install --domain=example.com

... the tool was able to detect everything correctly, BUT the wrong DNS server (which was left behind in /etc/resolv.conf) returned wrong 
names from its reverse zone.

I believe it should be fairly easy for the installer to do a few sanity checks to see whether the reverse DNS lookup works well...

Ondrej
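The sanity check proposed above, forward and reverse lookups of the detected IPA server agreeing with each other, is small enough to show in full. The following Python is an added example written for this page, not FreeIPA's installer code. It models the situation in the thread with constructed resolver answers (the address 192.0.2.10 and the two dictionaries are made up for the example; the host names are the ones from the post), so it runs offline, and it also carries a live variant that asks whatever resolver /etc/resolv.conf currently points at. The background it relies on is that MIT Kerberos canonicalizes a service host name through the PTR record unless `rdns = false` is set in krb5.conf, which is why a stale reverse zone turns into a Kerberos error rather than a DNS one.

```python
"""Check that forward and reverse DNS agree for a discovered IPA server.

Added example for this thread, not part of FreeIPA. The resolver data
below is constructed to mirror the post: the company DNS forwards the
forward zone for example.com to the IPA server but answers PTR queries
from its own, stale reverse zone.
"""
import socket
import sys

# Constructed answers (192.0.2.10 is a documentation address, not a real host).
COMPANY_DNS = {
    "A": {"polaris.example.com": "192.0.2.10"},
    "PTR": {"192.0.2.10": ["polaris.prague.s3group.com"]},
}
IPA_DNS = {
    "A": {"polaris.example.com": "192.0.2.10"},
    "PTR": {"192.0.2.10": ["polaris.example.com"]},
}


def _canon(name):
    """Normalise a DNS name for comparison: strip the trailing dot, lowercase."""
    return name.rstrip(".").lower()


def check_reverse_consistency(hostname, ip, ptr_names):
    """Return (ok, message) for one server.

    hostname  - FQDN the installer discovered (e.g. from the _ldap._tcp SRV record)
    ip        - address the forward lookup of hostname returned
    ptr_names - names the reverse lookup of ip returned (may be empty)
    """
    want = _canon(hostname)
    got = [_canon(n) for n in ptr_names]
    if not got:
        return False, "no PTR record for %s; host name canonicalisation will fail" % ip
    if want in got:
        return True, "%s -> %s matches the forward name" % (ip, want)
    return False, (
        "reverse lookup of %s returned %s, expected %s; a Kerberos client that "
        "canonicalises via reverse DNS (MIT krb5 default, rdns = true) would ask "
        "for host/%s instead of host/%s" % (ip, ", ".join(got), want, got[0], want)
    )


def check_with_resolver(hostname, resolver):
    """Run the check against a dict-shaped resolver (the constructed data above)."""
    ip = resolver["A"].get(_canon(hostname))
    if ip is None:
        return False, "forward lookup of %s failed" % hostname
    return check_reverse_consistency(hostname, ip, resolver["PTR"].get(ip, []))


def check_live(hostname):
    """Same check using the system resolver, i.e. whatever /etc/resolv.conf names."""
    ip = socket.gethostbyname(hostname)
    try:
        ptr, _aliases, _addrs = socket.gethostbyaddr(ip)
        ptr_names = [ptr]
    except socket.herror:
        ptr_names = []
    return check_reverse_consistency(hostname, ip, ptr_names)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok, msg = check_live(sys.argv[1])      # e.g. polaris.example.com
    else:
        ok, msg = check_with_resolver("polaris.example.com", COMPANY_DNS)
    print(("OK: " if ok else "MISMATCH: ") + msg)
    sys.exit(0 if ok else 1)
```

Run without arguments it reproduces the post's failure against the constructed company-DNS data; run as `python check_rdns.py polaris.example.com` on the client it uses the real resolver, so a non-zero exit before ipa-client-install is invoked points straight at the resolv.conf problem instead of an opaque Kerberos error.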