[Freeipa-users] ipa-client-install failed to join the IPA realm if DNS setting is incorrect

Simo Sorce simo at redhat.com
Thu Jun 30 14:22:52 UTC 2011


On Thu, 2011-06-30 at 15:52 +0200, Ondrej Valousek wrote:
> 
> > The KDC is just trying to look up a service that was requested, it
> > was the client that requested this host. Note that the host name
> > used is the detected IPA server. This can often be wrong if there is
> > another server in your network with SRV records (such as AD). 
> Apparently not the KDC. I had to fix the resolv.conf on the client in
> order to resolve the problem. The problem was in the reverse records: the company
> DNS server returned polaris.prague.s3group.com (this rendered the
> error on the KDC) for the IP of the IPA server, whereas the correct one
> should be polaris.example.com (as per the DNS server running on the
> IPA server). When the client's resolv.conf pointed to the company DNS,
> it did not work. I had to fix resolv.conf manually to make it work.
> > 
> > The resolver is a bit of a chicken and egg problem. Hard to look
> > anything up if you don't have one configured. 
> > 
> > The installer should prompt that the detected settings are ok. Were
> > they ok and we still went to the wrong place? 
> >   
> Ok let me explain it more. The machine I was running the
> ipa-client-install was using company DNS server. On that DNS server I
> made a forward rule for 'example.com' domain. Therefore, once I ran
> 
> # ipa-client-install --domain=example.com
> 
> .. the tool was able to detect everything correctly, BUT the wrong DNS
> server (which was left behind in /etc/resolv.conf) returned wrong
> names from its reverse zone.
> 
> I believe it should be fairly easy for the installer to do a few sanity
> checks to see whether the reverse DNS lookup works well...

We are actively working on trying to never depend on reverse lookups.
Unfortunately there are still some bugs and limitations in various
libraries but we are working on fixing them.

That said, if you want to use your main DNS for clients, you can simply
fix the issue by adding reverse records into it, at least for the IPA servers.

Or give the IPA machine a subnet and forward requests for that subnet
too.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York