[Freeipa-users] need info on AD / IPA coexistence
Sylvain Angers
sylvainangers at gmail.com
Wed Mar 7 18:38:34 UTC 2012
2012/2/23 Simo Sorce <simo at redhat.com>
> On Thu, 2012-02-23 at 21:12 -0500, Brian Cook wrote:
> > I would not expect that there would be any problem with AD and IPA
> > coexisting when the realm names are different, but I have heard
> > reports that there are problems, especially when Linux clients are
> > configured to use AD for DNS. Trying to figure out what the problem
> > is. I understand your delegated dns setup. What if the customer must
> > use AD for all DNS?
>
> The only "problem" you may have is that you have to manually set all the
> SRV and TXT records.
> It's tedious but nothing heart breaking.
>
> Clients will not be able to do DNS updates if the DNS is not managed by
> IPA.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
Hello All,
We are facing the same difficulties here with coexistence with Microsoft AD
on the same network.
Whenever I run ipa-client-install:
# ipa-client-install --server=server.abcd.ca --domain=abcd.ca --realm=UNIX
DNS domain 'unix' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: client.abcd.ca
Realm: UNIX
DNS Domain: abcd.ca
IPA Server: server.abcd.ca
BaseDN: dc=unix
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin at UNIX:
Enrolled in IPA realm UNIX
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm UNIX
SSSD enabled
*Unable to find 'admin' user with 'getent passwd admin'!*
Recognized configuration: SSSD
NTP enabled
Client configuration complete.
and when I sniff via Wireshark while doing getent passwd admin, I get
this snippet many times, with all the Microsoft AD servers in the loop
165.115.52.21 = our windows dns server
165.115.40.149 = our ipa client
165.115.40.144
165.115.126.210 = windows AD domain controller
165.115.212.167 = windows AD domain controller
31.784008 165.115.52.21 -> 165.115.40.149 DNS Standard query response A
165.115.52.21
31.784308 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [SYN] Seq=0
Win=14600 Len=0 MSS=1460 TSV=5217133 TSER=0 WS=7
31.784518 165.115.52.21 -> 165.115.40.149 TCP ldap > 37236 [SYN, ACK]
Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
31.784538 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=1
Ack=1 Win=14720 Len=0 TSV=5217133 TSER=0
31.784873 165.115.40.149 -> 165.115.52.21 LDAP searchRequest(1) "<ROOT>"
baseObject
31.785487 165.115.52.21 -> 165.115.40.149 TCP [TCP segment of a
reassembled PDU]
31.785505 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=229
Ack=1449 Win=17536 Len=0 TSV=5217134 TSER=13371643
31.785522 165.115.52.21 -> 165.115.40.149 LDAP searchResEntry(1) "<ROOT>"
31.785531 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=229
Ack=2314 Win=20480 Len=0 TSV=5217134 TSER=13371643
31.786016 165.115.40.149 -> 165.115.52.21 DNS Standard query A
jac-rg-i01.cn.ca
31.786301 165.115.52.21 -> 165.115.40.149 DNS Standard query response A
165.115.126.210
31.790918 165.115.40.149 -> 165.115.126.210 KRB5 AS-REQ
31.826597 165.115.126.210 -> 165.115.40.149 KRB5 KRB Error:
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
31.827485 165.115.40.149 -> 165.115.52.21 LDAP unbindRequest(2)
31.827518 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [FIN, ACK]
Seq=236 Ack=2314 Win=20480 Len=0 TSV=5217176 TSER=13371643
31.827763 165.115.52.21 -> 165.115.40.149 TCP ldap > 37236 [ACK] Seq=2314
Ack=237 Win=65300 Len=0 TSV=13371643 TSER=5217176
31.827786 165.115.52.21 -> 165.115.40.149 TCP ldap > 37236 [FIN, ACK]
Seq=2314 Ack=237 Win=65300 Len=0 TSV=13371643 TSER=5217176
31.827795 165.115.40.149 -> 165.115.52.21 TCP 37236 > ldap [ACK] Seq=237
Ack=2315 Win=20480 Len=0 TSV=5217177 TSER=13371643
31.827856 165.115.40.149 -> 165.115.52.21 DNS Standard query A
gnp-yd-i01.cn.ca
31.828112 165.115.52.21 -> 165.115.40.149 DNS Standard query response A
165.115.207.219
31.828393 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [SYN] Seq=0
Win=14600 Len=0 MSS=1460 TSV=5217177 TSER=0 WS=7
31.860256 165.115.207.219 -> 165.115.40.149 TCP ldap > 56123 [SYN, ACK]
Seq=0 Ack=1 Win=16384 Len=0 MSS=1360 WS=0 TSV=0 TSER=0
31.860313 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=1
Ack=1 Win=14720 Len=0 TSV=5217209 TSER=0
31.860488 165.115.40.149 -> 165.115.207.219 LDAP searchRequest(1) "<ROOT>"
baseObject
31.901748 165.115.207.219 -> 165.115.40.149 TCP [TCP segment of a
reassembled PDU]
31.901767 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=229
Ack=1349 Win=17536 Len=0 TSV=5217251 TSER=15563619
31.907040 165.115.207.219 -> 165.115.40.149 LDAP searchResEntry(1) "<ROOT>"
31.907054 165.115.40.149 -> 165.115.207.219 TCP 56123 > ldap [ACK] Seq=229
Ack=2314 Win=20224 Len=0 TSV=5217256 TSER=15563619
31.907540 165.115.40.149 -> 165.115.52.21 DNS Standard query A
prg-yd-i02.cn.ca
31.907883 165.115.52.21 -> 165.115.40.149 DNS Standard query response A
165.115.212.167
31.911870 165.115.40.149 -> 165.115.212.167 KRB5 AS-REQ
31.995533 165.115.212.167 -> 165.115.40.149 KRB5 KRB Error:
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
31.996253 165.115.40.149 -> 165.115.207.219 LDAP unbindRequest(2)
It does this snippet on every AD server before getting back empty.
We wonder if we need to create a subdomain with a FreeIPA master of that
subdomain...
Any help would be appreciated.
Regards
--
Sylvain Angers
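The trace above shows the client resolving AD domain controller names and sending Kerberos AS-REQs to them instead of to the IPA KDC. As an added diagnostic (example code written for this page, not from the thread or the FreeIPA project), the script below walks tshark-style summary lines, pairs each DNS A answer with the query that preceded it, and reports every AS-REQ sent to a KDC that is not in the expected set, together with the KDC's resolved name and the reply it gave. The sample capture is constructed from the addresses in the post; the assumption that 165.115.40.144 is the IPA server is the example's own.

```python
import re

# tshark summary format: "<time> <src> -> <dst> <PROTO> <info>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+) -> (\S+)\s+(\S+)\s+(.*)$")

# Constructed sample modelled on the post: the client (165.115.40.149) asks the
# Windows DNS server (165.115.52.21) for AD DC names and sends AS-REQs to them.
SAMPLE_CAPTURE = """\
31.786016 165.115.40.149 -> 165.115.52.21 DNS Standard query A jac-rg-i01.cn.ca
31.786301 165.115.52.21 -> 165.115.40.149 DNS Standard query response A 165.115.126.210
31.790918 165.115.40.149 -> 165.115.126.210 KRB5 AS-REQ
31.826597 165.115.126.210 -> 165.115.40.149 KRB5 KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
31.907540 165.115.40.149 -> 165.115.52.21 DNS Standard query A prg-yd-i02.cn.ca
31.907883 165.115.52.21 -> 165.115.40.149 DNS Standard query response A 165.115.212.167
31.911870 165.115.40.149 -> 165.115.212.167 KRB5 AS-REQ
31.995533 165.115.212.167 -> 165.115.40.149 KRB5 KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
32.100000 165.115.40.149 -> 165.115.40.144 KRB5 AS-REQ
32.120000 165.115.40.144 -> 165.115.40.149 KRB5 AS-REP
"""

def audit_kdc_contacts(capture, client_ip, expected_kdcs):
    """Return (kdc_ip, resolved_name_or_None, reply_or_None) for every AS-REQ
    the client sent to a KDC outside expected_kdcs.  DNS A answers are paired
    with the client's preceding A query so the KDC is reported by name too."""
    pending_query = None   # name of the last A query the client sent
    ip_to_name = {}        # A answers seen so far
    findings = []          # one entry per unexpected AS-REQ
    open_reqs = {}         # kdc_ip -> index in findings awaiting a reply
    for raw in capture.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        _, src, dst, proto, info = m.groups()
        if proto == "DNS" and src == client_ip and info.startswith("Standard query A "):
            pending_query = info.rsplit(" ", 1)[1]
        elif proto == "DNS" and dst == client_ip and "query response A " in info and pending_query:
            ip_to_name[info.rsplit(" ", 1)[1]] = pending_query
            pending_query = None
        elif proto == "KRB5" and src == client_ip and info == "AS-REQ" and dst not in expected_kdcs:
            open_reqs[dst] = len(findings)
            findings.append((dst, ip_to_name.get(dst), None))
        elif proto == "KRB5" and dst == client_ip and src in open_reqs:
            kdc, name, _ = findings[open_reqs.pop(src)]
            findings[open_reqs.get(src, len(findings) - 1) if False else findings.index((kdc, name, None))] = (kdc, name, info.replace("KRB Error: ", ""))
    return findings

if __name__ == "__main__":
    for kdc, name, reply in audit_kdc_contacts(SAMPLE_CAPTURE, "165.115.40.149", {"165.115.40.144"}):
        print(f"AS-REQ to non-IPA KDC {kdc} ({name}) answered with {reply}")
```

In the sample every AS-REQ to an AD domain controller is answered with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, matching what the trace in the post shows; an empty result means all KDC traffic went to the expected IPA server.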