[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Tue Oct 14 11:48:28 UTC 2014

I need further assistance with this moment:
"specify IPA domain name which is sub-domain of you existing domain 
(e.g. ipa.eurosel.az) ".

Currently my FreeIPA server's hostname is ipa1.eurosel.az, and client's 
hostname is bsd1.eurosel.az.
So when running this command:

"ipa-server-install --setup-dns --forwarder <ip address of your 
*existing* DNS server>",

the installation program detects the hostname of the VM 
(ipa1.eurosel.az) and offers it as IPA server FQDN;
then it offers "eurosel.az" as the domain name. I can make changes right 
during the installation process (FQDN = ipa1.ipa.eurosel.az & domain = 
ipa.eurosel.az), but then there will be a conflict with the real 
hostname and records in the /etc/hosts file.

On the other hand, if I change the hostname of the server VM to 
"ipa1.ipa.eurosel.az" prior to running the IPA installation program, 
then the installation program will offer my server an FQDN of 
"ipa1.ipa.eurosel.az" and a domain name of "ipa.eurosel.az". But doesn`t 
it mean that my client`s hostname should also be changed to 
bsd1.ipa.eurosel.az? I`d like to avoid this, because in production I 
won`t be able to change the domain part of FQDN for hundreds of clients.

Please don`t hesitate to explain a little clearer.

14-Oct-14 16:29, Petr Spacek пишет:
> On 14.10.2014 11:49, Orkhan Gasimov wrote:
>> I suspected that problems could arise with DNS, and here they are...
>>
>> In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server 
>> has DNS
>> SRV entries" was taken as-is from the how-to on FreeBSD forums. First I
>> commented it out, because was unsure sure if it was appropriate for 
>> my simple
>> setup with just 2 VMs and and a bunch of records in /etc/hosts file. 
>> After
>> starting sssd, I could get no IPA data with"getent passwd" or "getent 
>> group"
>> commands. They I uncommented it and restarted sssd, but things 
>> remained the same.
>>
>> Now your advice is:  "...add IP address or hostname to the option 
>> ipa_server",
>> but you use an arbitrary name like "vm-120.eurosel.az". Could you please
>> explain which host`s FQDN I should put there? If I use 
>> "ipa1.eurosel.az", then
>> sssd won`t start (complains about "...Looping detected inside
>> krb5_get_in_tkt...").
>>
>> If it MUST be a DNS server, then everything changes. And the question 
>> then
>> becomes: is it possible to set up a test FreeIPA client-server 
>> interaction
>> using only 2 VMs and proper records in /etc/hosts instead of a DNS 
>> server? Or
>> one MUST add a third VM and make it a DNS server to facilitate 
>> client-server
>> interaction?
>
> IPA theoretically can work without DNS records but it requires very 
> careful configuration on clients and is strongly discouraged.
>
> If you want to do quick & dirty test, do this:
> $ ipa-server-install --setup-dns --forwarder <ip address of your 
> *existing* DNS server>
> + specify IPA domain name which is sub-domain of you existing domain 
> (e.g. ipa.eurosel.az)
> + change /etc/resolv.conf on *all* clients to point to IPA server
>
> *This is a dirty trick* and it will not work unless all your clients 
> has the IPA server in resolv.conf. It will most likely break when you 
> try to use AD trust with AD clients etc.
>
>
> *In production environment* you should add NS records for 
> ipa.eurosel.az domain to the parent DNS zone to create proper 
> delegation. In that case you don't need to fiddle with resolv.conf on 
> all clients.
>
> Let me know if you need further assistance.
>
> Petr^2 Spacek
>
>
>> 14-Oct-14 12:58, Lukas Slebodnik пишет:
>>> On (14/10/14 10:23), Orkhan Gasimov wrote:
>>>> Thanks to both of you for the interest.
>>>> Here`s the info you asked:
>>>>
>>>> 1. Putting "debug_level = 7" either in [domain] or/and [nss] 
>>>> section of the
>>>> /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The 
>>>> log file
>>>> located at /var/log/sssd/sssd.log is only populated with data when 
>>>> I make
>>>> some errors in sssd.conf & sssd process fails to start. But that`s 
>>>> the case
>>>> only if I deliberately introduce some errors; with current 
>>>> configuration sssd
>>>> starts successfully.
>>>>
>>>> 2. My original sssd.conf (without debugs) is as follows (exact copy 
>>>> of what
>>>> was shown in the post at FreeBSD forums):
>>>>
>>>> -----------------------------------------
>>>> [domain/mydomain.com]
>>>> cache_credentials = True
>>>> krb5_store_password_if_offline = True
>>>> ipa_domain = mydomain.com
>>>> id_provider = ipa
>>>> auth_provider = ipa
>>>> access_provider = ipa
>>>> ipa_hostname = ipa1.mydomain.com
>>>> chpass_provider = ipa
>>>> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
>>>
>>> [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
>>> '_ldap._tcp.eurosel.az'
>>> ...
>>> [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
>>> [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' 
>>> as 'not
>>> resolved'
>>> [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV 
>>> lookup
>>> meta-server), resolver returned (5)
>>>
>>> DNS discovery of IPA server failed, becuase you just configured few 
>>> hostnames
>>> in /etc/hosts
>>>
>>> You can add IP address or hostname to the option ipa_server
>>> e.g.
>>>      ipa_server = _srv_, vm-120.eurosel.az
>>>
>>> BTW In my opinion, it is better to have comment before the optiona 
>>> and not on
>>> the same line :-)
>