[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Petr Spacek pspacek at redhat.com
Tue Oct 14 12:43:45 UTC 2014 

On 14.10.2014 13:48, Orkhan Gasimov wrote:
> I need further assistance with this moment:
> "specify IPA domain name which is sub-domain of you existing domain (e.g.
> ipa.eurosel.az) ".
>
> Currently my FreeIPA server's hostname is ipa1.eurosel.az, and client's
> hostname is bsd1.eurosel.az.
> So when running this command:
>
> "ipa-server-install --setup-dns --forwarder <ip address of your *existing* DNS
> server>",
>
> the installation program detects the hostname of the VM (ipa1.eurosel.az) and
> offers it as IPA server FQDN;
> then it offers "eurosel.az" as the domain name. I can make changes right
> during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
> ipa.eurosel.az), but then there will be a conflict with the real hostname and
> records in the /etc/hosts file.
>
> On the other hand, if I change the hostname of the server VM to
> "ipa1.ipa.eurosel.az" prior to running the IPA installation program, then the
> installation program will offer my server an FQDN of "ipa1.ipa.eurosel.az" and
> a domain name of "ipa.eurosel.az". But doesn`t it mean that my client`s
> hostname should also be changed to bsd1.ipa.eurosel.az? I`d like to avoid
> this, because in production I won`t be able to change the domain part of FQDN
> for hundreds of clients.

Clients don't need to be in the same domain as IPA. The IPA domain in DNS is 
necessary to store 'metadata' like SRV and TXT records etc.

You can even experiment with IPA servers which are not in the IPA domain but 
I'm not sure how much it was tested.

Alexander can add more details about records required for AD integration and 
how it should work with clients which are not in the IPA domain.

Petr^2 Spacek

>
> 14-Oct-14 16:29, Petr Spacek пишет:
>> On 14.10.2014 11:49, Orkhan Gasimov wrote:
>>> I suspected that problems could arise with DNS, and here they are...
>>>
>>> In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server has DNS
>>> SRV entries" was taken as-is from the how-to on FreeBSD forums. First I
>>> commented it out, because was unsure sure if it was appropriate for my simple
>>> setup with just 2 VMs and and a bunch of records in /etc/hosts file. After
>>> starting sssd, I could get no IPA data with"getent passwd" or "getent group"
>>> commands. They I uncommented it and restarted sssd, but things remained the
>>> same.
>>>
>>> Now your advice is:  "...add IP address or hostname to the option ipa_server",
>>> but you use an arbitrary name like "vm-120.eurosel.az". Could you please
>>> explain which host`s FQDN I should put there? If I use "ipa1.eurosel.az", then
>>> sssd won`t start (complains about "...Looping detected inside
>>> krb5_get_in_tkt...").
>>>
>>> If it MUST be a DNS server, then everything changes. And the question then
>>> becomes: is it possible to set up a test FreeIPA client-server interaction
>>> using only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or
>>> one MUST add a third VM and make it a DNS server to facilitate client-server
>>> interaction?
>>
>> IPA theoretically can work without DNS records but it requires very careful
>> configuration on clients and is strongly discouraged.
>>
>> If you want to do quick & dirty test, do this:
>> $ ipa-server-install --setup-dns --forwarder <ip address of your *existing*
>> DNS server>
>> + specify IPA domain name which is sub-domain of you existing domain (e.g.
>> ipa.eurosel.az)
>> + change /etc/resolv.conf on *all* clients to point to IPA server
>>
>> *This is a dirty trick* and it will not work unless all your clients has the
>> IPA server in resolv.conf. It will most likely break when you try to use AD
>> trust with AD clients etc.
>>
>>
>> *In production environment* you should add NS records for ipa.eurosel.az
>> domain to the parent DNS zone to create proper delegation. In that case you
>> don't need to fiddle with resolv.conf on all clients.
>>
>> Let me know if you need further assistance.
>>
>> Petr^2 Spacek
>>
>>
>>> 14-Oct-14 12:58, Lukas Slebodnik пишет:
>>>> On (14/10/14 10:23), Orkhan Gasimov wrote:
>>>>> Thanks to both of you for the interest.
>>>>> Here`s the info you asked:
>>>>>
>>>>> 1. Putting "debug_level = 7" either in [domain] or/and [nss] section of the
>>>>> /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
>>>>> located at /var/log/sssd/sssd.log is only populated with data when I make
>>>>> some errors in sssd.conf & sssd process fails to start. But that`s the case
>>>>> only if I deliberately introduce some errors; with current configuration
>>>>> sssd
>>>>> starts successfully.
>>>>>
>>>>> 2. My original sssd.conf (without debugs) is as follows (exact copy of what
>>>>> was shown in the post at FreeBSD forums):
>>>>>
>>>>> -----------------------------------------
>>>>> [domain/mydomain.com]
>>>>> cache_credentials = True
>>>>> krb5_store_password_if_offline = True
>>>>> ipa_domain = mydomain.com
>>>>> id_provider = ipa
>>>>> auth_provider = ipa
>>>>> access_provider = ipa
>>>>> ipa_hostname = ipa1.mydomain.com
>>>>> chpass_provider = ipa
>>>>> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
>>>>
>>>> [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
>>>> '_ldap._tcp.eurosel.az'
>>>> ...
>>>> [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
>>>> [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not
>>>> resolved'
>>>> [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup
>>>> meta-server), resolver returned (5)
>>>>
>>>> DNS discovery of IPA server failed, becuase you just configured few hostnames
>>>> in /etc/hosts
>>>>
>>>> You can add IP address or hostname to the option ipa_server
>>>> e.g.
>>>>      ipa_server = _srv_, vm-120.eurosel.az
>>>>
>>>> BTW In my opinion, it is better to have comment before the optiona and not on
>>>> the same line :-)
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek
-- 
Petr^2 Spacek

More information about the Freeipa-users mailing list