[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Petr Spacek pspacek at redhat.com
Tue Oct 14 18:42:47 UTC 2014

On 14.10.2014 15:06, Alexander Bokovoy wrote:
> On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
>> So which way do I go?
>> 1) Change the server VM`s hostname from "ipa1.eurosel.az" to
>> "ipa1.ipa.eurosel.az" prior to issuing IPA installation command
>> 2) or leave my hostname and contents of /etc/hosts file intact and specify a
>> different FQDN and domain part of the IPA server after issuing IPA
>> installation command?
>> Yes, I know - this is a question Homer Simpson would ask.
> Allocate ipa.eurosel.az domain zone to FreeIPA and install FreeIPA with
> integrated DNS. Essentially, (1), with domain=ipa.eurosel.az, realm
> If you want later to see how this setup scales, all you would need to do
> is to make sure the other clients would use ipa1.ipa.eurosel.az as a
> resolver.

Again - in production it is unnecessary to change resolv.conf if you have 
proper NS records in place.

Petr^2 Spacek

>> 14-Oct-14 17:43, Petr Spacek пишет:
>>> On 14.10.2014 13:48, Orkhan Gasimov wrote:
>>>> I need further assistance with this moment:
>>>> "specify IPA domain name which is sub-domain of you existing domain (e.g.
>>>> ipa.eurosel.az) ".
>>>> Currently my FreeIPA server's hostname is ipa1.eurosel.az, and client's
>>>> hostname is bsd1.eurosel.az.
>>>> So when running this command:
>>>> "ipa-server-install --setup-dns --forwarder <ip address of your *existing*
>>>> DNS
>>>> server>",
>>>> the installation program detects the hostname of the VM (ipa1.eurosel.az) and
>>>> offers it as IPA server FQDN;
>>>> then it offers "eurosel.az" as the domain name. I can make changes right
>>>> during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
>>>> ipa.eurosel.az), but then there will be a conflict with the real hostname and
>>>> records in the /etc/hosts file.
>>>> On the other hand, if I change the hostname of the server VM to
>>>> "ipa1.ipa.eurosel.az" prior to running the IPA installation program, then the
>>>> installation program will offer my server an FQDN of "ipa1.ipa.eurosel.az"
>>>> and
>>>> a domain name of "ipa.eurosel.az". But doesn`t it mean that my client`s
>>>> hostname should also be changed to bsd1.ipa.eurosel.az? I`d like to avoid
>>>> this, because in production I won`t be able to change the domain part of FQDN
>>>> for hundreds of clients.
>>> Clients don't need to be in the same domain as IPA. The IPA domain in DNS
>>> is necessary to store 'metadata' like SRV and TXT records etc.
>>> You can even experiment with IPA servers which are not in the IPA domain
>>> but I'm not sure how much it was tested.
>>> Alexander can add more details about records required for AD integration
>>> and how it should work with clients which are not in the IPA domain.
>>> Petr^2 Spacek
>>>> 14-Oct-14 16:29, Petr Spacek пишет:
>>>>> On 14.10.2014 11:49, Orkhan Gasimov wrote:
>>>>>> I suspected that problems could arise with DNS, and here they are...
>>>>>> In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server has
>>>>>> DNS
>>>>>> SRV entries" was taken as-is from the how-to on FreeBSD forums. First I
>>>>>> commented it out, because was unsure sure if it was appropriate for my
>>>>>> simple
>>>>>> setup with just 2 VMs and and a bunch of records in /etc/hosts file. After
>>>>>> starting sssd, I could get no IPA data with"getent passwd" or "getent
>>>>>> group"
>>>>>> commands. They I uncommented it and restarted sssd, but things remained the
>>>>>> same.
>>>>>> Now your advice is:  "...add IP address or hostname to the option
>>>>>> ipa_server",
>>>>>> but you use an arbitrary name like "vm-120.eurosel.az". Could you please
>>>>>> explain which host`s FQDN I should put there? If I use
>>>>>> "ipa1.eurosel.az", then
>>>>>> sssd won`t start (complains about "...Looping detected inside
>>>>>> krb5_get_in_tkt...").
>>>>>> If it MUST be a DNS server, then everything changes. And the question then
>>>>>> becomes: is it possible to set up a test FreeIPA client-server interaction
>>>>>> using only 2 VMs and proper records in /etc/hosts instead of a DNS
>>>>>> server? Or
>>>>>> one MUST add a third VM and make it a DNS server to facilitate
>>>>>> client-server
>>>>>> interaction?
>>>>> IPA theoretically can work without DNS records but it requires very careful
>>>>> configuration on clients and is strongly discouraged.
>>>>> If you want to do quick & dirty test, do this:
>>>>> $ ipa-server-install --setup-dns --forwarder <ip address of your *existing*
>>>>> DNS server>
>>>>> + specify IPA domain name which is sub-domain of you existing domain (e.g.
>>>>> ipa.eurosel.az)
>>>>> + change /etc/resolv.conf on *all* clients to point to IPA server
>>>>> *This is a dirty trick* and it will not work unless all your clients has the
>>>>> IPA server in resolv.conf. It will most likely break when you try to use AD
>>>>> trust with AD clients etc.
>>>>> *In production environment* you should add NS records for ipa.eurosel.az
>>>>> domain to the parent DNS zone to create proper delegation. In that case you
>>>>> don't need to fiddle with resolv.conf on all clients.
>>>>> Let me know if you need further assistance.
>>>>> Petr^2 Spacek
>>>>>> 14-Oct-14 12:58, Lukas Slebodnik пишет:
>>>>>>> On (14/10/14 10:23), Orkhan Gasimov wrote:
>>>>>>>> Thanks to both of you for the interest.
>>>>>>>> Here`s the info you asked:
>>>>>>>> 1. Putting "debug_level = 7" either in [domain] or/and [nss] section
>>>>>>>> of the
>>>>>>>> /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
>>>>>>>> located at /var/log/sssd/sssd.log is only populated with data when I make
>>>>>>>> some errors in sssd.conf & sssd process fails to start. But that`s the
>>>>>>>> case
>>>>>>>> only if I deliberately introduce some errors; with current configuration
>>>>>>>> sssd
>>>>>>>> starts successfully.
>>>>>>>> 2. My original sssd.conf (without debugs) is as follows (exact copy of
>>>>>>>> what
>>>>>>>> was shown in the post at FreeBSD forums):
>>>>>>>> -----------------------------------------
>>>>>>>> [domain/mydomain.com]
>>>>>>>> cache_credentials = True
>>>>>>>> krb5_store_password_if_offline = True
>>>>>>>> ipa_domain = mydomain.com
>>>>>>>> id_provider = ipa
>>>>>>>> auth_provider = ipa
>>>>>>>> access_provider = ipa
>>>>>>>> ipa_hostname = ipa1.mydomain.com
>>>>>>>> chpass_provider = ipa
>>>>>>>> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
>>>>>>> [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
>>>>>>> '_ldap._tcp.eurosel.az'
>>>>>>> ...
>>>>>>> [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
>>>>>>> [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as
>>>>>>> 'not
>>>>>>> resolved'
>>>>>>> [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup
>>>>>>> meta-server), resolver returned (5)
>>>>>>> DNS discovery of IPA server failed, becuase you just configured few
>>>>>>> hostnames
>>>>>>> in /etc/hosts
>>>>>>> You can add IP address or hostname to the option ipa_server
>>>>>>> e.g.
>>>>>>>     ipa_server = _srv_, vm-120.eurosel.az
>>>>>>> BTW In my opinion, it is better to have comment before the optiona and
>>>>>>> not on
>>>>>>> the same line :-)

More information about the Freeipa-users mailing list