[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
orkhan-azeri at mail.ru
Tue Oct 14 10:54:31 UTC 2014
I'll try such a test setup, then share information about the results.
14-Oct-14 15:04, Petr Spacek wrote:
> On 14.10.2014 11:49, Orkhan Gasimov wrote:
>> I suspected that problems could arise with DNS, and here they are...
>> In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server
>> has DNS SRV entries" was taken as-is from the how-to on FreeBSD forums.
>> First I commented it out, because I was unsure if it was appropriate
>> for my simple setup with just 2 VMs and a bunch of records in the
>> /etc/hosts file. starting sssd, I could get no IPA data with "getent
>> passwd" or "getent
>> commands. Then I uncommented it and restarted sssd, but things
>> remained the same.
>> Now your advice is: "...add IP address or hostname to the option
>> but you use an arbitrary name like "vm-120.eurosel.az". Could you please
>> explain which host's FQDN I should put there? If I use
>> "ipa1.eurosel.az", then sssd won't start (complains about "...Looping
>> detected inside
>> If it MUST be a DNS server, then everything changes. And the question
>> becomes: is it possible to set up a test FreeIPA client-server
>> using only 2 VMs and proper records in /etc/hosts instead of a DNS
>> server? Or one MUST add a third VM and make it a DNS server to facilitate
> IPA theoretically can work without DNS records but it requires very
> careful configuration on clients and is strongly discouraged.
> If you want to do a quick & dirty test, do this:
> $ ipa-server-install --setup-dns --forwarder <ip address of your
> *existing* DNS server>
> + specify IPA domain name which is a sub-domain of your existing domain
> (e.g. ipa.eurosel.az)
> + change /etc/resolv.conf on *all* clients to point to IPA server
> *This is a dirty trick* and it will not work unless all your clients
> have the IPA server in resolv.conf. It will most likely break when you
> try to use AD trust with AD clients etc.
> *In a production environment* you should add NS records for
> ipa.eurosel.az domain to the parent DNS zone to create proper
> delegation. In that case you don't need to fiddle with resolv.conf on
> all clients.
> Let me know if you need further assistance.
> Petr^2 Spacek
>> 14-Oct-14 12:58, Lukas Slebodnik wrote:
>>> On (14/10/14 10:23), Orkhan Gasimov wrote:
>>>> Thanks to both of you for the interest.
>>>> Here's the info you asked for:
>>>> 1. Putting "debug_level = 7" either in [domain] or/and [nss]
>>>> section of the
>>>> /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The
>>>> log file
>>>> located at /var/log/sssd/sssd.log is only populated with data when
>>>> I make
>>>> some errors in sssd.conf & sssd process fails to start. But that's
>>>> the case
>>>> only if I deliberately introduce some errors; with current
>>>> configuration sssd
>>>> starts successfully.
>>>> 2. My original sssd.conf (without debugs) is as follows (exact copy
>>>> of what
>>>> was shown in the post at FreeBSD forums):
>>>> cache_credentials = True
>>>> krb5_store_password_if_offline = True
>>>> ipa_domain = mydomain.com
>>>> id_provider = ipa
>>>> auth_provider = ipa
>>>> access_provider = ipa
>>>> ipa_hostname = ipa1.mydomain.com
>>>> chpass_provider = ipa
>>>> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
>>> [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
>>> [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
>>> [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA'
>>> as 'not
>>> [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
>>> meta-server), resolver returned (5)
>>> DNS discovery of IPA server failed, because you just configured a few
>>> in /etc/hosts
>>> You can add IP address or hostname to the option ipa_server
>>> ipa_server = _srv_, vm-120.eurosel.az
>>> BTW In my opinion, it is better to have the comment before the option
>>> and not on
>>> the same line :-)
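The SRV-discovery failure Lukas points at above, modelled as an added example (not code from this thread or from sssd): a small Python check of how an `ipa_server` value expands into sssd's failover list, with a constructed SRV table standing in for DNS so it runs offline, plus a matcher for the log line that signals the failure. How sssd treats an inline `#` comment after the value is an assumption here, reported as a finding rather than verified behaviour.

```python
"""Model sssd's failover list for the ipa_server option (added example)."""
import re

SRV_META = "_srv_"          # sssd meta-server: expand via DNS SRV lookup
SRV_FAIL = re.compile(r"\[resolve_srv_done\].*SRV query failed")

def parse_ipa_server(value):
    """Split the option value into failover entries.
    An inline '#' comment is reported separately: whether sssd strips it
    or keeps it as part of the value is an assumption not checked here."""
    comment = None
    if "#" in value:
        value, comment = value.split("#", 1)
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return entries, comment.strip() if comment else None

def expand_servers(entries, domain, srv_lookup):
    """Return the ordered server list plus findings explaining any gap."""
    servers, findings = [], []
    for entry in entries:
        if entry == SRV_META:
            hosts = srv_lookup("_ldap._tcp." + domain)
            if hosts:
                servers.extend(hosts)
            else:
                findings.append("SRV lookup for _ldap._tcp.%s returned nothing" % domain)
        else:
            servers.append(entry)
    if not servers:
        findings.append("no usable IPA server; add an explicit hostname after _srv_")
    return servers, findings

def check(value, domain, srv_table):
    """srv_table is a constructed dict standing in for DNS."""
    entries, comment = parse_ipa_server(value)
    servers, findings = expand_servers(entries, domain, lambda n: srv_table.get(n, []))
    if comment is not None:
        findings.append("inline comment '%s' after the value; put it on its own line" % comment)
    return servers, findings

def srv_failure_in_log(lines):
    """True if the sssd domain log shows the SRV discovery failure seen in the thread."""
    return any(SRV_FAIL.search(line) for line in lines)

# Constructed samples: a host with only /etc/hosts answers no SRV queries;
# an IPA-managed zone would answer with the server's FQDN.
HOSTS_ONLY = {}
IPA_DNS = {"_ldap._tcp.mydomain.com": ["ipa1.mydomain.com"]}
```

Calling `check("_srv_", "mydomain.com", HOSTS_ONLY)` returns an empty server list with both findings, while `check("_srv_, ipa1.mydomain.com", "mydomain.com", HOSTS_ONLY)` still yields the explicit host as fallback.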