[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
orkhan-azeri at mail.ru
Tue Oct 14 11:48:28 UTC 2014
I need further assistance with this moment:
"specify IPA domain name which is sub-domain of your existing domain
(e.g. ipa.eurosel.az) ".
Currently my FreeIPA server's hostname is ipa1.eurosel.az, and client's
hostname is bsd1.eurosel.az.
So when running this command:
"ipa-server-install --setup-dns --forwarder <ip address of your
*existing* DNS server>",
the installation program detects the hostname of the VM
(ipa1.eurosel.az) and offers it as IPA server FQDN;
then it offers "eurosel.az" as the domain name. I can make changes right
during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
ipa.eurosel.az), but then there will be a conflict with the real
hostname and records in the /etc/hosts file.
On the other hand, if I change the hostname of the server VM to
"ipa1.ipa.eurosel.az" prior to running the IPA installation program,
then the installation program will offer my server an FQDN of
"ipa1.ipa.eurosel.az" and a domain name of "ipa.eurosel.az". But doesn't
it mean that my client's hostname should also be changed to
bsd1.ipa.eurosel.az? I'd like to avoid this, because in production I
won't be able to change the domain part of FQDN for hundreds of clients.
Please don't hesitate to explain a little clearer.
14-Oct-14 16:29, Petr Spacek writes:
> On 14.10.2014 11:49, Orkhan Gasimov wrote:
>> I suspected that problems could arise with DNS, and here they are...
>> In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server
>> has DNS
>> SRV entries" was taken as-is from the how-to on FreeBSD forums. First I
>> commented it out, because I was unsure if it was appropriate for
>> my simple
>> setup with just 2 VMs and a bunch of records in /etc/hosts file.
>> starting sssd, I could get no IPA data with "getent passwd" or "getent
>> commands. Then I uncommented it and restarted sssd, but things
>> remained the same.
>> Now your advice is: "...add IP address or hostname to the option
>> but you use an arbitrary name like "vm-120.eurosel.az". Could you please
>> explain which host's FQDN I should put there? If I use
>> "ipa1.eurosel.az", then
>> sssd won't start (complains about "...Looping detected inside
>> If it MUST be a DNS server, then everything changes. And the question
>> becomes: is it possible to set up a test FreeIPA client-server
>> using only 2 VMs and proper records in /etc/hosts instead of a DNS
>> server? Or
>> one MUST add a third VM and make it a DNS server to facilitate
> IPA theoretically can work without DNS records but it requires very
> careful configuration on clients and is strongly discouraged.
> If you want to do quick & dirty test, do this:
> $ ipa-server-install --setup-dns --forwarder <ip address of your
> *existing* DNS server>
> + specify IPA domain name which is sub-domain of your existing domain
> (e.g. ipa.eurosel.az)
> + change /etc/resolv.conf on *all* clients to point to IPA server
> *This is a dirty trick* and it will not work unless all your clients
> have the IPA server in resolv.conf. It will most likely break when you
> try to use AD trust with AD clients etc.
> *In production environment* you should add NS records for
> ipa.eurosel.az domain to the parent DNS zone to create proper
> delegation. In that case you don't need to fiddle with resolv.conf on
> all clients.
> Let me know if you need further assistance.
> Petr^2 Spacek
>> 14-Oct-14 12:58, Lukas Slebodnik writes:
>>> On (14/10/14 10:23), Orkhan Gasimov wrote:
>>>> Thanks to both of you for the interest.
>>>> Here's the info you asked:
>>>> 1. Putting "debug_level = 7" either in [domain] or/and [nss]
>>>> section of the
>>>> /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The
>>>> log file
>>>> located at /var/log/sssd/sssd.log is only populated with data when
>>>> I make
>>>> some errors in sssd.conf & sssd process fails to start. But that's
>>>> the case
>>>> only if I deliberately introduce some errors; with current
>>>> configuration sssd
>>>> starts successfully.
>>>> 2. My original sssd.conf (without debugs) is as follows (exact copy
>>>> of what
>>>> was shown in the post at FreeBSD forums):
>>>> cache_credentials = True
>>>> krb5_store_password_if_offline = True
>>>> ipa_domain = mydomain.com
>>>> id_provider = ipa
>>>> auth_provider = ipa
>>>> access_provider = ipa
>>>> ipa_hostname = ipa1.mydomain.com
>>>> chpass_provider = ipa
>>>> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
>>> [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
>>> [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
>>> [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA'
>>> as 'not
>>> [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
>>> meta-server), resolver returned (5)
>>> DNS discovery of IPA server failed, because you just configured few
>>> in /etc/hosts
>>> You can add IP address or hostname to the option ipa_server
>>> ipa_server = _srv_, vm-120.eurosel.az
>>> BTW In my opinion, it is better to have comment before the option
>>> and not on
>>> the same line :-)
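An added check, not code from the thread or from SSSD, that spots the two points Lukas raises against the quoted sssd.conf: an ipa_server value that relies on _srv_ discovery alone (which fails in a hosts-file-only setup) and a comment written on the same line as the option. The [domain/...] header is assumed, and the parser is Python's configparser in strict mode, used only to show how an inline comment can end up inside the value.

```python
import configparser

# Constructed sample: the fragment Orkhan quoted, wrapped in a [domain/...]
# header (assumed; sssd.conf needs one) so an INI parser can read it.
BROKEN_CONF = """
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
"""

# Same section after Lukas's advice: explicit fallback, comment on its own line.
FIXED_CONF = BROKEN_CONF.replace(
    "ipa_server = _srv_ #our FreeIPA server has DNS SRV entries",
    "# our FreeIPA server has DNS SRV entries\nipa_server = _srv_, vm-120.eurosel.az")

def parse_sssd_conf(text):
    # Strict INI parsing, no inline-comment prefixes: a trailing '#...' stays in
    # the value. This shows the hazard; it is not a claim about sssd's own parser.
    cp = configparser.ConfigParser(inline_comment_prefixes=None, interpolation=None)
    cp.read_string(text)
    return cp

def ipa_server_entries(raw):
    """Comma-separated ipa_server value -> list of entries, comment stripped."""
    return [e.strip() for e in raw.split("#", 1)[0].split(",") if e.strip()]

def check_domain(cp, section):
    """Findings for one [domain/...] section; an empty list means no issue."""
    findings = []
    raw = cp.get(section, "ipa_server", fallback="")
    if "#" in raw:
        findings.append("ipa_server value carries an inline comment: %r" % raw)
    entries = ipa_server_entries(raw)
    if not entries:
        findings.append("ipa_server is not set")
    elif entries == ["_srv_"]:
        findings.append("ipa_server relies on _srv_ discovery only; with no SRV "
                        "records (hosts-file setup) add an explicit server too")
    return findings

def check_conf(text):
    """Map each [domain/...] section of an sssd.conf text to its findings."""
    cp = parse_sssd_conf(text)
    return {s: check_domain(cp, s) for s in cp.sections() if s.startswith("domain/")}
```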