[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Orkhan Gasimov orkhan-azeri at mail.ru
Tue Oct 14 12:58:41 UTC 2014

So which way do I go?
1) Change the server VM's hostname from "ipa1.eurosel.az" to
"ipa1.ipa.eurosel.az" prior to issuing the IPA installation command
2) or leave my hostname and the contents of the /etc/hosts file intact and
specify a different FQDN and domain part of the IPA server after issuing the
IPA installation command?
Yes, I know - this is a question Homer Simpson would ask.

14-Oct-14 17:43, Petr Spacek wrote:
> On 14.10.2014 13:48, Orkhan Gasimov wrote:
>> I need further assistance with this moment:
>> "specify IPA domain name which is sub-domain of your existing domain (e.g.
>> ipa.eurosel.az)".
>> Currently my FreeIPA server's hostname is ipa1.eurosel.az, and the client's
>> hostname is bsd1.eurosel.az.
>> So when running this command:
>> "ipa-server-install --setup-dns --forwarder <ip address of your *existing* DNS
>> server>",
>> the installation program detects the hostname of the VM (ipa1.eurosel.az) and
>> offers it as the IPA server FQDN;
>> then it offers "eurosel.az" as the domain name. I can make changes right
>> during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
>> ipa.eurosel.az), but then there will be a conflict with the real hostname and
>> records in the /etc/hosts file.
>> On the other hand, if I change the hostname of the server VM to
>> "ipa1.ipa.eurosel.az" prior to running the IPA installation program, then the
>> installation program will offer my server an FQDN of "ipa1.ipa.eurosel.az" and
>> a domain name of "ipa.eurosel.az". But doesn't it mean that my client's
>> hostname should also be changed to bsd1.ipa.eurosel.az? I'd like to avoid
>> this, because in production I won't be able to change the domain part of the FQDN
>> for hundreds of clients.
> Clients don't need to be in the same domain as IPA. The IPA domain in 
> DNS is necessary to store 'metadata' like SRV and TXT records etc.
> You can even experiment with IPA servers which are not in the IPA 
> domain but I'm not sure how much it was tested.
> Alexander can add more details about records required for AD 
> integration and how it should work with clients which are not in the 
> IPA domain.
> Petr^2 Spacek
>> 14-Oct-14 16:29, Petr Spacek wrote:
>>> On 14.10.2014 11:49, Orkhan Gasimov wrote:
>>>> I suspected that problems could arise with DNS, and here they are...
>>>> In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server has DNS
>>>> SRV entries" was taken as-is from the how-to on the FreeBSD forums. First I
>>>> commented it out, because I was unsure if it was appropriate for my simple
>>>> setup with just 2 VMs and a bunch of records in the /etc/hosts file. After
>>>> starting sssd, I could get no IPA data with the "getent passwd" or "getent group"
>>>> commands. Then I uncommented it and restarted sssd, but things remained the
>>>> same.
>>>> Now your advice is: "...add IP address or hostname to the option ipa_server",
>>>> but you use an arbitrary name like "vm-120.eurosel.az". Could you please
>>>> explain which host's FQDN I should put there? If I use "ipa1.eurosel.az", then
>>>> sssd won't start (complains about "...Looping detected inside
>>>> krb5_get_in_tkt...").
>>>> If it MUST be a DNS server, then everything changes. And the question then
>>>> becomes: is it possible to set up a test FreeIPA client-server interaction
>>>> using only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or
>>>> MUST one add a third VM and make it a DNS server to facilitate client-server
>>>> interaction?
>>> IPA theoretically can work without DNS records but it requires very careful
>>> configuration on clients and is strongly discouraged.
>>> If you want to do a quick & dirty test, do this:
>>> $ ipa-server-install --setup-dns --forwarder <ip address of your *existing*
>>> DNS server>
>>> + specify an IPA domain name which is a sub-domain of your existing domain (e.g.
>>> ipa.eurosel.az)
>>> + change /etc/resolv.conf on *all* clients to point to the IPA server
>>> *This is a dirty trick* and it will not work unless all your clients have the
>>> IPA server in resolv.conf. It will most likely break when you try to use AD
>>> trust with AD clients etc.
>>> *In a production environment* you should add NS records for the ipa.eurosel.az
>>> domain to the parent DNS zone to create proper delegation. In that case you
>>> don't need to fiddle with resolv.conf on all clients.
>>> Let me know if you need further assistance.
>>> Petr^2 Spacek
>>>> 14-Oct-14 12:58, Lukas Slebodnik wrote:
>>>>> On (14/10/14 10:23), Orkhan Gasimov wrote:
>>>>>> Thanks to both of you for the interest.
>>>>>> Here's the info you asked for:
>>>>>> 1. Putting "debug_level = 7" either in the [domain] and/or [nss] section of the
>>>>>> /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
>>>>>> located at /var/log/sssd/sssd.log is only populated with data when I make
>>>>>> some errors in sssd.conf & the sssd process fails to start. But that's the case
>>>>>> only if I deliberately introduce some errors; with the current configuration
>>>>>> sssd starts successfully.
>>>>>> 2. My original sssd.conf (without debugs) is as follows (exact copy of what
>>>>>> was shown in the post at the FreeBSD forums):
>>>>>> -----------------------------------------
>>>>>> [domain/mydomain.com]
>>>>>> cache_credentials = True
>>>>>> krb5_store_password_if_offline = True
>>>>>> ipa_domain = mydomain.com
>>>>>> id_provider = ipa
>>>>>> auth_provider = ipa
>>>>>> access_provider = ipa
>>>>>> ipa_hostname = ipa1.mydomain.com
>>>>>> chpass_provider = ipa
>>>>>> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
>>>>> [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
>>>>> '_ldap._tcp.eurosel.az'
>>>>> ...
>>>>> [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
>>>>> [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not
>>>>> resolved'
>>>>> [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup
>>>>> meta-server), resolver returned (5)
>>>>> DNS discovery of the IPA server failed, because you just configured a few
>>>>> hostnames in /etc/hosts
>>>>> You can add an IP address or hostname to the option ipa_server
>>>>> e.g.
>>>>>      ipa_server = _srv_, vm-120.eurosel.az
>>>>> BTW In my opinion, it is better to have the comment before the option and not on
>>>>> the same line :-)
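The thread's failure mode is easy to reproduce without a DNS server: the `ipa_server = _srv_` entry is expanded by SRV discovery, and a host that only has /etc/hosts entries has no `_ldap._tcp.<domain>` SRV record to find, so the candidate list ends up empty. The following Python example (added here; it is not SSSD, FreeIPA or any participant's code) models that expansion: entries are tried in order, `_srv_` expands to SRV targets sorted by priority, and a failed SRV lookup contributes nothing, which is why appending an explicit hostname after `_srv_` is what makes the fallback work. The SRV lookup is injected as a callable and `FAKE_ZONES` is constructed data standing in for a real resolver; within one priority it orders by weight deterministically rather than the weighted random choice RFC 2782 prescribes. The `ipa2`/`ipa3` replicas are hypothetical.

```python
"""Expand an SSSD ``ipa_server`` value into the order of servers a client would try.

Added illustration, not SSSD code. SRV lookups are injected so the example
runs offline; FAKE_ZONES is constructed data, not a real DNS zone.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


class DnsError(Exception):
    """The SRV name does not exist (what the sssd log prints as 'Domain name not found')."""


# Constructed zone data. The parent zone eurosel.az carries no SRV records (the
# thread's situation: names only in /etc/hosts), while the IPA sub-domain
# ipa.eurosel.az carries the SRV metadata that ipa-server-install --setup-dns
# would publish. ipa2/ipa3 are hypothetical replicas for the ordering demo.
FAKE_ZONES: dict[str, list[SrvRecord]] = {
    "_ldap._tcp.ipa.eurosel.az": [
        SrvRecord(priority=0, weight=100, port=389, target="ipa1.ipa.eurosel.az."),
        SrvRecord(priority=0, weight=50, port=389, target="ipa2.ipa.eurosel.az."),
        SrvRecord(priority=10, weight=100, port=389, target="ipa3.ipa.eurosel.az."),
    ],
}


def fake_srv_lookup(name: str) -> list[SrvRecord]:
    """Stand-in for a resolver: NXDOMAIN for anything not in FAKE_ZONES."""
    try:
        return FAKE_ZONES[name]
    except KeyError:
        raise DnsError(f"SRV query failed: [Domain name not found] for {name}") from None


def parse_server_option(value: str) -> list[str]:
    """Split ``ipa_server = a, b, c`` into trimmed entries, dropping empties."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def resolve_server_list(
    ipa_server: str,
    ipa_domain: str,
    srv_lookup: Callable[[str], Iterable[SrvRecord]] = fake_srv_lookup,
) -> list[str]:
    """Return hostnames in the order they would be tried.

    ``_srv_`` expands to the ``_ldap._tcp.<ipa_domain>`` SRV targets, lowest
    priority first and higher weight first within a priority. A failed SRV
    lookup is skipped (SSSD marks it 'not resolved' and moves on), so a value
    of just ``_srv_`` with no SRV records yields an empty list and the client
    has nowhere to go.
    """
    candidates: list[str] = []
    for entry in parse_server_option(ipa_server):
        if entry.lower() == "_srv_":
            try:
                records = list(srv_lookup(f"_ldap._tcp.{ipa_domain}"))
            except DnsError:
                continue
            ordered = sorted(records, key=lambda r: (r.priority, -r.weight))
            candidates.extend(r.target.rstrip(".") for r in ordered)
        else:
            candidates.append(entry)
    # Keep first occurrence only, so an explicit name already found via SRV
    # is not tried twice.
    unique: list[str] = []
    for host in candidates:
        if host not in unique:
            unique.append(host)
    return unique


if __name__ == "__main__":
    # The two configurations from the thread, side by side.
    print("_srv_ only, eurosel.az  :", resolve_server_list("_srv_", "eurosel.az"))
    print("_srv_ + explicit host   :", resolve_server_list("_srv_, ipa1.eurosel.az", "eurosel.az"))
    print("_srv_ in ipa.eurosel.az :", resolve_server_list("_srv_", "ipa.eurosel.az"))
```

Running it shows the first configuration producing an empty list, which is the behaviour behind the "Couldn't resolve server" log line, and the second falling back to the explicit host; once the IPA sub-domain with its SRV records is resolvable, `_srv_` alone finds every replica in priority order.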

More information about the Freeipa-users mailing list