[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 14 13:06:02 UTC 2014 

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
>So which way do I go?
>1) Change the server VM`s hostname from "ipa1.eurosel.az" to 
>"ipa1.ipa.eurosel.az" prior to issuing IPA installation command
>2) or leave my hostname and contents of /etc/hosts file intact and 
>specify a different FQDN and domain part of the IPA server after 
>issuing IPA installation command?
>Yes, I know - this is a question Homer Simpson would ask.
Allocate ipa.eurosel.az domain zone to FreeIPA and install FreeIPA with
integrated DNS. Essentially, (1), with domain=ipa.eurosel.az, realm
IPA.EUROSEL.AZ.

If you want later to see how this setup scales, all you would need to do
is to make sure the other clients would use ipa1.ipa.eurosel.az as a
resolver.

>
>
>14-Oct-14 17:43, Petr Spacek пишет:
>>On 14.10.2014 13:48, Orkhan Gasimov wrote:
>>>I need further assistance with this moment:
>>>"specify IPA domain name which is sub-domain of you existing 
>>>domain (e.g.
>>>ipa.eurosel.az) ".
>>>
>>>Currently my FreeIPA server's hostname is ipa1.eurosel.az, and client's
>>>hostname is bsd1.eurosel.az.
>>>So when running this command:
>>>
>>>"ipa-server-install --setup-dns --forwarder <ip address of your 
>>>*existing* DNS
>>>server>",
>>>
>>>the installation program detects the hostname of the VM 
>>>(ipa1.eurosel.az) and
>>>offers it as IPA server FQDN;
>>>then it offers "eurosel.az" as the domain name. I can make changes right
>>>during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
>>>ipa.eurosel.az), but then there will be a conflict with the real 
>>>hostname and
>>>records in the /etc/hosts file.
>>>
>>>On the other hand, if I change the hostname of the server VM to
>>>"ipa1.ipa.eurosel.az" prior to running the IPA installation 
>>>program, then the
>>>installation program will offer my server an FQDN of 
>>>"ipa1.ipa.eurosel.az" and
>>>a domain name of "ipa.eurosel.az". But doesn`t it mean that my client`s
>>>hostname should also be changed to bsd1.ipa.eurosel.az? I`d like 
>>>to avoid
>>>this, because in production I won`t be able to change the domain 
>>>part of FQDN
>>>for hundreds of clients.
>>
>>Clients don't need to be in the same domain as IPA. The IPA domain 
>>in DNS is necessary to store 'metadata' like SRV and TXT records 
>>etc.
>>
>>You can even experiment with IPA servers which are not in the IPA 
>>domain but I'm not sure how much it was tested.
>>
>>Alexander can add more details about records required for AD 
>>integration and how it should work with clients which are not in the 
>>IPA domain.
>>
>>Petr^2 Spacek
>>
>>>
>>>14-Oct-14 16:29, Petr Spacek пишет:
>>>>On 14.10.2014 11:49, Orkhan Gasimov wrote:
>>>>>I suspected that problems could arise with DNS, and here they are...
>>>>>
>>>>>In fact, this entire string: "ipa_server = _srv_ #our FreeIPA 
>>>>>server has DNS
>>>>>SRV entries" was taken as-is from the how-to on FreeBSD 
>>>>>forums. First I
>>>>>commented it out, because was unsure sure if it was 
>>>>>appropriate for my simple
>>>>>setup with just 2 VMs and and a bunch of records in /etc/hosts 
>>>>>file. After
>>>>>starting sssd, I could get no IPA data with"getent passwd" or 
>>>>>"getent group"
>>>>>commands. They I uncommented it and restarted sssd, but things 
>>>>>remained the
>>>>>same.
>>>>>
>>>>>Now your advice is:  "...add IP address or hostname to the 
>>>>>option ipa_server",
>>>>>but you use an arbitrary name like "vm-120.eurosel.az". Could 
>>>>>you please
>>>>>explain which host`s FQDN I should put there? If I use 
>>>>>"ipa1.eurosel.az", then
>>>>>sssd won`t start (complains about "...Looping detected inside
>>>>>krb5_get_in_tkt...").
>>>>>
>>>>>If it MUST be a DNS server, then everything changes. And the 
>>>>>question then
>>>>>becomes: is it possible to set up a test FreeIPA client-server 
>>>>>interaction
>>>>>using only 2 VMs and proper records in /etc/hosts instead of a 
>>>>>DNS server? Or
>>>>>one MUST add a third VM and make it a DNS server to facilitate 
>>>>>client-server
>>>>>interaction?
>>>>
>>>>IPA theoretically can work without DNS records but it requires 
>>>>very careful
>>>>configuration on clients and is strongly discouraged.
>>>>
>>>>If you want to do quick & dirty test, do this:
>>>>$ ipa-server-install --setup-dns --forwarder <ip address of your 
>>>>*existing*
>>>>DNS server>
>>>>+ specify IPA domain name which is sub-domain of you existing 
>>>>domain (e.g.
>>>>ipa.eurosel.az)
>>>>+ change /etc/resolv.conf on *all* clients to point to IPA server
>>>>
>>>>*This is a dirty trick* and it will not work unless all your 
>>>>clients has the
>>>>IPA server in resolv.conf. It will most likely break when you 
>>>>try to use AD
>>>>trust with AD clients etc.
>>>>
>>>>
>>>>*In production environment* you should add NS records for 
>>>>ipa.eurosel.az
>>>>domain to the parent DNS zone to create proper delegation. In 
>>>>that case you
>>>>don't need to fiddle with resolv.conf on all clients.
>>>>
>>>>Let me know if you need further assistance.
>>>>
>>>>Petr^2 Spacek
>>>>
>>>>
>>>>>14-Oct-14 12:58, Lukas Slebodnik пишет:
>>>>>>On (14/10/14 10:23), Orkhan Gasimov wrote:
>>>>>>>Thanks to both of you for the interest.
>>>>>>>Here`s the info you asked:
>>>>>>>
>>>>>>>1. Putting "debug_level = 7" either in [domain] or/and 
>>>>>>>[nss] section of the
>>>>>>>/usr/local/etc/sssd/sssd.conf file gives nothing in the 
>>>>>>>log. The log file
>>>>>>>located at /var/log/sssd/sssd.log is only populated with 
>>>>>>>data when I make
>>>>>>>some errors in sssd.conf & sssd process fails to start. 
>>>>>>>But that`s the case
>>>>>>>only if I deliberately introduce some errors; with current 
>>>>>>>configuration
>>>>>>>sssd
>>>>>>>starts successfully.
>>>>>>>
>>>>>>>2. My original sssd.conf (without debugs) is as follows 
>>>>>>>(exact copy of what
>>>>>>>was shown in the post at FreeBSD forums):
>>>>>>>
>>>>>>>-----------------------------------------
>>>>>>>[domain/mydomain.com]
>>>>>>>cache_credentials = True
>>>>>>>krb5_store_password_if_offline = True
>>>>>>>ipa_domain = mydomain.com
>>>>>>>id_provider = ipa
>>>>>>>auth_provider = ipa
>>>>>>>access_provider = ipa
>>>>>>>ipa_hostname = ipa1.mydomain.com
>>>>>>>chpass_provider = ipa
>>>>>>>ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
>>>>>>
>>>>>>[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
>>>>>>'_ldap._tcp.eurosel.az'
>>>>>>...
>>>>>>[resolve_srv_done] (0x0020): SRV query failed: [Domain name 
>>>>>>not found]
>>>>>>[set_srv_data_status] (0x0100): Marking SRV lookup of 
>>>>>>service 'IPA' as 'not
>>>>>>resolved'
>>>>>>[be_resolve_server_process] (0x0080): Couldn't resolve 
>>>>>>server (SRV lookup
>>>>>>meta-server), resolver returned (5)
>>>>>>
>>>>>>DNS discovery of IPA server failed, becuase you just 
>>>>>>configured few hostnames
>>>>>>in /etc/hosts
>>>>>>
>>>>>>You can add IP address or hostname to the option ipa_server
>>>>>>e.g.
>>>>>>     ipa_server = _srv_, vm-120.eurosel.az
>>>>>>
>>>>>>BTW In my opinion, it is better to have comment before the 
>>>>>>optiona and not on
>>>>>>the same line :-)
>
>-- 
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go To http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy

More information about the Freeipa-users mailing list