[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Orkhan Gasimov orkhan-azeri at mail.ru
Tue Oct 14 19:40:01 UTC 2014

Ok, friends, you helped me to understand one thing. My test scenario with 2 VMs and no DNS server introduces problems with DNS resolution, which seems to be almost necessary. So now I have 2 tasks:
1) properly configure IPA server to work with DNS;
2) make a FreeBSD host (which is a "non-native" client for FreeIPA) join an IPA domain.
As problems of the first task can be errantly considered to be problems of the second task, I'll change my approach. First I'll try to set up a Fedora FreeIPA server with DNS and add a "native" Fedora FreeIPA client to it. (I guess a Fedora client:
1) should be easier to set up;
2) is guaranteed to work if configured properly.)
Then I'll try to add a FreeBSD client to my working setup and see if the post at FreeBSD forums leads to a working solution. I'll share the results with you, however it may take some time before I set up a working Fedora IPA server - Fedora IPA client setup. If you have any links to proved-to-work tutorials (either in text or video format), please share.

Отправлено от Blue Mail

На 23:47, 14.10.2014, в 23:47, Petr Spacek <pspacek at redhat.com> написал:п>On 14.10.2014 15:06, Alexander Bokovoy wrote:
>> On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
>>> So which way do I go?
>>> 1) Change the server VM`s hostname from "ipa1.eurosel.az" to
>>> "ipa1.ipa.eurosel.az" prior to issuing IPA installation command
>>> 2) or leave my hostname and contents of /etc/hosts file intact and
>specify a
>>> different FQDN and domain part of the IPA server after issuing IPA
>>> installation command?
>>> Yes, I know - this is a question Homer Simpson would ask.
>> Allocate ipa.eurosel.az domain zone to FreeIPA and install FreeIPA
>> integrated DNS. Essentially, (1), with domain=ipa.eurosel.az, realm
>> If you want later to see how this setup scales, all you would need to
>> is to make sure the other clients would use ipa1.ipa.eurosel.az as a
>> resolver.
>Again - in production it is unnecessary to change resolv.conf if you
>proper NS records in place.
>Petr^2 Spacek
>>> 14-Oct-14 17:43, Petr Spacek пишет:
>>>> On 14.10.2014 13:48, Orkhan Gasimov wrote:
>>>>> I need further assistance with this moment:
>>>>> "specify IPA domain name which is sub-domain of you existing
>domain (e.g.
>>>>> ipa.eurosel.az) ".
>>>>> Currently my FreeIPA server's hostname is ipa1.eurosel.az, and
>>>>> hostname is bsd1.eurosel.az.
>>>>> So when running this command:
>>>>> "ipa-server-install --setup-dns --forwarder <ip address of your
>>>>> DNS
>>>>> server>",
>>>>> the installation program detects the hostname of the VM
>(ipa1.eurosel.az) and
>>>>> offers it as IPA server FQDN;
>>>>> then it offers "eurosel.az" as the domain name. I can make changes
>>>>> during the installation process (FQDN = ipa1.ipa.eurosel.az &
>domain =
>>>>> ipa.eurosel.az), but then there will be a conflict with the real
>hostname and
>>>>> records in the /etc/hosts file.
>>>>> On the other hand, if I change the hostname of the server VM to
>>>>> "ipa1.ipa.eurosel.az" prior to running the IPA installation
>program, then the
>>>>> installation program will offer my server an FQDN of
>>>>> and
>>>>> a domain name of "ipa.eurosel.az". But doesn`t it mean that my
>>>>> hostname should also be changed to bsd1.ipa.eurosel.az? I`d like
>to avoid
>>>>> this, because in production I won`t be able to change the domain
>part of FQDN
>>>>> for hundreds of clients.
>>>> Clients don't need to be in the same domain as IPA. The IPA domain
>in DNS
>>>> is necessary to store 'metadata' like SRV and TXT records etc.
>>>> You can even experiment with IPA servers which are not in the IPA
>>>> but I'm not sure how much it was tested.
>>>> Alexander can add more details about records required for AD
>>>> and how it should work with clients which are not in the IPA
>>>> Petr^2 Spacek
>>>>> 14-Oct-14 16:29, Petr Spacek пишет:
>>>>>> On 14.10.2014 11:49, Orkhan Gasimov wrote:
>>>>>>> I suspected that problems could arise with DNS, and here they
>>>>>>> In fact, this entire string: "ipa_server = _srv_ #our FreeIPA
>server has
>>>>>>> DNS
>>>>>>> SRV entries" was taken as-is from the how-to on FreeBSD forums.
>First I
>>>>>>> commented it out, because was unsure sure if it was appropriate
>for my
>>>>>>> simple
>>>>>>> setup with just 2 VMs and and a bunch of records in /etc/hosts
>file. After
>>>>>>> starting sssd, I could get no IPA data with"getent passwd" or
>>>>>>> group"
>>>>>>> commands. They I uncommented it and restarted sssd, but things
>remained the
>>>>>>> same.
>>>>>>> Now your advice is:  "...add IP address or hostname to the
>>>>>>> ipa_server",
>>>>>>> but you use an arbitrary name like "vm-120.eurosel.az". Could
>you please
>>>>>>> explain which host`s FQDN I should put there? If I use
>>>>>>> "ipa1.eurosel.az", then
>>>>>>> sssd won`t start (complains about "...Looping detected inside
>>>>>>> krb5_get_in_tkt...").
>>>>>>> If it MUST be a DNS server, then everything changes. And the
>question then
>>>>>>> becomes: is it possible to set up a test FreeIPA client-server
>>>>>>> using only 2 VMs and proper records in /etc/hosts instead of a
>>>>>>> server? Or
>>>>>>> one MUST add a third VM and make it a DNS server to facilitate
>>>>>>> client-server
>>>>>>> interaction?
>>>>>> IPA theoretically can work without DNS records but it requires
>very careful
>>>>>> configuration on clients and is strongly discouraged.
>>>>>> If you want to do quick & dirty test, do this:
>>>>>> $ ipa-server-install --setup-dns --forwarder <ip address of your
>>>>>> DNS server>
>>>>>> + specify IPA domain name which is sub-domain of you existing
>domain (e.g.
>>>>>> ipa.eurosel.az)
>>>>>> + change /etc/resolv.conf on *all* clients to point to IPA server
>>>>>> *This is a dirty trick* and it will not work unless all your
>clients has the
>>>>>> IPA server in resolv.conf. It will most likely break when you try
>to use AD
>>>>>> trust with AD clients etc.
>>>>>> *In production environment* you should add NS records for
>>>>>> domain to the parent DNS zone to create proper delegation. In
>that case you
>>>>>> don't need to fiddle with resolv.conf on all clients.
>>>>>> Let me know if you need further assistance.
>>>>>> Petr^2 Spacek
>>>>>>> 14-Oct-14 12:58, Lukas Slebodnik пишет:
>>>>>>>> On (14/10/14 10:23), Orkhan Gasimov wrote:
>>>>>>>>> Thanks to both of you for the interest.
>>>>>>>>> Here`s the info you asked:
>>>>>>>>> 1. Putting "debug_level = 7" either in [domain] or/and [nss]
>>>>>>>>> of the
>>>>>>>>> /usr/local/etc/sssd/sssd.conf file gives nothing in the log.
>The log file
>>>>>>>>> located at /var/log/sssd/sssd.log is only populated with data
>when I make
>>>>>>>>> some errors in sssd.conf & sssd process fails to start. But
>that`s the
>>>>>>>>> case
>>>>>>>>> only if I deliberately introduce some errors; with current
>>>>>>>>> sssd
>>>>>>>>> starts successfully.
>>>>>>>>> 2. My original sssd.conf (without debugs) is as follows (exact
>copy of
>>>>>>>>> what
>>>>>>>>> was shown in the post at FreeBSD forums):
>>>>>>>>> -----------------------------------------
>>>>>>>>> [domain/mydomain.com]
>>>>>>>>> cache_credentials = True
>>>>>>>>> krb5_store_password_if_offline = True
>>>>>>>>> ipa_domain = mydomain.com
>>>>>>>>> id_provider = ipa
>>>>>>>>> auth_provider = ipa
>>>>>>>>> access_provider = ipa
>>>>>>>>> ipa_hostname = ipa1.mydomain.com
>>>>>>>>> chpass_provider = ipa
>>>>>>>>> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
>>>>>>>> [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
>>>>>>>> '_ldap._tcp.eurosel.az'
>>>>>>>> ...
>>>>>>>> [resolve_srv_done] (0x0020): SRV query failed: [Domain name not
>>>>>>>> [set_srv_data_status] (0x0100): Marking SRV lookup of service
>'IPA' as
>>>>>>>> 'not
>>>>>>>> resolved'
>>>>>>>> [be_resolve_server_process] (0x0080): Couldn't resolve server
>(SRV lookup
>>>>>>>> meta-server), resolver returned (5)
>>>>>>>> DNS discovery of IPA server failed, becuase you just configured
>>>>>>>> hostnames
>>>>>>>> in /etc/hosts
>>>>>>>> You can add IP address or hostname to the option ipa_server
>>>>>>>> e.g.
>>>>>>>>     ipa_server = _srv_, vm-120.eurosel.az
>>>>>>>> BTW In my opinion, it is better to have comment before the
>optiona and
>>>>>>>> not on
>>>>>>>> the same line :-)
>Manage your subscription for the Freeipa-users mailing list:
>Go To http://freeipa.org for more info on the project
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141015/8f0ba39e/attachment.htm>

More information about the Freeipa-users mailing list