[Freeipa-users] Different domain enrollment

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Tue Aug 11 08:12:45 UTC 2015


Hello!

On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I'm having a problem with a hostname in a domain different from the primary
>> domain on the IPA server. For example, my primary domain is mydomain.co.id,
>> and if the server hostname uses mydomain.co.id, the DNS discovery is
>> successful.
>>
>> The problem comes if the client hostname uses a different domain, for
>> example anotherdomain.com: then the DNS discovery fails. Is there any
>> way to solve it? Should I enter it manually?
> Details of autodiscovery and suggestions on how to configure it are explained
> in the man page for ipa-client-install, section on DNS autodiscovery.

Thanks for your hints, but I have another question after reading the man
pages. Is the best practice for registering a client with the IPA server to
use --domain, or to add similar DNS records?

I've tried creating new records on anotherdomain.com (e.g. the original DNS
record was _ldap._tcp.mydomain.co.id, and I created a new record for
_ldap._tcp.anotherdomain.com).

The new DNS records on anotherdomain.com are "_ldap._tcp, _ntp._udp,
_kpasswd._udp, _kpasswd._tcp, _kerberos._udp, _kerberos._tcp,
_kerberos-master._udp, _kerberos-master._tcp".

anotherdomain.com $ ipa-client-install
Discovery was successful!
Hostname: spectre.anotherdomain.com
Realm: MYDOMAIN.CO.ID
DNS Domain: anotherdomain.com
IPA Server: ipa.anotherdomain.com
BaseDN: dc=merahciptamedia,dc=co,dc=id

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
User authorized to enroll computers: admin
Password for admin at MERAHCIPTAMEDIA.CO.ID:
Unable to download CA cert from LDAP.
Do you want to download the CA cert from
http://ipa.anotherdomain.com/ipa/config/ca.crt?
(this is INSECURE) [no]:

Is it safe? Or should I just use the --domain parameter?
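Editor's added example (not part of the original post and not FreeIPA's own code): a POSIX shell script that generates the SRV records a second DNS domain needs so that ipa-client-install autodiscovery finds the existing IPA server, checks live answers against the expected target, and enrolls with every discovery value fixed on the command line plus a CA certificate copied to the client out of band. The "(this is INSECURE)" prompt in the output above means the installer would fetch the CA certificate over plain HTTP, where anything on the network path could hand the client a different CA; the --ca-cert-file option (documented in the ipa-client-install man page) together with a fingerprint check avoids that download entirely. The server name ipa.mydomain.co.id, the CA file path and the fingerprint value are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Hostnames, paths and the
# fingerprint are assumptions; the SRV names are the ones listed in the post.

# Discovery services ipa-client-install looks up, with their standard ports.
IPA_SRV_SERVICES="_ldap._tcp:389 _kerberos._tcp:88 _kerberos._udp:88 \
_kerberos-master._tcp:88 _kerberos-master._udp:88 \
_kpasswd._tcp:464 _kpasswd._udp:464 _ntp._udp:123"

# ipa_srv_records DOMAIN IPA_SERVER_FQDN
# Prints BIND zone-file lines for DOMAIN that point every discovery service
# at IPA_SERVER_FQDN. The target must resolve via A/AAAA, never via a CNAME.
ipa_srv_records() {
    domain=$1
    server=$2
    for entry in $IPA_SRV_SERVICES; do
        name=${entry%%:*}
        port=${entry##*:}
        printf '%s.%s. IN SRV 0 100 %s %s.\n' "$name" "$domain" "$port" "$server"
    done
}

# srv_target_ok DIG_ANSWER EXPECTED_TARGET
# DIG_ANSWER is one line of `dig +short SRV <name>` output, i.e.
# "priority weight port target.". Succeeds only when the target matches.
srv_target_ok() {
    answer=$1
    expected=$2
    set -- $answer
    [ "$#" -eq 4 ] || return 1
    target=${4%.}
    [ "$target" = "${expected%.}" ]
}

# check_discovery DOMAIN IPA_SERVER_FQDN
# Queries live DNS for each record and reports any that are missing or point
# somewhere other than the expected server (needs dig and network access).
check_discovery() {
    domain=$1
    server=$2
    rc=0
    for entry in $IPA_SRV_SERVICES; do
        name=${entry%%:*}.$domain
        answer=$(dig +short SRV "$name" | head -n 1)
        if srv_target_ok "$answer" "$server"; then
            echo "ok       $name -> $answer"
        else
            echo "MISSING  $name (got: '${answer:-no answer}')"
            rc=1
        fi
    done
    return $rc
}

# ipa_enroll_pinned DOMAIN REALM IPA_SERVER_FQDN CA_FILE EXPECTED_SHA256
# Refuses to enroll unless CA_FILE (copied to the client out of band, for
# example the server's /etc/ipa/ca.crt) has the SHA-256 fingerprint the IPA
# admin gave you, then runs ipa-client-install with autodiscovery bypassed.
# Requires openssl and root; the --ca-cert-file flag is from the man page.
ipa_enroll_pinned() {
    fp=$(openssl x509 -in "$4" -noout -fingerprint -sha256 | cut -d= -f2)
    if [ "$fp" != "$5" ]; then
        echo "CA fingerprint mismatch for $4: got $fp, expected $5" >&2
        return 1
    fi
    ipa-client-install --domain="$1" --realm="$2" --server="$3" --ca-cert-file="$4"
}

# Offline demo with constructed values: records for anotherdomain.com that
# point at the assumed server ipa.mydomain.co.id.
ipa_srv_records anotherdomain.com ipa.mydomain.co.id
```

Usage: paste the printed lines into the anotherdomain.com zone, run `check_discovery anotherdomain.com ipa.mydomain.co.id` from the client, and enroll with `ipa_enroll_pinned mydomain.co.id MYDOMAIN.CO.ID ipa.mydomain.co.id /root/ipa-ca.crt <fingerprint>`; with --domain, --realm and --server given explicitly, the SRV records are not consulted at all, so the pinned certificate is what decides trust.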
