[Freeipa-users] Different domain enrollment

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 11 11:25:14 UTC 2015


On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>Hello!
>
>On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
>> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> I'm having a problem with a hostname in a different domain from the
>>> primary domain on the IPA server. For example, my primary domain is
>>> mydomain.co.id, and if the server hostname uses mydomain.co.id, the
>>> DNS discovery is successful.
>>>
>>> The problem comes if the client hostname uses a different domain, for
>>> example anotherdomain.com; then the DNS discovery fails. Is there any
>>> way to solve it? Should I enter it manually?
>> Details of autodiscovery and suggestions on how to configure it are
>> explained in the man page for ipa-client-install, in the section on
>> DNS autodiscovery.
>
>Thanks for your hints, but I have another question after reading the man
>pages. Is the best practice for registering a client to the IPA server
>to use --domain, or to add similar DNS records?
You would still need a _kerberos TXT record for runtime Kerberos realm
detection unless your krb5.conf contains a domain_realm entry for your
DNS domain.

Using --domain option is, of course, easy.


>I've tried to create new records on anotherdomain.com (e.g. the original
>DNS record was _ldap._tcp.mydomain.co.id, and I created a new record for
>_ldap._tcp.anotherdomain.com).
>
>The new DNS records on anotherdomain.com are "_ldap._tcp, _ntp._udp,
>_kpasswd._udp, _kpasswd._tcp, _kerberos._udp, _kerberos._tcp,
>_kerberos-master._udp, _kerberos-master._tcp".
>
>anotherdomain.com $ ipa-client-install
>Discovery was successful!
>Hostname: spectre.anotherdomain.com
>Realm: MYDOMAIN.CO.ID
>DNS Domain: anotherdomain.com
>IPA Server: ipa.anotherdomain.com
>BaseDN: dc=merahciptamedia,dc=co,dc=id
>
>Continue to configure the system with these values? [no]: yes
>Synchronizing time with KDC...
>Unable to sync time with IPA NTP server, assuming the time is in sync.
>Please check that 123 UDP port is opened.
>User authorized to enroll computers: admin
>Password for admin at MERAHCIPTAMEDIA.CO.ID:
>Unable to download CA cert from LDAP.
>Do you want to download the CA cert from
>http://ipa.anotherdomain.com/ipa/config/ca.crt?
>(this is INSECURE) [no]:
>
>Is it safe? Or just use --domain parameter?
I don't think 'Unable to download CA cert from LDAP' is connected to the
problem you have, but you should be able to see what the issue was in
/var/log/ipaclient-install.log.

-- 
/ Alexander Bokovoy
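As an added illustration of the point made above (example code, not part of the thread or of FreeIPA): the record set the poster created for anotherdomain.com contains the SRV records ipa-client-install discovers with, but no `_kerberos` TXT record, so a Kerberos client that learns its realm from DNS has nothing to go on unless krb5.conf carries a `[domain_realm]` mapping. The zone snippet and record list below are constructed for this example; the check is a simplified model of the lookup, not the actual discovery code.

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone-file snippet for the client's DNS domain. It mirrors the
# record names listed in the thread: SRV records only, no _kerberos TXT.
ZONE = """
_ldap._tcp.anotherdomain.com.            SRV 0 100 389 ipa.anotherdomain.com.
_kerberos._udp.anotherdomain.com.        SRV 0 100 88  ipa.anotherdomain.com.
_kerberos._tcp.anotherdomain.com.        SRV 0 100 88  ipa.anotherdomain.com.
_kerberos-master._udp.anotherdomain.com. SRV 0 100 88  ipa.anotherdomain.com.
_kerberos-master._tcp.anotherdomain.com. SRV 0 100 88  ipa.anotherdomain.com.
_kpasswd._udp.anotherdomain.com.         SRV 0 100 464 ipa.anotherdomain.com.
_kpasswd._tcp.anotherdomain.com.         SRV 0 100 464 ipa.anotherdomain.com.
_ntp._udp.anotherdomain.com.             SRV 0 100 123 ipa.anotherdomain.com.
"""

# SRV owner names a client looks up under its own DNS domain (assumed list
# for this example; the LDAP one drives ipa-client-install discovery, the
# Kerberos ones are used by the krb5 library at runtime).
REQUIRED_SRV = ["_ldap._tcp", "_kerberos._udp", "_kerberos._tcp",
                "_kpasswd._udp", "_kpasswd._tcp"]

def parse_zone(text: str) -> Dict[str, List[str]]:
    """Map 'owner TYPE' -> list of rdata strings for a simple zone snippet."""
    records: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.split(None, 2)          # owner, type, rest-of-line
        if len(parts) == 3:
            owner, rtype, rdata = parts
            records.setdefault(f"{owner.rstrip('.')} {rtype}", []).append(rdata)
    return records

def check_discovery(records: Dict[str, List[str]],
                    domain: str) -> Tuple[List[str], Optional[str]]:
    """Return (missing SRV names, realm from _kerberos TXT or None)."""
    missing = [n for n in REQUIRED_SRV if f"{n}.{domain} SRV" not in records]
    txt = records.get(f"_kerberos.{domain} TXT")
    realm = txt[0].strip().strip('"') if txt else None
    return missing, realm

def domain_realm_stanza(domain: str, realm: str) -> str:
    """krb5.conf [domain_realm] mapping: the alternative to the TXT record."""
    return f"[domain_realm]\n .{domain} = {realm}\n {domain} = {realm}\n"

if __name__ == "__main__":
    missing, realm = check_discovery(parse_zone(ZONE), "anotherdomain.com")
    print("missing SRV:", missing or "none")
    if realm is None:   # the thread's situation: SRV present, TXT absent
        print("no _kerberos TXT record; either add one or configure:")
        print(domain_realm_stanza("anotherdomain.com", "MYDOMAIN.CO.ID"))
```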

