[Freeipa-users] Different domain enrollment

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Wed Aug 12 12:20:54 UTC 2015


Hello!

On 08/11/2015 06:25 PM, Alexander Bokovoy wrote:
> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> On 08/11/2015 01:43 PM, Alexander Bokovoy wrote:
>>> On Tue, 11 Aug 2015, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> I'm having a problem with a client hostname that differs from the
>>>> primary domain on the IPA server. For example, my primary domain is
>>>> mydomain.co.id, and if the server hostname uses mydomain.co.id, DNS
>>>> discovery is successful.
>>>>
>>>> The problem comes if the client hostname uses a different domain, for
>>>> example anotherdomain.com: DNS discovery fails. Is there any way to
>>>> solve it? Should I enter it manually?
>>> Details of autodiscovery and suggestions on how to configure it are
>>> explained in the man page for ipa-client-install, in the section on DNS
>>> autodiscovery.
>>
>> Thanks for your hints, but I have another question after reading the man
>> pages. Is the best practice for registering a client with the IPA server
>> to use --domain, or to add similar DNS records?
> You would still need a _kerberos TXT record for runtime Kerberos realm
> detection, unless your krb5.conf contains a domain_realm entry for your
> DNS domain.
> 
> Using --domain option is, of course, easy.
> 
> 
Yes, using --domain is very easy.
>> I've tried to create new records on anotherdomain.com (e.g. the original
>> DNS record was _ldap._tcp.mydomain.co.id, and I created a new record for
>> _ldap._tcp.anotherdomain.com).
>>
>> The new DNS records on anotherdomain.com are "_ldap._tcp, _ntp._udp,
>> _kpasswd._udp, _kpasswd._tcp, _kerberos._udp, _kerberos._tcp,
>> _kerberos-master._udp, _kerberos-master._tcp".
>>
>> anotherdomain.com $ ipa-client-install
>> Discovery was successful!
>> Hostname: spectre.anotherdomain.com
>> Realm: MYDOMAIN.CO.ID
>> DNS Domain: anotherdomain.com
>> IPA Server: ipa.anotherdomain.com
>> BaseDN: dc=merahciptamedia,dc=co,dc=id
>>
>> Continue to configure the system with these values? [no]: yes
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Please check that 123 UDP port is opened.
>> User authorized to enroll computers: admin
>> Password for admin at MERAHCIPTAMEDIA.CO.ID:
>> Unable to download CA cert from LDAP.
>> Do you want to download the CA cert from
>> http://ipa.anotherdomain.com/ipa/config/ca.crt?
>> (this is INSECURE) [no]:
>>
>> Is it safe? Or should I just use the --domain parameter?
> I don't think 'Unable to download CA cert from LDAP' is connected to the
> problem you have, but you should be able to see what the issue was in
> /var/log/ipaclient-install.log.
> 
I think the client can't download the CA cert from LDAP because ca.crt
was registered on mydomain.co.id (not anotherdomain.com). For
flexibility, and given my limited knowledge, it is better to use --domain
(for now) :D
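Added example, not part of the thread or of FreeIPA itself: a small script that builds the DNS records a client in a second DNS domain needs for ipa-client-install autodiscovery (the SRV names listed in the thread plus the _kerberos TXT record Alexander mentions), emits the krb5.conf [domain_realm] alternative, and checks a published record set for what is missing. The realm, domain and server names are constructed placeholders; the ports are the standard IPA service ports.

```python
"""Build and check the DNS records ipa-client-install autodiscovery expects
when a client's DNS domain differs from the IPA server's primary domain.

Added example, not code from the mailing-list thread or from FreeIPA.
Record names follow the list in the thread; ports are the standard IPA
service ports. Realm, domain and server names are constructed placeholders.
"""

# SRV record names (as listed in the thread) mapped to the standard ports.
SRV_SERVICES = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
    "_ntp._udp": 123,
}


def discovery_records(client_domain, realm, ipa_server, priority=0, weight=100):
    """Return zone-file lines that let a host in client_domain discover the
    IPA server and its Kerberos realm without passing --domain/--realm."""
    lines = []
    for name, port in SRV_SERVICES.items():
        lines.append(
            f"{name}.{client_domain}. IN SRV {priority} {weight} {port} {ipa_server}."
        )
    # The _kerberos TXT record carries the realm name for runtime realm
    # detection; without it the client needs a [domain_realm] mapping instead.
    lines.append(f'_kerberos.{client_domain}. IN TXT "{realm}"')
    return lines


def krb5_domain_realm(client_domain, realm):
    """Return a krb5.conf [domain_realm] stanza mapping client_domain to realm,
    the alternative to publishing the _kerberos TXT record."""
    return "\n".join([
        "[domain_realm]",
        f"  .{client_domain} = {realm}",
        f"  {client_domain} = {realm}",
    ])


def missing_records(existing_names, client_domain):
    """Given the record owner names already published in client_domain (for
    example collected from dig output), return the discovery names still absent."""
    expected = {f"{name}.{client_domain}" for name in SRV_SERVICES}
    expected.add(f"_kerberos.{client_domain}")
    return sorted(expected - set(existing_names))


# Constructed sample: the record set the poster says was created, which has
# all eight SRV names but no _kerberos TXT record.
POSTED_RECORDS = [f"{name}.anotherdomain.com" for name in SRV_SERVICES]

if __name__ == "__main__":
    for line in discovery_records("anotherdomain.com", "MYDOMAIN.CO.ID",
                                  "ipa.mydomain.co.id"):
        print(line)
    print()
    print(krb5_domain_realm("anotherdomain.com", "MYDOMAIN.CO.ID"))
    print()
    print("missing:", missing_records(POSTED_RECORDS, "anotherdomain.com"))
```

Running the check against the record set from the thread reports only `_kerberos.anotherdomain.com` as missing, which is exactly the TXT record needed for realm detection; adding it, or the [domain_realm] stanza to every client's krb5.conf, is what makes enrollment without --domain work.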