[Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS

rob.harper at stfc.ac.uk rob.harper at stfc.ac.uk
Tue Jan 20 15:20:52 UTC 2015


Hi Petr,

Thanks for the reply.

I wrote:
<snip>
> > I have been trying to set up SRV records for the FreeIPA server by
> > providing the autogenerated zone file to our DNS manager, who has
> > incorporated the configuration.  When we deployed these changes, I used
> > dig to confirm that SRV queries were giving appropriate responses, which
> > they appear to be.
> >
> > I then tried setting up a client using ipa-client-install and got an error:
> >
> > Failed to verify that freeipa01.<munged.domain> is an IPA Server.
> > This may mean that the remote server is not up or is not reachable due to
> > network or firewall settings.

<snip>

> > The zone config we currently have in place is as follows (we changed
> > hostnames in the sample file to fqdns for this attempt, but the same
> > symptoms came from bare hostnames)...
> >
> > ; ldap servers
> > _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
> > ;
> > ; kerberos realm
> > _kerberos.my.domain. IN TXT my.domain.
> > ;
> > ; kerberos servers
> > _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> > _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> > _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> > ;
> > ; ntp server
> > _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.


Petr wrote:
> Interesting. Please provide us with information listed on
> http://www.freeipa.org/page/Troubleshooting#Client_Installation

OK, log file attached.
 
> Additionally not-obfuscated output from dig could help too.

Transcript of some dig commands attached (script output edited to clear up control characters).

> Also, please keep in mind that:
> 1) Log obfuscation will make debugging harder for us.
> 2) Obfuscating DNS names does not bring any real security.
> 
> Did you read your e-mail headers? DNS domain EXCHMBX01.fed.cclrc.ac.uk is
> in there ...

Point taken, I won't do that again. :)

And thanks again.

Rob
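As an added check for the zone snippet quoted above (example code written for this thread, not from the list post or the FreeIPA project): a small Python script that parses the BIND-style records and reports which of the discovery records an IPA client looks for are missing, carry an unexpected port, or point at a relative (un-dotted) target. The sample zone is constructed from the post; the expected-port table and the regular expressions are assumptions of this example.

```python
import re
# Constructed sample: the zone snippet from the post (obfuscated domain kept as-is).
ZONE = """\
; ldap servers
_ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
_kerberos.my.domain. IN TXT my.domain.
_kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
_kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
_ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
"""

# Discovery records from the post, with the port each IPA service listens on
# (assumed table for this example).
EXPECTED_SRV = {
    "_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kerberos-master._tcp": 88, "_kerberos-master._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464, "_ntp._udp": 123,
}
SRV_RE = re.compile(r"^(_[\w-]+\._(?:tcp|udp))\.([\w.-]+)\.\s+IN\s+SRV\s+\d+\s+\d+\s+(\d+)\s+(\S+)$")
TXT_RE = re.compile(r"^_kerberos\.([\w.-]+)\.\s+IN\s+TXT\s+(\S+)$")

def check_zone(zone, domain):
    """Report missing SRV records, port mismatches, relative targets and the realm TXT."""
    srv, realm = {}, None
    for line in zone.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or zone-file comment
        m = SRV_RE.match(line)
        if m and m.group(2) == domain:
            srv[m.group(1)] = (int(m.group(3)), m.group(4))
            continue
        m = TXT_RE.match(line)
        if m and m.group(1) == domain:
            realm = m.group(2)
    return {
        "missing": sorted(n for n in EXPECTED_SRV if n not in srv),
        "wrong_port": sorted(n for n, (p, _) in srv.items()
                             if n in EXPECTED_SRV and EXPECTED_SRV[n] != p),
        # A target without a trailing dot is relative to the zone origin;
        # the post tried both bare hostnames and FQDNs here.
        "relative_target": sorted(n for n, (_, t) in srv.items() if not t.endswith(".")),
        "realm_txt": realm,
        # Kerberos realm names are case-sensitive and conventionally uppercase.
        "realm_not_upper": realm is not None and realm != realm.upper(),
    }
```

Run `check_zone(ZONE, "my.domain")` against the real zone export before handing it to the DNS manager, and again against `dig` output once the change is live.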
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipaclient-install.log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150120/b0b96acc/attachment.log>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dig_queries
Type: application/octet-stream
Size: 9188 bytes
Desc: dig_queries
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150120/b0b96acc/attachment.obj>