[Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS
dbischof at hrz.uni-kassel.de
Tue Jan 20 15:37:50 UTC 2015
Rob,
On Mon, 19 Jan 2015, rob.harper at stfc.ac.uk wrote:
> I have successfully set up a test FreeIPA server and run it for a while,
> but the time has come to move towards a production service. I am
> currently running ipa-server version 3.0.0-25 on Scientific Linux 6.4
> (if you don't know it, Scientific Linux is basically a rebuild of
> RedHat, much like CentOS). Yes, I know this is an older FreeIPA, but I
> am going through the path of least resistance given our site's current
> standard configuration.
>
> On our site there is a central DNS service and it is unlikely we will be
> allowed to run our own DNS service (other than as a slave/caching NS).
>
> I have been trying to set up SRV records for the FreeIPA server by
> providing the autogenerated zone file to our DNS manager, who has
> incorporated the configuration. When we deployed these changes, I used
> dig to confirm that SRV queries were giving appropriate responses, which
> they appear to be.
>
> I then tried setting up a client using ipa-client-install and got an
> error:
>
> Failed to verify that freeipa01.<munged.domain> is an IPA Server. This
> may mean that the remote server is not up or is not reachable due to
> network or firewall settings.
>
> The install worked on a client before deploying the SRV records, using
> manual specification of the server. I disabled iptables on the server
> to eliminate potential problems there, and got the same result. If we
> disable the SRV records, I am able to do the manual set-up again.
>
> So it looks like the problem is at the DNS end of things, so maybe our
> zone configuration is missing something.
>
> The zone config we currently have in place is as follows (we changed
> hostnames in the sample file to fqdns for this attempt, but the same
> symptoms came from bare hostnames)...
>
> ; ldap servers
> _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
> ;
> ; kerberos realm
> _kerberos.my.domain. IN TXT my.domain.
This looks odd to me; our central DNS TXT record zone entry looks like
---
_kerberos 86400 IN TXT "MY.DOMAIN"
---
where "MY.DOMAIN" is my Kerberos realm (usually the domain name in capital
letters).
If you do a
---
dig +short -t TXT _kerberos.my.domain
---
it should answer
---
"MY.DOMAIN"
---
> ;
> ; kerberos servers
> _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
> _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
> ;
> ; ntp server
> _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
>
>
> ...So that is where I am. I was hoping that someone could give me a
> pointer or two as to how I might debug this problem and actually get
> service discovery working.
Mit freundlichen Gruessen/With best regards,
--Daniel.
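An added check, not part of the thread or of FreeIPA itself: a small Python script that parses the kind of zone fragment Rob posted and audits the records a FreeIPA client depends on for discovery. It assumes the record set the client needs is the _ldap._tcp, _kerberos._tcp/_udp and _kpasswd._tcp/_udp SRV records plus the _kerberos TXT record carrying the realm as a quoted, exact-case string, and it assumes the realm is MY.DOMAIN as in Daniel's reply. The two zone samples are constructed inline from the records quoted above, so it runs offline; the _kerberos-master and _ntp records are not checked. The parser handles only one-record-per-line master-file syntax without $directives, parentheses or semicolons inside quoted strings.

```python
import re
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name, RR type, rdata)

# SRV owners assumed to be required for client discovery, with the expected port.
REQUIRED_SRV: Dict[str, int] = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}


def _absolute(name: str, origin: str) -> str:
    """Turn a zone-file owner name into a lowercase absolute name."""
    if name == "@":
        return origin
    if not name.endswith("."):
        name = f"{name}.{origin}"
    return name.lower()


def parse_zone(text: str, origin: str) -> List[Record]:
    """Parse one-record-per-line master-file syntax: owner, optional TTL,
    optional class, type, rdata.  ';' starts a comment (assumes no ';' inside
    quoted strings); $directives and parentheses are not supported."""
    origin = origin.rstrip(".").lower() + "."
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        owner = _absolute(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():        # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        if not tokens:
            continue
        rrtype = tokens.pop(0).upper()
        records.append((owner, rrtype, " ".join(tokens)))
    return records


def check_discovery(records: List[Record], domain: str, realm: str) -> List[str]:
    """Return a list of problems; an empty list means the discovery records look sane."""
    domain = domain.rstrip(".").lower() + "."
    problems: List[str] = []

    # The _kerberos TXT record must hold the realm, quoted, spelled exactly as the KDC does.
    txt = [rd for own, typ, rd in records if own == f"_kerberos.{domain}" and typ == "TXT"]
    if not txt:
        problems.append(f"no TXT record at _kerberos.{domain}")
    for rdata in txt:
        m = re.fullmatch(r'"([^"]*)"', rdata)
        value = m.group(1) if m else rdata
        if not m:
            problems.append(f"_kerberos TXT value {rdata!r} is not a quoted string")
        if value != realm:
            problems.append(f"_kerberos TXT says {value!r}, realm is {realm!r}"
                            " (realm names are case-sensitive and carry no trailing dot)")

    # Every required SRV record must exist, be well formed and use the expected port.
    for service, port in REQUIRED_SRV.items():
        owner = f"{service}.{domain}"
        srv = [rd for own, typ, rd in records if own == owner and typ == "SRV"]
        if not srv:
            problems.append(f"missing SRV record {owner}")
            continue
        for rdata in srv:
            fields = rdata.split()
            if len(fields) != 4 or not all(f.isdigit() for f in fields[:3]):
                problems.append(f"{owner} SRV rdata {rdata!r} is not 'prio weight port target'")
            elif int(fields[2]) != port:
                problems.append(f"{owner} SRV uses port {fields[2]}, expected {port}")
    return problems


# Constructed sample: the fragment quoted in the thread, TXT value unquoted and lowercase.
ROB_ZONE = """\
; ldap servers
_ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
; kerberos realm
_kerberos.my.domain. IN TXT my.domain.
; kerberos servers
_kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
_kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
_kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
; ntp server
_ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
"""

# Constructed sample: the same zone with the TXT record written the way Daniel's is.
FIXED_ZONE = ROB_ZONE.replace("_kerberos.my.domain. IN TXT my.domain.",
                              '_kerberos 86400 IN TXT "MY.DOMAIN"')

if __name__ == "__main__":
    for label, zone in (("as posted", ROB_ZONE), ("corrected", FIXED_ZONE)):
        print(label, check_discovery(parse_zone(zone, "my.domain"), "my.domain", "MY.DOMAIN"))
```

Run against the zone as posted it reports two problems, both on the TXT record (not quoted, and the value does not match the realm); the corrected zone reports none. It only audits the zone text handed to the DNS team; confirming what the resolvers actually serve is still the `dig -t SRV` / `dig -t TXT` step from the reply above.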