[Freeipa-users] Having trouble running FreeIPA with SRV records on externally managed DNS
Petr Spacek
pspacek at redhat.com
Thu Jan 22 13:55:52 UTC 2015
On 22.1.2015 10:44, rob.harper at stfc.ac.uk wrote:
> Hi,
>
> Many thanks to everyone who offered advice on this. My problem appears to be fixed.
>
> My solution was to change the TXT record defining the Kerberos realm to ensure the realm name was in upper case, in quotes, and did not have a trailing period:
> _kerberos.my.domain. IN TXT "GRIDPP.RL.AC.UK"
>
> I'm not sure which of these changes was the critical one (maybe all!), but the upshot is that I can now enrol clients using service discovery.
BTW new version of ipa-client-install will give you more specific error
message if DNS realm and LDAP realm does not match.
Petr^2 Spacek
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>> bounces at redhat.com] On Behalf Of rob.harper at stfc.ac.uk
>> Sent: 19 January 2015 15:54
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on
>> externally managed DNS
>>
>> Hi all,
>>
>> I have successfully set up a test FreeIPA server and run it for a while, but the
>> time has come to move towards a production service. I am currently running
>> ipa-server version 3.0.0-25 on Scientific Linux 6.4 (if you don't know it,
>> Scientific Linux is basically a rebuild of RedHat, much like CentOS). Yes, I
>> know this is an older FreeIPA, but I am going through the path of least
>> resistance given our site's current standard configuration.
>>
>> On our site there is a central DNS service and it is unlikely we will be allowed
>> to run our own DNS service (other than as a slave/cacheing NS).
>>
>> I have been trying to set up SRV records for the FreeIPA server by providing
>> the autogenerated zone file to our DNS manager, who has incorporated the
>> configuration. When we deployed these changes, I used dig to confirm that
>> SRV queries were giving appropriate responses, which they appear to be.
>>
>> I then tried setting up a client using ipa-client-install and got an error:
>>
>> Failed to verify that freeipa01.<munged.domain> is an IPA Server.
>> This may mean that the remote server is not up or is not reachable due to
>> network or firewall settings.
>>
>> The install worked on a client before deploying the SRV records, using
>> manual specification of the server. I disabled iptables on the server to
>> eliminate potential problems there, and got the same result. If we disable
>> the SRV records, I am able to do the manual set-up again.
>>
>> So it looks like the problem is at the DNS end of things, so maybe our zone
>> configuration is missing something.
>>
>> The zone config we currently have in place is as follows (we changed
>> hostnames in the sample file to fqdns for this attempt, but the same
>> symptoms came from bare hostnames)...
>>
>> ; ldap servers
>> _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain.
>> ;
>> ; kerberos realm
>> _kerberos.my.domain. IN TXT my.domain.
>> ;
>> ; kerberos servers
>> _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
>> _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
>> _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
>> _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain.
>> _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
>> _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain.
>> ;
>> ; ntp server
>> _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain.
>>
>>
>> ...So that is where I am. I was hoping that someone could give me a pointer
>> or two as to how I might debug this problem and actually get service
>> discovery working.
>>
>> Many thanks for reading this far!
>>
>> Rob
More information about the Freeipa-users
mailing list