[Freeipa-users] Host aliases in freeipa

Mon Mar 2 13:14:40 UTC 2015

On 2.3.2015 13:29, Roderick Johnstone wrote:
> On 27/02/15 20:04, Simo Sorce wrote:
>> On Fri, 2015-02-27 at 18:59 +0000, Roderick Johnstone wrote:
>>> On 27/02/15 18:33, Simo Sorce wrote:
>>>> On Fri, 2015-02-27 at 18:19 +0000, Roderick Johnstone wrote:
>>>>> Hi
>>>>>
>>>>> I'm trying to migrate of my NIS databases to freeipa and have got to the
>>>>> hosts database.
>>>>>
>>>>> In NIS a typical entry is:
>>>>> ipaddress canonical_name [aliases...]
>>>>>
>>>>> but I don't see how to enter the ipaddress or aliases using the ipa
>>>>> host-* commands. Is that possible?
>>>>>
>>>>> Maybe this is supposed to be done with the ipa dns commands, but I don't
>>>>> want freeipa to control the dns as we have an existing external dns
>>>>> infrastructure to fit into.
>>>>>
>>>>> How should I configure freeipa to do host lookups for aliases like NIS does?
>>>>
>>>> While NIS supports hosts maps, FreeIPA strongly encourages the use of
>>>> DNS, as such we do not have direct means of providing or querying hosts
>>>> maps.
>>>>
>>>> Simo.
>>>>
>>>>
>>>
>>>
>>> ok so I have to see how we can run the freeipa servers as dns servers
>>> alongside the corporate servers for our domain.
>>>
>>> I'm not sure how to proceed since I've no idea what the issues could be.
>>> Can you give me any hints or point to any docs?
>>
>> Is the problem that you cannot add entries to the corporate DNS server ?
>>
>> It is recommended to have a delegation or at least forwarding between
>> name servers to avoid headaches.
>>
>> Simo.
>>
> 
> Simo
> 
> Thanks for your response. We do have delegated access to update to the DNS for
> our domain and also run a couple of name servers ourselves.
> 
> The problem is really my ignorance of what any issues might be with having ipa
> manage more name servers in our domain which contains many hosts that will not
> ipa managed.
> 
> We already have a DNS infrastructure and I have seen the "Benefits of
> integrated DNS" section at http://www.freeipa.org/page/DNS. With regard to
> each bullet point number, my comments and queries are:
> 
> 1) Our clients will have static addresses so this doesn't seem relevant in our
> case.
> 
> 2) In my current testing setup we don't have SRV records because DNS is not
> managed by ipa and ipa seems to work ok.
> 
> I guess we will need to add SRV records to our DNS manually when we bring on
> line some ipa server replicas, so there could be a win here although I
> wouldn't anticipate the replicas changing much, so maybe this is a one-off
> manual setup without ipa managing DNS. Did I understand this correctly?

Well, SRV records should be *always* present. It is possible to make it work
without them (as you did) but AFAIK such setup not tested by us and is not
supported (in RHEL).

Also, by manual configuration you are losing things like failover between
replicas / ability to add-remove replicas at will without client reconfiguration.

Please note that you can add SRV records to your DNS servers without any need
to introduce IPA DNS servers.

> 3) We do not have any AD to trust, at least for the forseeable future so this
> does not seem relevant in our sitution.
> 
> 4) I'm not sure about this one. Things seem to work at the moment. Is this
> again about managing the records more easily when we bring on line replica
> servers?

Yes. IPA DNS servers bring convenience but it is not mandatory in any way
(especially if you do not want to use dynamic updates).

> Thanks for any clarification or pointers to docs or discussion that you can
> offer.

Have a nice day!

-- 
Petr^2 Spacek