[Freeipa-users] Setup of SRV records for new domains
Brian Topping
brian.topping at gmail.com
Mon May 4 12:59:55 UTC 2015
Ah, thanks! I see what's going on now. That helps a lot.
I think what I was missing was the reluctance for IPA to serve domains that are not proper TLDs. I generally maintain internal security domains with an invented TLD since they are secure by definition. When I tried that today, it was unable to auto discover on this domain and I attributed it to the lack of SRV records.
Thanks for setting me straight!
Brian
> On May 4, 2015, at 3:43 PM, Petr Spacek <pspacek at redhat.com> wrote:
>
> On 4.5.2015 10:23, Brian Topping wrote:
>> On second view, I think my brain misfiled this. Maybe the records were
>> not set up automatically; another DNS domain I thought had the records in
>> fact does not.
>>
>> As a feature request, it seems like if a domain is added to "Domain
>> Realms", it should also get the appropriate records for client
>> autodiscovery.
>
> It is actually not necessary to create all the SRV records in all domains.
>
> Client auto-discovery is using the TXT record which is added automatically
> and the _kerberos TXT record is like 'redirect'.
>
> The procedure is:
> - client client1.sub.example.com. searches for record
> _kerberos.sub.example.com TXT
> - _kerberos.sub.example.com TXT contains realm name "EXAMPLE.COM"
> - now the client knows that all the SRV records are inside example.com. domain
> - SRV records from example.com. are used from now on
>
> AFAIK this is very standard Kerberos behavior so it should work for all
> standard-compliant clients.
>
> Petr^2 Spacek
>
>> Cheers, Brian
>>
>>> On May 4, 2015, at 3:03 PM, Brian Topping <brian.topping at gmail.com>
>>> wrote:
>>>
>>> I just added a new domain and didn't see the SRV records added for it.
>>> There is a TXT record, but none of the SRV records that are in other
>>> DNS domains.
>>>
>>> After going to the "Realm Domains" tab of the "IPA Server"
>>> configuration, I see that the new domain was already added there, so I
>>> removed it and added it back, hoping that might cause the SRV records
>>> to be added, but no luck.
>>>
>>> Any ideas what I should check for?
>>>
>>> Thanks, Brian
>
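The lookup Petr describes, as an added Python example that is not code from the thread or from the FreeIPA project. It runs offline against a constructed in-memory record table that mirrors the example.com layout above; the KDC hostnames ipa1.example.com and ipa2.example.com and the lab.internal domain are hypothetical. It goes slightly beyond the single lookup in the thread: it walks up parent domains looking for the _kerberos TXT "redirect", then fetches the realm domain's _kerberos SRV records and orders them by priority and weight as RFC 2782 prescribes, and it reports a clear failure when a domain (such as an invented TLD) carries no TXT record at all.

```python
"""Kerberos realm discovery: _kerberos TXT redirect, then SRV in the realm domain."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed stand-in for DNS answers, keyed by (owner name, record type).
# Only example.com carries SRV records; sub.example.com carries just the TXT
# redirect, exactly the situation discussed in the thread. Hostnames are hypothetical.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("_kerberos.sub.example.com", "TXT"): ["EXAMPLE.COM"],
    ("_kerberos.example.com", "TXT"): ["EXAMPLE.COM"],
    ("_kerberos._udp.example.com", "SRV"): [
        "0 100 88 ipa1.example.com.",
        "10 50 88 ipa2.example.com.",
    ],
    ("_kerberos._tcp.example.com", "SRV"): [
        "0 100 88 ipa1.example.com.",
    ],
}


class Kdc(NamedTuple):
    target: str
    port: int
    proto: str
    priority: int
    weight: int


def query(name: str, rtype: str) -> List[str]:
    """Return rdata strings for name/rtype from the constructed table (no network)."""
    return list(FAKE_DNS.get((name.rstrip(".").lower(), rtype), []))


def discover_realm(client_fqdn: str) -> Optional[str]:
    """Find the realm by asking for _kerberos.<domain> TXT, walking up parent domains.

    Starts at the client's own name and strips one label per step; the bare TLD
    is not queried. Returns None when no domain above the client has the record.
    """
    labels = client_fqdn.rstrip(".").lower().split(".")
    for i in range(0, len(labels) - 1):
        domain = ".".join(labels[i:])
        answers = query(f"_kerberos.{domain}", "TXT")
        if answers:
            return answers[0].strip('"')
    return None


_SRV_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def find_kdcs(realm: str) -> List[Kdc]:
    """Fetch _kerberos._udp/_tcp SRV records from the realm's domain, ordered for use."""
    domain = realm.lower()  # realm EXAMPLE.COM -> DNS domain example.com
    found: List[Kdc] = []
    for proto in ("udp", "tcp"):
        for rdata in query(f"_kerberos._{proto}.{domain}", "SRV"):
            m = _SRV_RE.match(rdata.strip())
            if not m:
                continue  # ignore malformed answers instead of trusting them
            prio, weight, port, target = m.groups()
            found.append(Kdc(target.rstrip("."), int(port), proto, int(prio), int(weight)))
    # RFC 2782: lowest priority first; within a priority, higher weight preferred.
    found.sort(key=lambda k: (k.priority, -k.weight))
    return found


def locate_kdcs(client_fqdn: str) -> Tuple[str, List[Kdc]]:
    """Full client-side procedure: TXT redirect, then SRV records from the realm domain."""
    realm = discover_realm(client_fqdn)
    if realm is None:
        raise LookupError(f"no _kerberos TXT record found at or above {client_fqdn}")
    kdcs = find_kdcs(realm)
    if not kdcs:
        raise LookupError(f"realm {realm} has no _kerberos SRV records")
    return realm, kdcs


if __name__ == "__main__":
    print(locate_kdcs("client1.sub.example.com"))
```

To check the same thing against a real IPA-managed zone, the equivalent queries are `dig +short _kerberos.sub.example.com TXT` (expect the realm name) and `dig +short _kerberos._udp.example.com SRV` (expect the KDC targets); an auto-discovery failure on a private TLD shows up as an empty answer to the first query, which is the case the `LookupError` above covers.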