[Freeipa-users] Configure IPA Server work with Multiple domain Env
Dewangga Bachrul Alam
dewanggaba at xtremenitro.org
Wed May 20 10:38:32 UTC 2015
Hello!
On 05/20/2015 05:30 PM, Martin Kosek wrote:
> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> I've tried to setup my IPA server to work on multiple domain env, for
>> example, I have 20 instances/servers using mydomain.co.id and I have
>> another 10 instances/servers using mydomain.com, and I want to manage both of
>> them on the same IPA server.
>
> This is fine. If the alternate domain contains the "_kerberos.domain.com" DNS
> TXT record with the realm, Kerberos clients should be able to find the right IPA
> server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA
> versions add this record to owned DNS zones automatically.
The TXT record looks like this:
$ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
.. some content skipped ..
$ORIGIN mydomain.com.
_kerberos TXT "MYDOMAIN.CO.ID"
joyoboyo A 103.xx.yy.98
liquid A 103.xx.yy.100
Should I change it? Or leave it as is?
>> On an instance with mydomain.com, I've set up and pointed my DNS to the IPA
>> server; DNS discovery failed, but if I entered the IPA server
>> address manually, the setup was successful.
>
> If autodiscovery with hosts in your alternate domain does not work, you can
> also use just
>
> # ipa-client-install --domain main.ipa.domain.com
>
> and it should find the IPA server.
>
>>
>> ---
>> [root at joyoboyo ~]# getent passwd dewangga
>> dewangga:*:940000001:940000001:Dewangga Alam:/home/dewangga:/bin/bash
>> [root at joyoboyo ~]# uname -a
>> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15
>> 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>> ---
>>
>> Is it normal? Or is there another configuration in krb5.conf? I found
>> something interesting in the [domain_realm] section, but before I change
>> it, I'd better ask the mailing list.
>
> What I see above looks normal to me. [domain_realm] manual mapping can be used
> if you have DNS autodiscovery disabled or you miss the DNS TXT record for
> Kerberos, IIRC.
>
>>
>> Thanks for any help and comments, this is my first time configuring an IPA
>> server :D
>
> Good, I hope you like it :-)
>
And what if I set up a replica IPA server, will mydomain.com be
distributed to the other replicated IPA server?
Thanks
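As an added example for this thread (not code from the original posts or from the FreeIPA project), the script below does the two things Martin's reply hinges on: it reads a BIND-style zone dump like the one quoted above and reports, per $ORIGIN, whether the _kerberos TXT record names the realm the IPA server serves, and it emits the [domain_realm] stanza that krb5.conf needs as a fallback when DNS discovery is off or the TXT record is missing. The zone text, realm name and addresses are constructed sample data, not the poster's real zone.

```python
"""Check _kerberos TXT records per zone and build a krb5.conf [domain_realm] fallback.

Added example for the thread above; not FreeIPA project code.
"""
import re
from typing import Dict, Iterable, Optional

# Constructed sample resembling a dyndb-ldap raw zone dump. Names and
# addresses are placeholders (RFC 5737 range), not real hosts.
SAMPLE_ZONE_DUMP = """\
$ORIGIN mydomain.co.id.
_kerberos TXT "MYDOMAIN.CO.ID"
ipa A 192.0.2.10
$ORIGIN mydomain.com.
_kerberos TXT "MYDOMAIN.CO.ID"
joyoboyo A 192.0.2.98
liquid A 192.0.2.100
$ORIGIN other.example.
_kerberos TXT "OTHER.EXAMPLE"
$ORIGIN norecord.example.
www A 192.0.2.200
"""

# Matches "_kerberos [ttl] [IN] TXT "REALM"" in a zone line.
_KRB_TXT = re.compile(r'^_kerberos\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"([^"]+)"', re.IGNORECASE)


def parse_kerberos_txt(zone_text: str) -> Dict[str, Optional[str]]:
    """Return {zone: realm} for every $ORIGIN in the dump; None if no _kerberos TXT."""
    zones: Dict[str, Optional[str]] = {}
    origin: Optional[str] = None
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blanks and comments
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            zones.setdefault(origin, None)
            continue
        if origin is None:
            continue  # records before any $ORIGIN are ignored
        match = _KRB_TXT.match(line)
        if match:
            zones[origin] = match.group(1)
    return zones


def check_realm(zones: Dict[str, Optional[str]], expected_realm: str) -> Dict[str, str]:
    """Classify each zone as 'ok', 'missing' (no TXT) or 'mismatch:<realm>'."""
    result = {}
    for zone, realm in zones.items():
        if realm is None:
            result[zone] = "missing"
        elif realm.upper() == expected_realm.upper():
            result[zone] = "ok"
        else:
            result[zone] = f"mismatch:{realm}"
    return result


def domain_realm_stanza(domains: Iterable[str], realm: str) -> str:
    """Build the [domain_realm] block mapping each domain (and its subdomains) to realm."""
    lines = ["[domain_realm]"]
    for domain in sorted(d.lower() for d in domains):
        lines.append(f"  .{domain} = {realm}")  # hosts under the domain
        lines.append(f"  {domain} = {realm}")   # the domain name itself
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_kerberos_txt(SAMPLE_ZONE_DUMP)
    for zone, status in check_realm(found, "MYDOMAIN.CO.ID").items():
        print(f"{zone:20} {status}")
    # Fallback mapping for the zones that should belong to the realm.
    print(domain_realm_stanza(["mydomain.co.id", "mydomain.com"], "MYDOMAIN.CO.ID"))
```

Run against a real dump (`cat .../raw | python3 check.py` after swapping SAMPLE_ZONE_DUMP for stdin) to see which zones would let a client discover the KDC and which would need the [domain_realm] entries. Zones reported as "ok" match what Martin describes: clients in that domain with DNS discovery enabled find the realm's KDC without a manual server address.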