[Freeipa-users] Configure IPA Server work with Multiple domain Env

Martin Kosek mkosek at redhat.com
Wed May 20 10:42:46 UTC 2015


On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote:
> Hello!
> 
> On 05/20/2015 05:30 PM, Martin Kosek wrote:
>> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> I've tried to set up my IPA server to work in a multiple-domain env; for
>>> example, I have 20 instances/servers using mydomain.co.id and
>>> another 10 instances/servers using mydomain.com, and I want to manage both of
>>> them on the same IPA server.
>>
>> This is fine. If the alternate domain contains the "_kerberos.domain.com" DNS
>> TXT record with the realm, Kerberos clients should be able to find the right IPA
>> server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA
>> versions add this record to owned DNS zones automatically.
> 
> The TXT record looks like this:
> 
> $ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
> 
> .. some content skipped ..
> 
> $ORIGIN mydomain.com.
> _kerberos		TXT	"MYDOMAIN.CO.ID"
> joyoboyo		A	103.xx.yy.98
> liquid			A	103.xx.yy.100
> 
> Should I change it? Or leave it as is?

If this is the alternate DNS domain (REALM != DNS domain name), this should be
fine and the Kerberos client should be able to tell which KDC/realm is responsible
for this domain.

>>> On an instance in mydomain.com, I've set up and pointed my DNS to the IPA
>>> server; DNS discovery failed, but if I entered the IPA server
>>> address manually, the setup succeeded.
>>
>> If autodiscovery with hosts in your alternate domain does not work, you can
>> also use just
>>
>> # ipa-client-install --domain main.ipa.domain.com
>>
>> and it should find the IPA server.
>>
>>>
>>> ---
>>> [root at joyoboyo ~]# getent passwd dewangga
>>> dewangga:*:940000001:940000001:Dewangga Alam:/home/dewangga:/bin/bash
>>> [root at joyoboyo ~]# uname -a
>>> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15
>>> 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>> ---
>>>
>>> Is this normal? Or is there another configuration in krb5.conf? I found
>>> something interesting in the [domain_realm] section, but before I change
>>> it, I'd better ask the mailing list.
>>
>> What I see above looks normal to me. [domain_realm] manual mapping can be used
>> if you have DNS autodiscovery disabled or are missing the DNS TXT record for
>> Kerberos, IIRC.
>>
>>>
>>> Thanks for any help and comments; this is my first time configuring an IPA
>>> server :D
>>
>> Good, I hope you like it :-)
>>
> 
> And if I set up a replica IPA server, will mydomain.com be
> distributed to the other replicated IPA server?

Yup, all IPA data are replicated between masters.
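As an added example, not code from the thread or from FreeIPA: a small checker that reads the dyndb-ldap raw zone format quoted above, extracts the per-domain `_kerberos` TXT realm hints (honouring `$ORIGIN`), reports domains that lack one (the case where client DNS discovery fails), and renders the equivalent krb5.conf `[domain_realm]` fallback that the reply mentions. The zone text, domain names and addresses are constructed sample data.

```python
import re

# Constructed sample in the shape of the dyndb-ldap raw zone file quoted in the
# thread (placeholder addresses, not real hosts).
SAMPLE_ZONE = """\
$ORIGIN mydomain.com.
_kerberos\t\tTXT\t"MYDOMAIN.CO.ID"
joyoboyo\t\tA\t192.0.2.98
liquid\t\t\tA\t192.0.2.100
$ORIGIN mydomain.co.id.
_kerberos\t\tTXT\t"MYDOMAIN.CO.ID"
"""

# owner [ttl] [class] TXT "realm"  (TTL and class are optional in zone files)
TXT_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"([^"]*)"', re.I)

def parse_kerberos_txt(zone_text):
    """Map DNS domain -> Kerberos realm from _kerberos TXT records, honouring $ORIGIN."""
    origin, mapping = None, {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments / blank lines
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        m = TXT_RE.match(line)
        if not m:
            continue
        owner, realm = m.group(1).lower(), m.group(2)
        if owner.endswith("."):                       # absolute owner name
            fqdn = owner.rstrip(".")
        elif origin:                                  # relative to current $ORIGIN
            fqdn = origin if owner == "@" else f"{owner}.{origin}"
        else:
            continue                                  # relative name, no origin yet
        if fqdn.startswith("_kerberos."):
            mapping[fqdn[len("_kerberos."):]] = realm
    return mapping

def domain_realm_stanza(mapping):
    """Render the krb5.conf [domain_realm] fallback for hosts that cannot use
    DNS discovery: one entry for the domain and one for its subdomains."""
    lines = ["[domain_realm]"]
    for domain in sorted(mapping):
        lines.append(f" .{domain} = {mapping[domain]}")
        lines.append(f" {domain} = {mapping[domain]}")
    return "\n".join(lines) + "\n"

def missing_realm_records(mapping, domains):
    """Domains with no _kerberos TXT record, i.e. where discovery would fail."""
    return [d for d in domains if d.lower().rstrip(".") not in mapping]
```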
