[Freeipa-users] Configure IPA Server work with Multiple domain Env

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Wed May 20 10:56:31 UTC 2015


Thanks Martin,

Better I leave the configuration as is :D

So, if I want to add another domain, I just add them and point them to the master
IPA Server, right? And add the DNS zone, A records, etc. on the IPA server using
`ipa dnsrecord-add`.

Isn't it?

On 05/20/2015 05:42 PM, Martin Kosek wrote:
> On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote:
>> Hello!
>>
>> On 05/20/2015 05:30 PM, Martin Kosek wrote:
>>> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> I've tried to setup my IPA server to work on multiple domain env, for
>>>> the example, I have 20 instance/servers using mydomain.co.id then I have
>>>> another 10 instance/servers using mydomain.com, I want to manage both of
>>>> them on same IPA server.
>>>
>>> This is fine. If the alternate domain contains the "_kerberos.domain.com" DNS
>>> TXT record with the realm, the Kerberos client should be able to find the right IPA
>>> server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA
>>> versions add this record to owned DNS zones automatically.
>>
>> TXT record said like this :
>>
>> $ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
>>
>> .. some content skipped ..
>>
>> $ORIGIN mydomain.com.
>> _kerberos		TXT	"MYDOMAIN.CO.ID"
>> joyoboyo		A	103.xx.yy.98
>> liquid			A	103.xx.yy.100
>>
>> Should I change it? Or leave it as is?
> 
> If this is the alternate DNS domain (REALM != DNS domain name), this should be
> fine and Kerberos client should be able to tell which KDC/realm is responsible
> for this domain.
> 
>>>> On an instance with mydomain.com, I've set up and pointed my DNS to the IPA
>>>> Server; the DNS discovery failed, but if I entered the IPA server
>>>> address manually, the setup was successful.
>>>
>>> If autodiscovery with hosts in your alternate domain does not work, you can
>>> also use just
>>>
>>> # ipa-client-install --domain main.ipa.domain.com
>>>
>>> and it should find the IPA server.
>>>
>>>>
>>>> ---
>>>> [root at joyoboyo ~]# getent passwd dewangga
>>>> dewangga:*:940000001:940000001:Dewangga Alam:/home/dewangga:/bin/bash
>>>> [root at joyoboyo ~]# uname -a
>>>> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15
>>>> 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>> ---
>>>>
>>>> Is it normal? Or is there another configuration in krb5.conf? I found
>>>> something interesting in the [domain_realm] section, but before I change
>>>> it, better I ask the mailing list.
>>>
>>> What I see above looks normal to me. [domain_realm] manual mapping can be used
>>> if you have DNS autodiscovery disabled or you miss the DNS TXT record for
>>> Kerberos, IIRC.
>>>
>>>>
>>>> Thanks for any help and comments, this is my first time to configure IPA
>>>> Server :D
>>>
>>> Good, I hope you like it :-)
>>>
>>
>> And if I set up a replica IPA server, will mydomain.com be
>> distributed to the other replicated IPA server?
> 
> Yup, all IPA data are replicated between masters.
> 
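As an added example, not code from the thread or from FreeIPA, here is a small Python check for the situation discussed above: it parses a zone dump in the format of the quoted `raw` file, collects each domain's `_kerberos` TXT record, flags domains whose record does not name the expected realm, and emits the equivalent krb5.conf [domain_realm] mapping that Martin mentions as the fallback when DNS discovery is disabled. The zone content, hostnames and addresses are constructed placeholders.

```python
import re

# Constructed zone snippet modelled on the bind-dyndb-ldap "raw" dump quoted
# in the thread; hostnames and addresses are placeholders, not real hosts.
SAMPLE_ZONE = """\
$ORIGIN mydomain.com.
_kerberos\t\tTXT\t"MYDOMAIN.CO.ID"
joyoboyo\t\tA\t103.0.2.98
liquid\t\t\tA\t103.0.2.100
$ORIGIN mydomain.co.id.
_kerberos\t\tTXT\t"MYDOMAIN.CO.ID"
ipa\t\tA\t103.0.2.10
"""

def realm_txt_records(zone_text):
    """Return {dns_domain: realm} for every _kerberos TXT record found,
    tracking $ORIGIN so relative owner names land in the right zone."""
    origin = None
    mapping = {}
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        # TTL and class are optional in zone files, so accept them if present.
        m = re.match(r'^_kerberos\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"([^"]+)"', line, re.I)
        if m and origin:
            mapping[origin] = m.group(1)
    return mapping

def check_realm(zone_text, expected_realm):
    """Domains whose _kerberos TXT record does not name the expected realm;
    a client in such a domain would fail DNS-based realm discovery."""
    found = realm_txt_records(zone_text)
    return sorted(d for d, r in found.items() if r != expected_realm)

def domain_realm_stanza(zone_text):
    """krb5.conf [domain_realm] fallback equivalent to the TXT records,
    for clients that cannot or do not use DNS realm lookup."""
    lines = ["[domain_realm]"]
    for domain, realm in sorted(realm_txt_records(zone_text).items()):
        lines.append(f"  .{domain} = {realm}")
        lines.append(f"  {domain} = {realm}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(realm_txt_records(SAMPLE_ZONE))
    print(check_realm(SAMPLE_ZONE, "MYDOMAIN.CO.ID"))
    print(domain_realm_stanza(SAMPLE_ZONE))
```

On a live server the same check can be fed the output of `dig +short _kerberos.<domain> TXT` instead of the dump file.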