[Freeipa-users] Configure IPA Server work with Multiple domain Env

Petr Spacek pspacek at redhat.com
Wed May 20 11:02:34 UTC 2015


On 20.5.2015 12:56, Dewangga Bachrul Alam wrote:
> Thanks Martin,
> 
> Better I leave the configuration as is :D
> 
> So, if I want to add another domain, I just add it and point it to the master
> IPA server, right? And add the DNS zone, A records, etc. on the IPA server by using
> `ipa dnsrecord-add`.
> 
> Isn't it?

Yes, + you have to add an NS record *to the parent zone* so all clients know
which servers are responsible for the new domain.

Petr^2 Spacek

> 
> On 05/20/2015 05:42 PM, Martin Kosek wrote:
>> On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote:
>>> Hello!
>>>
>>> On 05/20/2015 05:30 PM, Martin Kosek wrote:
>>>> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>>>>> Hello!
>>>>>
>>>>> I've tried to set up my IPA server to work in a multiple domain env. For
>>>>> example, I have 20 instances/servers using mydomain.co.id, then I have
>>>>> another 10 instances/servers using mydomain.com, and I want to manage both of
>>>>> them on the same IPA server.
>>>>
>>>> This is fine. If the alternate domain contains the "_kerberos.domain.com" DNS
>>>> TXT record with the realm, the Kerberos client should be able to find the right IPA
>>>> server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA
>>>> versions add this record to owned DNS zones automatically.
>>>
>>> The TXT record looks like this:
>>>
>>> $ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
>>>
>>> .. some content skipped ..
>>>
>>> $ORIGIN mydomain.com.
>>> _kerberos		TXT	"MYDOMAIN.CO.ID"
>>> joyoboyo		A	103.xx.yy.98
>>> liquid			A	103.xx.yy.100
>>>
>>> Should I change it? Or leave it as is?
>>
>> If this is the alternate DNS domain (REALM != DNS domain name), this should be
>> fine and the Kerberos client should be able to tell which KDC/realm is responsible
>> for this domain.
>>
>>>>> On the instance in mydomain.com, I set up and pointed my DNS to the IPA
>>>>> server; DNS discovery failed, but if I entered the IPA server
>>>>> address manually, the setup was successful.
>>>>
>>>> If autodiscovery with hosts in your alternate domain does not work, you can
>>>> also use just
>>>>
>>>> # ipa-client-install --domain main.ipa.domain.com
>>>>
>>>> and it should find the IPA server.
>>>>
>>>>>
>>>>> ---
>>>>> [root at joyoboyo ~]# getent passwd dewangga
>>>>> dewangga:*:940000001:940000001:Dewangga Alam:/home/dewangga:/bin/bash
>>>>> [root at joyoboyo ~]# uname -a
>>>>> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15
>>>>> 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>> ---
>>>>>
>>>>> Is it normal? Or is there another configuration in krb5.conf? I found
>>>>> something interesting in the [domain_realm] section, but before I change
>>>>> it, I'd better ask the mailing list.
>>>>
>>>> What I see above looks normal to me. [domain_realm] manual mapping can be used
>>>> if you have DNS autodiscovery disabled or you are missing the DNS TXT record for
>>>> Kerberos, IIRC.
>>>>
>>>>>
>>>>> Thanks for any help and comments, this is my first time configuring an IPA
>>>>> server :D
>>>>
>>>> Good, I hope you like it :-)
>>>>
>>>
>>> And what if I set up a replica IPA server, will mydomain.com be
>>> distributed to the other replicated IPA server?
>>
>> Yup, all IPA data are replicated between masters.
>>
> 


-- 
Petr^2 Spacek
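An added example, not part of the thread or of FreeIPA: an offline model of how an MIT krb5 client maps a hostname in an alternate DNS domain to its realm (in libkrb5's order: the [domain_realm] section the original poster found, then `_kerberos` TXT records when `dns_lookup_realm` is on, then an optional uppercase-domain guess), plus the NS delegation check Petr asks for. The zone data is constructed to mirror the thread; the IPA master name and address are assumed placeholders and no real DNS is queried.

```python
# Added example (not from the thread): offline model of krb5 realm discovery
# for a host in an alternate DNS domain, and of the NS delegation the parent
# zone needs. Zone data is constructed to mirror the thread; the master's
# name and the address are placeholders, nothing here talks to real DNS.

CONSTRUCTED_DNS = {
    # alternate domain owned by IPA: the TXT record names the realm, as in the thread
    ("_kerberos.mydomain.com.", "TXT"): ["MYDOMAIN.CO.ID"],
    ("joyoboyo.mydomain.com.", "A"): ["192.0.2.98"],        # placeholder address
    # primary domain, whose name matches the realm
    ("_kerberos.mydomain.co.id.", "TXT"): ["MYDOMAIN.CO.ID"],
    # delegation in the parent zone, the record Petr says must exist
    # (the IPA master's name is assumed; it is not given in the thread)
    ("mydomain.com.", "NS"): ["ipa.mydomain.co.id."],
}

def lookup(records, name, rtype):
    """Return the RRset for (name, rtype) from the constructed table, or []."""
    return records.get((name.lower().rstrip(".") + ".", rtype), [])

def suffixes(hostname):
    """host.a.b -> ['host.a.b', 'a.b', 'b']: the label walk krb5 performs."""
    labels = hostname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def discover_realm(hostname, records, domain_realm=None, domain_fallback=False):
    """Return the realm for hostname, or None if nothing maps it."""
    walk = suffixes(hostname)
    # 1. krb5.conf [domain_realm]: exact host first, then '.suffix' entries
    mapping = {k.lower(): v for k, v in (domain_realm or {}).items()}
    for i, s in enumerate(walk):
        realm = mapping.get(s if i == 0 else "." + s)
        if realm:
            return realm
    # 2. DNS (dns_lookup_realm): _kerberos.<host>, then each parent suffix
    for s in walk:
        txt = lookup(records, "_kerberos." + s, "TXT")
        if txt:
            return txt[0]
    # 3. optional guess: the host's domain uppercased (krb5 'domain' module)
    return walk[1].upper() if domain_fallback and len(walk) > 1 else None

def delegated_to(zone, records):
    """NS names the parent zone publishes for zone; [] means no delegation,
    so resolvers outside IPA's own servers cannot find the new domain."""
    return lookup(records, zone, "NS")
```

Without the TXT record and the NS delegation, `discover_realm` and `delegated_to` return `None` and `[]` respectively, which is the failure the original poster saw with DNS discovery.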
