[Freeipa-users] Configure IPA Server work with Multiple domain Env

Dewangga Bachrul Alam dewanggaba at xtremenitro.org
Wed May 20 11:09:17 UTC 2015


Yes, of course.
I will add an NS record to the parent zone if my IPA server is ready for
production. :D

Thanks for any comments and help.
Cheers! :)

On 05/20/2015 06:02 PM, Petr Spacek wrote:
> On 20.5.2015 12:56, Dewangga Bachrul Alam wrote:
>> Thanks Martin,
>>
>> Better I leave the configuration as is :D
>>
>> So, if I want to add another domain, I just add and point them to the master
>> IPA Server, right? And add the DNS Zone, A Rec, etc. on the IPA server by using
>> `ipa dnsrecord-add`.
>>
>> Isn't it?
> 
> Yes, + you have to add NS record *to the parent zone* so all clients know
> which servers are responsible for the new domain.
> 
> Petr^2 Spacek
> 
>>
>> On 05/20/2015 05:42 PM, Martin Kosek wrote:
>>> On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote:
>>>> Hello!
>>>>
>>>> On 05/20/2015 05:30 PM, Martin Kosek wrote:
>>>>> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote:
>>>>>> Hello!
>>>>>>
>>>>>> I've tried to setup my IPA server to work on multiple domain env, for
>>>>>> the example, I have 20 instance/servers using mydomain.co.id then I have
>>>>>> another 10 instance/servers using mydomain.com, I want to manage both of
>>>>>> them on same IPA server.
>>>>>
>>>>> This is fine. If the alternate domain contains the "_kerberos.domain.com" DNS
>>>>> TXT record with the realm, the Kerberos client should be able to find the right IPA
>>>>> server/KDC to talk to (if they have DNS discovery enabled). Recent FreeIPA
>>>>> versions add this record to owned DNS zones automatically.
>>>>
>>>> The TXT record says this:
>>>>
>>>> $ cat /var/named/dyndb-ldap/ipa/master/kincir.com/raw
>>>>
>>>> .. some content skipped ..
>>>>
>>>> $ORIGIN mydomain.com.
>>>> _kerberos		TXT	"MYDOMAIN.CO.ID"
>>>> joyoboyo		A	103.xx.yy.98
>>>> liquid			A	103.xx.yy.100
>>>>
>>>> Should I change it? Or leave it as is?
>>>
>>> If this is the alternate DNS domain (REALM != DNS domain name), this should be
>>> fine and Kerberos client should be able to tell which KDC/realm is responsible
>>> for this domain.
>>>
>>>>>> On the instance with mydomain.com, I've set up and pointed my DNS to the IPA
>>>>>> Server; the DNS discovery failed, but if I entered the IPA server
>>>>>> address manually, the setup was successful.
>>>>>
>>>>> If autodiscovery with hosts in your alternate domain does not work, you can
>>>>> also use just
>>>>>
>>>>> # ipa-client-install --domain main.ipa.domain.com
>>>>>
>>>>> and it should find the IPA server.
>>>>>
>>>>>>
>>>>>> ---
>>>>>> [root at joyoboyo ~]# getent passwd dewangga
>>>>>> dewangga:*:940000001:940000001:Dewangga Alam:/home/dewangga:/bin/bash
>>>>>> [root at joyoboyo ~]# uname -a
>>>>>> Linux joyoboyo.mydomain.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15
>>>>>> 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>>> ---
>>>>>>
>>>>>> Is it normal? Or is there another configuration in krb5.conf? I found
>>>>>> something interesting in the [domain_realm] section, but before I change
>>>>>> it, better I ask the mailing list.
>>>>>
>>>>> What I see above looks normal to me. [domain_realm] manual mapping can be used
>>>>> if you have DNS autodiscovery disabled or you miss the DNS TXT record for
>>>>> Kerberos, IIRC.
>>>>>
>>>>>>
>>>>>> Thanks for any help and comments, this is my first time configuring an IPA
>>>>>> Server :D
>>>>>
>>>>> Good, I hope you like it :-)
>>>>>
>>>>
>>>> And what if I set up a replica IPA server, will mydomain.com be
>>>> distributed to the other replicated IPA server?
>>>
>>> Yup, all IPA data are replicated between masters.
>>>
>>
> 
> 
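The thread turns on two things: whether each alternate DNS zone carries the `_kerberos` TXT record that lets clients discover the realm, and the `[domain_realm]` manual mapping in krb5.conf as the fallback when it does not. The following is an added example, not code from the thread or from FreeIPA itself: it parses a constructed zone dump in the style of the `raw` file quoted above, reports zones that lack the TXT record, and renders the krb5.conf `[domain_realm]` stanza for every zone. The zone names, addresses and the `default_realm` parameter are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the style of the dyndb-ldap raw zone dump quoted in
# the thread. other.example deliberately has no _kerberos TXT record.
SAMPLE_ZONES = """
$ORIGIN mydomain.com.
_kerberos\t\tTXT\t"MYDOMAIN.CO.ID"
joyoboyo\t\tA\t192.0.2.98
liquid\t\t\tA\t192.0.2.100
$ORIGIN other.example.
www\t\t\tA\t198.51.100.10
"""

def parse_kerberos_txt(zone_text: str) -> Dict[str, Optional[str]]:
    """Map each $ORIGIN zone to the realm named in its _kerberos TXT record,
    or to None when the zone has no such record."""
    realms: Dict[str, Optional[str]] = {}
    origin: Optional[str] = None
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            realms.setdefault(origin, None)
            continue
        if origin is None:
            continue
        # Optional TTL and class are tolerated: _kerberos [ttl] [IN] TXT "REALM"
        m = re.match(r'^_kerberos\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+"([^"]+)"', line, re.I)
        if m:
            realms[origin] = m.group(1)
    return realms

def zones_missing_txt(realms: Dict[str, Optional[str]]) -> List[str]:
    """Zones where DNS discovery of the realm cannot work."""
    return sorted(zone for zone, realm in realms.items() if realm is None)

def domain_realm_stanza(realms: Dict[str, Optional[str]], default_realm: str) -> str:
    """krb5.conf [domain_realm] lines: zones with a TXT record map to the realm
    it names; zones without one fall back to default_realm (assumed)."""
    lines = ["[domain_realm]"]
    for zone in sorted(realms):
        realm = realms[zone] or default_realm
        lines.append(f"    .{zone} = {realm}")
        lines.append(f"    {zone} = {realm}")
    return "\n".join(lines)
```

Running `parse_kerberos_txt(SAMPLE_ZONES)` against a real `raw` dump in place of the constructed sample gives the same per-zone check; the stanza is only needed on clients that have DNS discovery disabled or query a zone without the record.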
