[Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.
Brian Candler
b.candler at pobox.com
Thu Dec 22 16:53:01 UTC 2016
On 20/12/2016 08:07, Petr Spacek wrote:
> I've tried to clarify things in man pages and on web as well. Please have a
> look to changes and let us know if it is better or not, and preferably what
> can be improved and in which way
>
> The modified deployment page is here:
> http://www.freeipa.org/page/Deployment_Recommendations
>
> Man page changes and changes in description of installer options are here:
> https://github.com/freeipa/freeipa/pull/352
Thank you for working on this.
This is getting clearer, but I would like to expand a little more.
(1) This introduces a concept of an "IPA Primary Domain". Is that just
the DNS domain which holds the SRV records which point to the realm's
kerberos/ldap servers, or does it have any other function? In other
words, what other effects would there be from choosing a different IPA
Primary Domain?
Let me give a specific example.
- IPA server hostname is ipa.foo.example.com
- I want to create kerberos realm BAR.EXAMPLE.COM
Which IPA primary domain should I choose?
The expected place for SRV records for realm BAR.EXAMPLE.COM would be in
the DNS under domain bar.example.com. So I'm thinking that "--domain
bar.example.com" is the right thing - and can't think why you'd ever
want to do anything else.
(2) I'm trying to work out how --domain, --realm, --server and
systemhostname influence each other, if one or more is not provided.
For ipa-server-install, testing suggests:
* --domain defaults to the domain part of the system hostname
* --realm defaults to the uppercased --domain
* (--server is obviously itself :-)
For ipa-client-install it seems a bit more complex. Based on the
manpage, I believe the sequence is something like this:
* If --domain is not specified, then it's the domain from the system
hostname
* If --server is not specified, then it hunts for servers based on the
--domain (looking in that domain and its parents until suitable SRV
records are found)
* If --realm is not specified, then it sends a query to the --server(s)
to ask what realm they are in
But the manpage says you can specify both --server and --domain:
"Client machine can also be configured without a DNS autodiscovery at all. When both --server and --domain options are used, client installer will use the specified server and domain directly."
In that case, I can't see what the --domain is used for here, if its
only purpose is to locate servers (and you've already told it which
--server to use).
Thanks,
Brian.
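The option precedence described in the post above, modelled as an added example (not code from the original post or from FreeIPA itself) in Python over a constructed in-memory DNS table, so it runs offline. `FAKE_DNS`, `FAKE_SERVER_REALM` and all function names are assumptions, and "asking the server which realm it is in" is a stand-in table lookup rather than a real query.

```python
# Constructed SRV data: owner name -> list of (priority, weight, port, target).
# Only bar.example.com carries the realm's records, as in the scenario above.
FAKE_DNS = {
    "_ldap._tcp.bar.example.com.": [(0, 100, 389, "ipa.foo.example.com.")],
    "_kerberos._tcp.bar.example.com.": [(0, 100, 88, "ipa.foo.example.com.")],
}
# Constructed stand-in for "ask the server which realm it is in" (no real query).
FAKE_SERVER_REALM = {"ipa.foo.example.com": "BAR.EXAMPLE.COM"}

def domain_of(hostname):
    """Domain part of a fully qualified hostname (ipa.foo.example.com -> foo.example.com)."""
    name = hostname.strip(".")
    if "." not in name:
        raise ValueError(f"{hostname!r} is not fully qualified")
    return name.split(".", 1)[1]

def parent_domains(domain):
    """dev.bar.example.com -> [dev.bar.example.com, bar.example.com, example.com]."""
    labels = domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]  # bare TLD never searched

def server_install_defaults(hostname, domain=None, realm=None):
    """ipa-server-install: --domain from the hostname, --realm from the domain."""
    domain = domain or domain_of(hostname)
    return {"domain": domain, "realm": realm or domain.upper()}

def discover_servers(domain, dns=FAKE_DNS):
    """Walk the domain and its parents until _ldap._tcp SRV records are found."""
    for cand in parent_domains(domain):
        records = dns.get(f"_ldap._tcp.{cand}.")
        if records:
            # RFC 2782 order: lowest priority first, then highest weight.
            records = sorted(records, key=lambda r: (r[0], -r[1]))
            return cand, [r[3].rstrip(".") for r in records]
    raise LookupError(f"no _ldap._tcp SRV records under {domain} or its parents")

def client_install_options(hostname, domain=None, server=None, realm=None):
    """ipa-client-install precedence as described in the post: with --server given,
    SRV autodiscovery is skipped entirely and --domain is only recorded."""
    domain = domain or domain_of(hostname)
    if server:
        srv_domain, servers = None, [server]
    else:
        srv_domain, servers = discover_servers(domain)
    if realm is None:
        realm = FAKE_SERVER_REALM.get(servers[0])
        if realm is None:
            raise LookupError(f"{servers[0]} did not answer with a realm (not in table)")
    return {"domain": domain, "srv_domain": srv_domain, "servers": servers, "realm": realm}
```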