[Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

Martin Basti mbasti at redhat.com
Thu Dec 22 20:53:52 UTC 2016



On 22.12.2016 17:53, Brian Candler wrote:
> On 20/12/2016 08:07, Petr Spacek wrote:
>> I've tried to clarify things in man pages and on web as well. Please 
>> have a
>> look to changes and let us know if it is better or not, and 
>> preferably what
>> can be improved and in which way
>>
>> The modified deployment page is here:
>> http://www.freeipa.org/page/Deployment_Recommendations
>>
>> Man page changes and changes in description of installer options are 
>> here:
>> https://github.com/freeipa/freeipa/pull/352
>
> Thank you for working on this.
>
> This is getting clearer, but I would like to expand a little more.
>
> (1) This introduces a concept of an "IPA Primary Domain".  Is that 
> just the DNS domain which holds the SRV records which point to the 
> realm's kerberos/ldap servers, or does it have any other function? In 
> other words, what other effects would there be from choosing a 
> different IP Primary Domain?

it holds SRV records, A/AAAA records for CA

LDAP tree is constructed from the domain (cn=accounts,dc=example,dc=com)

>
> Let me give a specific example.
>
> - IPA server hostname is ipa.foo.example.com
> - I want to create kerberos realm BAR.EXAMPLE.COM
>
> Which IPA primary domain should I choose?
>
> The expected place for SRV records for realm BAR.EXAMPLE.COM would be 
> in the DNS under domain bar.example.com.  So I'm thinking that 
> "--domain bar.example.com" is the right thing - and can't think why 
> you'd ever want to do anything else.
>
>

Then use bar.example.com; IPA servers can have names outside the IPA 
domain name space.

Different people want different things, that's why the option is there.

>
> (2) I'm trying to work out how --domain, --realm, --server and 
> systemhostname influence each other, if one or more is not provided.
>
> For ipa-server-install, testing suggests:
>
> * --domain defaults to the domain part of the system hostname
> * --realm defaults to the uppercased --domain
> * (--server is obviously itself :-)
>
> For ipa-client-install it seems a bit more complex. Based on the 
> manpage, I believe the sequence is something like this:
>
> * If --domain is not specified, then it's the domain from the system 
> hostname
> * If --server is not specified, then it hunts for servers based on the 
> --domain (looking in that domain and its parents until suitable SRV 
> records are found)
> * If --realm is not specified, then it sends a query to the 
> --server(s) to ask what realm they are in
>
> But the manpage says you can specify both --server and --domain:
>
>       "Client  machine  can  also be configured without a DNS 
> autodiscovery at all. When both
>        --server and --domain options are used, client installer will 
> use the specified server
>        and  domain  directly."

Server and client can be in different DNS domains; that's probably why 
it has separate options.

I know that it is not clear how the client determines the domain and server, but 
there were more important things to fix; this may be improved in the future.


>
> In that case, I can't see what the --domain is used for here, if it's 
> only purpose is to locate servers (and you've already told it which 
> --server to use)
>
> Thanks,
>
> Brian.
>

Martin
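As an added illustration (not code from the thread or from FreeIPA) of the defaults and the SRV discovery walk Brian describes, using a constructed zone in place of real DNS so an admin can pre-check what a client in a given domain would locate:

```python
"""Model of the IPA domain/realm defaults and the SRV-based server
autodiscovery walk described in this thread. Added example, not FreeIPA
code; the search order is an assumption taken from the thread's prose."""

# Constructed sample DNS data (SRV targets keyed by owner name). Only
# bar.example.com carries IPA records; the server sits in foo.example.com.
CONSTRUCTED_SRV = {
    "_kerberos._tcp.bar.example.com": ["ipa.foo.example.com:88"],
    "_ldap._tcp.bar.example.com": ["ipa.foo.example.com:389"],
}

def constructed_lookup(name):
    """Stand-in for a real SRV resolver: targets for name, or [] if none."""
    return CONSTRUCTED_SRV.get(name, [])

def default_domain(hostname):
    """ipa-server-install: --domain defaults to the host's DNS domain."""
    return hostname.split(".", 1)[1].lower()

def default_realm(domain):
    """--realm defaults to the uppercased --domain."""
    return domain.upper()

def parent_domains(domain):
    """Yield domain, then each parent, stopping before the bare TLD."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def discover_servers(domain, lookup=constructed_lookup):
    """Walk domain and its parents until both kerberos and ldap SRV
    records exist; return (domain_found, hosts) or (None, [])."""
    for candidate in parent_domains(domain):
        kdc = lookup(f"_kerberos._tcp.{candidate}")
        ldap = lookup(f"_ldap._tcp.{candidate}")
        if kdc and ldap:
            hosts = sorted({t.rsplit(":", 1)[0] for t in kdc + ldap})
            return candidate, hosts
    return None, []

def check_client(hostname, domain=None):
    """What a client would find with an explicit or defaulted --domain;
    lists servers whose names lie outside the discovered IPA domain."""
    domain = (domain or default_domain(hostname)).lower()
    found, hosts = discover_servers(domain)
    outside = [h for h in hosts if found and not h.endswith("." + found)]
    return {"domain": domain, "found_in": found, "servers": hosts,
            "servers_outside_domain": outside}
```

Pass a function that queries real SRV records as `lookup` to run the same walk against live DNS.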
