[Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.
Brian Candler
b.candler at pobox.com
Fri Dec 23 10:42:51 UTC 2016
On 23/12/2016 10:31, Alexander Bokovoy wrote:
> ipa-ca used to be a CNAME, you cannot handle CNAME via /etc/hosts.
> However, multiple replicas cannot be specified via CNAME, so we had to
> fix https://fedorahosted.org/freeipa/ticket/3547.
Absolutely - I have no problem with ipa-ca being real A record(s)
pointing to the server itself.
All I'm saying is that at installation time, it already knew the IP
address of the server - by local hostname resolution, and because
ipa-server-install asks you to list the IP addresses of the server
explicitly.
> The ipa-ca A record is now handled as part of the server upgrade which
> also should be run at the very end of a normal install.
Are you supposed to manually run "ipa-server-upgrade" even after a
clean install?
I've just tested that, and yes, one of the steps is:
...
[Add missing CA DNS records]
Updating DNS system records
<< pauses here >>
unable to resolve host name ipatest.foo.example.com. to IP address,
ipa-ca DNS record will be incomplete
...
So you're right: that would have fixed it *if* I'd created the
foo.example.com zone first, and added the host to it, which in real life
I would have done (since other hosts must be able to resolve the IPA
server's hostname).
I already opened https://fedorahosted.org/freeipa/ticket/6579 which
suggested using local resolution, e.g. via gethostent(). But feel free
to close it if you don't think this is needed.
Regards,
Brian.
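A small pre-check for the situation described in this message, added here as an example rather than code from FreeIPA or from the poster: it compares the addresses the server was installed with against what name resolution returns for the server hostname and for ipa-ca, using the system resolver (which honours /etc/hosts, the local-resolution approach the ticket proposes). The IPA domain `example.com`, the hostname and the 192.0.2.x addresses are constructed sample values; `fake_resolver` stands in for DNS so the check runs offline.

```python
"""Pre-check for an incomplete ipa-ca A record before/after ipa-server-upgrade."""
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def local_resolver(name: str) -> List[str]:
    """Resolve through the system resolver (getaddrinfo), which consults
    /etc/hosts as well as DNS, the local resolution the ticket suggests."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_ipa_ca(hostname: str, domain: str, server_ips: List[str],
                 resolve: Resolver = local_resolver) -> Dict[str, List[str]]:
    """Return the server addresses missing from each record.

    'hostname': server IPs not returned for the server's own name. When
    this is every address, the upgrade step reports "unable to resolve
    host name ... ipa-ca DNS record will be incomplete".
    'ipa-ca': server IPs that have no ipa-ca.<domain> A record yet.
    """
    host_ips = set(resolve(hostname))
    ca_ips = set(resolve("ipa-ca." + domain))
    return {
        "hostname": sorted(ip for ip in server_ips if ip not in host_ips),
        "ipa-ca": sorted(ip for ip in server_ips if ip not in ca_ips),
    }


# Constructed sample resolver: the foo.example.com zone was never created,
# so the hostname does not resolve, and ipa-ca only knows one address.
FAKE_DNS = {"ipa-ca.example.com": ["192.0.2.10"]}


def fake_resolver(name: str) -> List[str]:
    """Offline stand-in for DNS lookups (assumption: dict-backed)."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    print(check_ipa_ca("ipatest.foo.example.com", "example.com",
                       ["192.0.2.10", "192.0.2.11"], fake_resolver))
```

Run it with the default resolver on the IPA server itself to see whether the hostname is resolvable locally before the upgrade step tries to add the record.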