[Freeipa-users] Need Suggestion on Multi Realm Environment

Yogesh Sharma yks0000 at gmail.com
Thu Jan 7 11:43:43 UTC 2016


List,

I have a FreeIPA server in the domain/realm klikpay.int. We have a few
hosts/clients in another domain, sd.int. As the number of servers is very
small we do not want to have a new FreeIPA server for it, and I think having
a common one will be easier to manage.

I have created separate forward and reverse zones for sd.int, and am able to
register the server successfully, but somehow, while registering a client,
we noticed that the sd.int domain servers are still going into the klikpay.int
realm only. Further, they are not getting registered in DNS either.


Below are some of the tests I executed:

Test-1

ipa-client-install --principal=admin --password=xxxxxxxxxxxxx --mkhomedir --no-ntp
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com):


Test-2


ipa-client-install --principal=admin --password=xxxxxxxxxxxxxxxxxxx --mkhomedir --no-ntp --domain=sd.int
Provide your IPA server name (ex: ipa.example.com):
ipa-inf-prd-sg1-01.klikpay.int
Failed to verify that ipa-inf-prd-sg1-01.klikpay.int is an IPA Server.
This may mean that the remote server is not up or is not reachable due to
network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.

However, I can confirm all ports are reachable:

# for i in 80 88 389 636 464; do nc -vz ipa-inf-prd-sg1-01.klikpay.int $i; done
Connection to ipa-inf-prd-sg1-01.klikpay.int 80 port [tcp/http] succeeded!
Connection to ipa-inf-prd-sg1-01.klikpay.int 88 port [tcp/kerberos] succeeded!
Connection to ipa-inf-prd-sg1-01.klikpay.int 389 port [tcp/ldap] succeeded!
Connection to ipa-inf-prd-sg1-01.klikpay.int 636 port [tcp/ldaps] succeeded!
Connection to ipa-inf-prd-sg1-01.klikpay.int 464 port [tcp/kpasswd] succeeded!


Test-3:

ipa-client-install --principal=admin --password=xxxxxxxxxxxxxxxxxxx --mkhomedir --no-ntp --domain=klikpay.int --nisdomain=sd.int
Discovery was successful!
Hostname: imsadmin-app-prd-sg1-01.sd.int
Realm: KLIKPAY.INT
DNS Domain: klikpay.int
IPA Server: ipa-inf-prd-ng2-02.klikpay.int
BaseDN: dc=klikpay,dc=int

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=KLIKPAY.INT
    Issuer:      CN=Certificate Authority,O=KLIKPAY.INT
    Valid From:  Fri Aug 14 11:39:47 2015 UTC
    Valid Until: Tue Aug 14 11:39:47 2035 UTC

Enrolled in IPA realm KLIKPAY.INT
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm KLIKPAY.INT
trying https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml
Forwarding 'env' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
Hostname (imsadmin-app-prd-sg1-01.sd.int) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring sd.int as NIS domain
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.



It would be helpful if I could get some reference on how we can do this.



Best Regards,

__________________________________________

Yogesh Sharma
Email: yks0000 at gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

<https://www.fb.com/yks0000>   <http://in.linkedin.com/in/yks0000>
<https://twitter.com/checkwithyogesh>
<http://google.com/+YogeshSharmaOnGooglePlus>
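The post's failures are DNS-side: discovery cannot find a server for sd.int, and the client's own name is not found in DNS. The following pre-enrollment check, added here as an example and not part of the original message or of FreeIPA, looks up the records that ipa-client-install autodiscovery relies on (the _ldap._tcp and _kerberos._udp SRV records and the _kerberos TXT record of the client's DNS domain) plus the client's own A/PTR records, and reports which are missing. The resolver is injected so it runs offline against constructed zone data; `dig_resolver` is the live variant. The host names are taken from the post; the addresses and the "fixed" zone contents are assumptions.

```python
"""Pre-enrollment DNS check for an IPA client whose DNS domain (sd.int) differs
from the realm's domain (klikpay.int). Reports which records discovery needs."""
import ipaddress
import subprocess
from typing import Callable, Dict, List

Resolver = Callable[[str, str], List[str]]  # (owner name, rtype) -> rdata strings


def dig_resolver(name: str, rtype: str) -> List[str]:
    """Live resolver using `dig +short`; returns [] on NXDOMAIN or no data."""
    out = subprocess.run(["dig", "+short", name, rtype], capture_output=True,
                         text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def check_client_dns(hostname: str, domain: str, resolve: Resolver) -> Dict[str, bool]:
    """One pass/fail flag per record that client enrollment depends on."""
    ldap_srv = resolve(f"_ldap._tcp.{domain}", "SRV")
    result = {
        "ldap_srv": bool(ldap_srv),
        "kerberos_srv": bool(resolve(f"_kerberos._udp.{domain}", "SRV")),
        "realm_txt": bool(resolve(f"_kerberos.{domain}", "TXT")),
    }
    # SRV targets must themselves resolve, or discovery finds a name it cannot use.
    targets = [rr.split()[-1].rstrip(".") for rr in ldap_srv]
    result["srv_targets_resolve"] = bool(targets) and all(resolve(t, "A") for t in targets)
    # The client's own forward and reverse records ("Hostname ... not found in DNS").
    addrs = resolve(hostname, "A")
    result["host_a"] = bool(addrs)
    result["host_ptr"] = bool(addrs) and all(
        hostname in (p.rstrip(".") for p in resolve(ipaddress.ip_address(a).reverse_pointer, "PTR"))
        for a in addrs)
    return result


def failures(report: Dict[str, bool]) -> List[str]:
    return [name for name, ok in report.items() if not ok]


# Constructed zone data (placeholder addresses), not records from the post:
# sd.int holds the client's A/PTR records but no SRV/TXT records, so discovery fails.
BROKEN_ZONE = {
    ("imsadmin-app-prd-sg1-01.sd.int", "A"): ["10.0.0.20"],
    ("20.0.0.10.in-addr.arpa", "PTR"): ["imsadmin-app-prd-sg1-01.sd.int."],
}
# Assumed fix: the same zone with SRV/TXT records pointing at the klikpay.int server.
FIXED_ZONE = {**BROKEN_ZONE,
    ("_ldap._tcp.sd.int", "SRV"): ["0 100 389 ipa-inf-prd-sg1-01.klikpay.int."],
    ("_kerberos._udp.sd.int", "SRV"): ["0 100 88 ipa-inf-prd-sg1-01.klikpay.int."],
    ("_kerberos.sd.int", "TXT"): ['"KLIKPAY.INT"'],
    ("ipa-inf-prd-sg1-01.klikpay.int", "A"): ["10.0.0.10"]}


def table_resolver(zone: dict) -> Resolver:
    return lambda name, rtype: list(zone.get((name, rtype), []))
```

Run `check_client_dns(<fqdn>, <dns domain>, dig_resolver)` on the client before enrolling to see which records are missing; against the constructed zones above, the broken one reports the SRV/TXT checks as failed and the fixed one reports none.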

