[Freeipa-users] Need Suggestion on Multi Realm Environment

Yogesh Sharma yks0000 at gmail.com
Thu Jan 7 12:20:02 UTC 2016


This is fixed. Found an issue with the BIND update policy and got some
reference from
https://www.redhat.com/archives/freeipa-users/2015-May/msg00399.html .
Working fine now.

grant KLIKPAY.INT krb5-self * A;
grant KLIKPAY.INT krb5-self * AAAA;
grant KLIKPAY.INT krb5-self * SSHFP;

Best Regards,

__________________________________________

Yogesh Sharma
Email: yks0000 at gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RACKSPACE CLOUD U Certified

<https://www.fb.com/yks0000>   <http://in.linkedin.com/in/yks0000>
<https://twitter.com/checkwithyogesh>
<http://google.com/+YogeshSharmaOnGooglePlus>

On Thu, Jan 7, 2016 at 5:13 PM, Yogesh Sharma <yks0000 at gmail.com> wrote:

> List,
>
> I have a FreeIPA Server in domain/realm klikpay.int.
> We have a few hosts/clients in another domain, sd.int. As
> the number of servers is very small we do not want to have a new FreeIPA
> server for them, and I think having a common one will be easy to manage.
>
> I have created a separate forward and reverse zone for sd.int, and am able to
> register the server successfully, but somehow, while registering a client,
> we noticed that the sd.int domain servers are still going into the klikpay.int
> realm only. Further, they are not getting registered with DNS either.
>
>
> Below are some tests I executed:
>
> Test-1
>
> ipa-client-install --principal=admin --password=xxxxxxxxxxxxx --mkhomedir --no-ntp
> DNS discovery failed to determine your DNS domain
> Provide the domain name of your IPA server (ex: example.com):
>
>
> Test-2
>
>
> ipa-client-install --principal=admin --password=xxxxxxxxxxxxxxxxxxx --mkhomedir --no-ntp --domain=sd.int
> Provide your IPA server name (ex: ipa.example.com):
> ipa-inf-prd-sg1-01.klikpay.int
> Failed to verify that ipa-inf-prd-sg1-01.klikpay.int is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to
> network or firewall settings.
> Please make sure the following ports are opened in the firewall settings:
>      TCP: 80, 88, 389
>      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
>      TCP: 464
>      UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> However, I can confirm all ports are reachable:
>
> # for i in 80 88 389 636 464;do nc -vz ipa-inf-prd-sg1-01.klikpay.int $i;done
> Connection to ipa-inf-prd-sg1-01.klikpay.int 80 port [tcp/http] succeeded!
> Connection to ipa-inf-prd-sg1-01.klikpay.int 88 port [tcp/kerberos]
> succeeded!
> Connection to ipa-inf-prd-sg1-01.klikpay.int 389 port [tcp/ldap]
> succeeded!
> Connection to ipa-inf-prd-sg1-01.klikpay.int 636 port [tcp/ldaps]
> succeeded!
> Connection to ipa-inf-prd-sg1-01.klikpay.int 464 port [tcp/kpasswd]
> succeeded!
>
>
> Test-3:
>
> ipa-client-install --principal=admin --password=xxxxxxxxxxxxxxxxxxx --mkhomedir --no-ntp --domain=klikpay.int --nisdomain=sd.int
> Discovery was successful!
> Hostname: imsadmin-app-prd-sg1-01.sd.int
> Realm: KLIKPAY.INT
> DNS Domain: klikpay.int
> IPA Server: ipa-inf-prd-ng2-02.klikpay.int
> BaseDN: dc=klikpay,dc=int
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> Successfully retrieved CA cert
>     Subject:     CN=Certificate Authority,O=KLIKPAY.INT
>     Issuer:      CN=Certificate Authority,O=KLIKPAY.INT
>     Valid From:  Fri Aug 14 11:39:47 2015 UTC
>     Valid Until: Tue Aug 14 11:39:47 2035 UTC
>
> Enrolled in IPA realm KLIKPAY.INT
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm KLIKPAY.INT
> trying https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml
> Forwarding 'env' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
> Hostname (imsadmin-app-prd-sg1-01.sd.int) not found in DNS
> Failed to update DNS records.
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configuring sd.int as NIS domain
> Configured /etc/openldap/ldap.conf
> Configured /etc/ssh/ssh_config
> Configured /etc/ssh/sshd_config
> Client configuration complete.
>
>
>
> It would be helpful if I could get some reference on how we can do it.
>
>
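The three krb5-self grants in the reply are the security-relevant part of the fix: they let a host that is enrolled in realm KLIKPAY.INT but named under sd.int update its own A, AAAA and SSHFP records, and nothing else. The following Python is an added example, not code from this thread, from FreeIPA or from BIND; it models the rule evaluation in simplified form (identity field = realm, host/<machine>@<realm> may only touch the name <machine>, first matching rule wins). The policy string is the one from the reply and the hostnames are the ones from the thread.

```python
import re

# Constructed from the reply above: the three grants for the sd.int zone.
POLICY = ("grant KLIKPAY.INT krb5-self * A; "
          "grant KLIKPAY.INT krb5-self * AAAA; "
          "grant KLIKPAY.INT krb5-self * SSHFP;")

_RULE = re.compile(r"^(grant|deny)\s+(\S+)\s+(\S+)\s+(\S+)((?:\s+\S+)*)$")


def parse_policy(policy):
    """Split an update-policy string into (action, identity, matchtype, name, types)."""
    rules = []
    for stmt in policy.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        m = _RULE.match(stmt)
        if not m:
            raise ValueError("malformed update-policy rule: %r" % stmt)
        action, identity, matchtype, name, types = m.groups()
        # An empty type set means the rule covers every record type.
        rules.append((action, identity, matchtype, name, set(types.upper().split())))
    return rules


def _norm(name):
    return name.rstrip(".").lower()


def allowed(policy, principal, name, rtype):
    """Return True if the principal may update <name> <rtype> under the policy.

    Simplified model of BIND semantics: rules are tried in order and the first
    match decides. Only krb5-self is modelled: the identity field is the realm,
    the principal must be host/<machine>@<realm>, and only records whose owner
    name equals <machine> match. Rules with other match types are skipped.
    """
    service, _, realm = principal.partition("@")
    if not realm or not service.startswith("host/"):
        return False                      # user principals never match krb5-self
    machine = _norm(service[len("host/"):])
    for action, identity, matchtype, _pattern, types in parse_policy(policy):
        if matchtype != "krb5-self" or identity.upper() != realm.upper():
            continue
        if _norm(name) != machine:
            continue                      # a host may only touch its own name
        if types and rtype.upper() not in types:
            continue
        return action == "grant"
    return False
```

In FreeIPA the string is applied per zone with `ipa dnszone-mod sd.int --dynamic-update=TRUE --update-policy='...'`; note that the realm granted must be the one the hosts are enrolled in (KLIKPAY.INT), not the DNS domain of the zone.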