[Freeipa-users] IPA-AD Trust unable to resolve child domain

Alexander Bokovoy abokovoy at redhat.com
Thu Oct 20 18:23:32 UTC 2016


On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>Hi Alexander,
>I do believe it is a DNS problem; the commands failing are
>
>host -t srv _ldap._tcp.ad_domain
>or
>dig SRV _ldap._tcp.ad_domain
>After checking the logs I see this error:
>"no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>
>So I disabled the DNSSEC validation on IPA and it works as expected. I will
>set up DNSSEC on the Windows side and enable DNS validation once more on IPA
>to see if I can get the same outcome.
When you use DNSSEC validation, your DNS infrastructure should all be
using DNSSEC. This does not depend on whether you are deploying trust to
AD or not.

In fact, when installing a FreeIPA server, you have the option to disable
DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
option exists in ipa-dns-install.

-- 
/ Alexander Bokovoy



