[Freeipa-users] IPA-AD Trust unable to resolve child domain

Carlos Raúl Laguna carlosla1987 at gmail.com
Thu Oct 20 21:18:15 UTC 2016


Thanks for the clarification. Regards

2016-10-20 14:23 GMT-04:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Thu, 20 Oct 2016, Carlos Raúl Laguna wrote:
>
>> Hi Alexander,
>> I do believe it is a DNS problem, the commands failing are
>>
>> host -t srv _ldap._tcp.ad_domain
>> or
>> dig SRV _ldap._tcp.ad_domain
>> after checking the logs I see this error
>> "no valid DS resolving '_ldap._tcp.ad_domain /SRV/IN': 10.20.4.22#53"
>>
>> so I disabled the DNSSEC validation on IPA and it works as expected. I will
>> set up DNSSEC on the Windows side and enable DNS validation once more on
>> IPA to see if I can get the same outcome.
>>
> When you use DNSSEC validation, your DNS infrastructure should all be
> using DNSSEC. This does not depend on whether you are deploying trust to
> AD or not.
>
> In fact, when installing FreeIPA server, you have the option to disable
> DNSSEC validation (ipa-server-install --no-dnssec-validation). The same
> option exists in ipa-dns-install.
>
> --
> / Alexander Bokovoy
>
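
The log check described in the thread, as an added example that is not part of the original messages: it groups resolver validation failures such as "no valid DS" by queried domain and upstream DNS server, so you can see which forwarded domains break the DNSSEC chain. The log lines and the `ad.example.test` names are constructed, and the full `error (...)` message form is assumed alongside the shortened form quoted above.

```python
import re
from collections import defaultdict

# Matches validation failures in the full form
# "error (no valid DS) resolving ..." and in the shortened form quoted in the thread.
FAIL_RE = re.compile(
    r"(?:error \()?(no valid DS|no valid RRSIG|broken trust chain)\)?"
    r" resolving '([^'/\s]+)\s*/(\w+)/(\w+)': ([0-9A-Fa-f.:]+)#(\d+)"
)

def base_domain(qname):
    """Drop leading service labels (_ldap, _tcp, ...) to get the queried domain."""
    labels = qname.rstrip(".").split(".")
    while labels and labels[0].startswith("_"):
        labels.pop(0)
    return ".".join(labels).lower()

def summarize(lines):
    """Return {(domain, upstream): {reason: sorted list of 'name/TYPE'}}."""
    out = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a validation failure (e.g. an ordinary query log line)
        reason, qname, rtype, _cls, server, _port = m.groups()
        out[(base_domain(qname), server)][reason].add(f"{qname}/{rtype}")
    return {k: {r: sorted(v) for r, v in d.items()} for k, d in out.items()}

# Constructed sample log lines; only 10.20.4.22 comes from the thread.
SAMPLE_LOG = """\
20-Oct-2016 14:01:07.112 lame-servers: info: no valid DS resolving '_ldap._tcp.ad.example.test /SRV/IN': 10.20.4.22#53
20-Oct-2016 14:01:07.498 lame-servers: info: error (no valid DS) resolving '_kerberos._tcp.ad.example.test/SRV/IN': 10.20.4.22#53
20-Oct-2016 14:01:09.020 lame-servers: info: error (broken trust chain) resolving '_ldap._tcp.child.ad.example.test/SRV/IN': 10.20.4.22#53
20-Oct-2016 14:01:10.333 queries: info: client 10.20.4.5#40112: query: ipa.example.test IN A +
""".splitlines()

if __name__ == "__main__":
    for (domain, server), reasons in summarize(SAMPLE_LOG).items():
        for reason, names in reasons.items():
            print(f"{domain} via {server}: {reason}: {', '.join(names)}")
```

A domain that appears here while validation is enabled is one whose DNS servers are not serving a signed chain, which is the condition Alexander describes.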