Hi,

Is there a correct way to set up a public/private design using IPA for Kerberos? I am currently implementing Kerberos for our Hadoop cluster.

For communication between nodes, I use RFC 1918 addresses. This works properly, but adds a complexity for FreeIPA.

Hosts have a public interface which they use for IPA.
Ex. host/[email protected] (a 10.x.x.x IP)

For the private 172.16.x.x IPs, I made DNS zones (+reverse) as well, since Hadoop uses DNS a lot. (.local, in this case adapted to the location)
Ex. iictyibcls002.nix.infrabel.be.bdmzlocal. resolves to 172.16.2.2

The problem: Hadoop now wants to create Kerberos service principals for the .local domain...

I have searched on the mailing list and other resources, but I am not sure what the proper 'IPA way' is.

Adding a principal alias does not work (as I expected) -->

STDERR: ipa: ERROR: The host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not exist to add a service to.

And if I try to add a host first, using correct DNS records (A and PTR), this still results in

2017-07-11 06:57:27,072 - Failed to create principal, HTTP/ [email protected] - Failed to create service principal for HTTP/ [email protected]
STDOUT:
STDERR: ipa: ERROR: Host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not have corresponding DNS A/AAAA record

Was there something about a (kadmin) override?

Thx a lot!
Pieter
