Or indeed choose any of your existing DNS domains for the IPA servers. I suspect 
changing the domain at a later time might be troublesome, so maybe pick one 
that has some assured longevity to it!

Regards
Angus

________________________________
From: Angus Clarke via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Friday, March 6, 2020 9:49:20 PM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Todd Grayson <tgray...@cloudera.com>; Angus Clarke <p...@angusclarke.com>
Subject: [Freeipa-users] Re: freeIPA in a complex multi-subnet, multi-domain, 
multi-identity provider lab environment

Hello

As far as I'm aware, Kerberos requires DNS A records for clients and servers. 
Could you not just set up freeIPA using its internal DNS with a new domain just 
to add the ipa servers to, and then have forwarding between the different DNS 
systems? Clients can be under any DNS domain you like, as long as they resolve.

Regards
Angus

________________________________
From: Todd Grayson via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Friday, March 6, 2020 4:50:25 PM
To: freeipa-users@lists.fedorahosted.org <freeipa-users@lists.fedorahosted.org>
Cc: Todd Grayson <tgray...@cloudera.com>
Subject: [Freeipa-users] freeIPA in a complex multi-subnet, multi-domain, 
multi-identity provider lab environment

Hello,

Reading what I can find, it seems that it's almost impossible to use freeIPA 
clients and expect not to have to configure DNS SRV or TEXT records to resolve 
the freeIPA for everything, which is a shock... there appears to be no simple way 
to just have krb5.conf's that fall back on non-DNS-related resolution of KDC 
[realm] and [domain_realm] based resolution and mapping.... is that correct?  
Or am I missing some discussion on how to force an ipaclient setup to handle 
this kind of "krb5.conf" mapping instead of depending on DNS?

I'm tasked with trying to bring IPA into what is a long-standing lab 
environment that spans multiple cloud providers, multiple data centers, and 
collections of ad-hoc environments that we need to develop, train, and test 
within.  Naturally this is spanning about 10 or so unique BIND DNS domains.   
There are 6 separate Active Directory domains as well representing the range of 
domain functional levels from 2008 - 2016 that handle their own DNS.

The environment historically includes a mix of MIT Kerberos and Active 
Directory domains, as well as ad-hoc MIT realms that are set up for exercising 
various cross-realm trust scenarios from Java, Python and other application 
stacks.

I'm hoping to end up with a few discrete freeIPA domains as a centralized 
static service that can be shared, rather than make everyone set up ad-hoc IPA 
instances, but it's looking like my approach is NOT going to work and we are 
going to have to cookbook ad-hoc IPA setups that will be in conflict with each 
other within the subnets they pop up in.

Am I missing something as far as non-DNS-aware freeIPA integration? Or is the 
design really locked down as much as it seems, to where everything must be 
coordinated at the network DNS level to get these lab systems (small clusters) 
scattered across these lab environments to be able to register as ipa clients?

Any pointers to blogs, threads etc that speak to this would be greatly 
appreciated...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
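For readers of the thread, this is an added illustration (not from either poster, and not FreeIPA's own client configuration) of the static krb5.conf mapping Todd asks about: KDCs listed explicitly under [realms], hosts from several DNS zones mapped onto one realm under [domain_realm], and DNS SRV/TXT discovery switched off. The realm name, hostnames and zone names are hypothetical placeholders.

```ini
# Added example, not from the thread: explicit KDC and realm mapping in
# /etc/krb5.conf for clients that must not depend on DNS SRV/TXT records.
# Realm, hostnames and domains below are hypothetical placeholders.
[libdefaults]
    default_realm = LAB.EXAMPLE
    # Do not discover KDCs or host-to-realm mappings through DNS SRV/TXT
    # records; rely only on the static entries in this file.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Do not canonicalize service hostnames via reverse DNS either, so a
    # stale or unreachable PTR zone cannot change which principal is used.
    rdns = false

[realms]
    LAB.EXAMPLE = {
        kdc = ipa1.lab.example
        kdc = ipa2.lab.example
        admin_server = ipa1.lab.example
    }

[domain_realm]
    # Hosts in several independent BIND zones all map onto the one IPA realm.
    .lab.example = LAB.EXAMPLE
    lab.example = LAB.EXAMPLE
    .dc1.corp.example = LAB.EXAMPLE
    .cloud-west.example = LAB.EXAMPLE
```

Forward (A/AAAA) resolution of the KDC hostnames is still needed, which is Angus's point; what this removes is only the dependence on SRV and TXT records for discovery.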