On Tue, 13 May 2025, Gareth Blades wrote:
Yes the realm is XYZ.NET

I thought Kerberos realms should always be specified in uppercase?

Kerberos realms are case-sensitive. DNS domain names aren't. Anyway, my
point was that FreeIPA relies on the fact that you own a primary DNS
domain equal to your Kerberos realm and that this DNS domain contains DNS
records specific to the IPA realm.


If I set up something like this as suggested:
   _kerberos.redstation.xyz. 86400 IN TXT "XYZ.NET"
Then how would this result in different servers being returned for
machines in 'redstation' as opposed to every other location?  Wouldn't
Kerberos lookup the realm XYZ.NET and find some generic list of servers
and not those just in the location it is in?

You would need to make sure the xyz.net DNS domain information is specific
to your client location.
https://www.freeipa.org/page/Howto/IPA_locations#example-with-non-freeipa-dns-servers
shows how to do that with Infoblox, for example.

It is done pretty much by making sure that:

- each location has the primary DNS domain view
- each DNS domain view has both _udp and _tcp subdomains
- each SRV record defined for that location is defined in those domains

E.g. if the redstation location has an IPA server named 'ipa-redstation', `ipa
dns-update-system-records --dry-run` would produce IPA location
records for you like this:

    _kerberos-master._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos-master._udp.redstation._locations.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos._udp.redstation._locations.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos.redstation._locations.xyz.net. 3600 IN TXT "XYZ.NET"
    _kerberos.redstation._locations.xyz.net. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa-redstation.xyz.net."
    _kerberos.redstation._locations.xyz.net. 3600 IN URI 0 100 "krb5srv:m:udp:ipa-redstation.xyz.net."
    _kpasswd._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 464 ipa-redstation.xyz.net.
    _kpasswd._udp.redstation._locations.xyz.net. 3600 IN SRV 0 100 464 ipa-redstation.xyz.net.
    _kpasswd.redstation._locations.xyz.net. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa-redstation.xyz.net."
    _kpasswd.redstation._locations.xyz.net. 3600 IN URI 0 100 "krb5srv:m:udp:ipa-redstation.xyz.net."
    _ldap._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 389 ipa-redstation.xyz.net.

Then the DNS view of the xyz.net domain for the redstation location will need to contain
these records:

    _kerberos-master._tcp.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos-master._udp.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos._tcp.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos._udp.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
    _kerberos.xyz.net. 3600 IN TXT "XYZ.NET"
    _kerberos.xyz.net. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa-redstation.xyz.net."
    _kerberos.xyz.net. 3600 IN URI 0 100 "krb5srv:m:udp:ipa-redstation.xyz.net."
    _kpasswd._tcp.xyz.net. 3600 IN SRV 0 100 464 ipa-redstation.xyz.net.
    _kpasswd._udp.xyz.net. 3600 IN SRV 0 100 464 ipa-redstation.xyz.net.
    _kpasswd.xyz.net. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa-redstation.xyz.net."
    _kpasswd.xyz.net. 3600 IN URI 0 100 "krb5srv:m:udp:ipa-redstation.xyz.net."
    _ldap._tcp.xyz.net. 3600 IN SRV 0 100 389 ipa-redstation.xyz.net.

E.g. apply s/\.redstation\._locations//g and the resulting zone data is what you
need to have in the DNS view for the redstation location.

This assumes your IPA server ipa-redstation is present in the xyz.net
DNS domain (so A/AAAA records are there as well). If they are defined in
subdomains, don't forget to make sure the xyz.net DNS view for that
particular location also includes A/AAAA/NS records pointing to the correct
servers and subdomains so that clients can find it.

The integrated DNS server in IPA has no support for DNS views, so it uses
automatic generation of the CNAME records using per-server location
information and templates stored in IPA LDAP.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
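As an added example (not from the thread and not FreeIPA's own code), the following Python checks a location's DNS view against the records that `ipa dns-update-system-records --dry-run` would print for that location: it applies the s/\.redstation\._locations//g rewrite from the reply, then reports records the view is missing, a `_kerberos` TXT record whose value does not match the case-sensitive realm, and SRV targets that have no A/AAAA record inside the same view. The location, domain and server names (redstation, xyz.net, ipa-redstation) and both zone snippets are constructed for the example.

```python
import re

# Constructed input modelled on the `ipa dns-update-system-records --dry-run` output quoted above.
LOCATION_RECORDS = """\
_kerberos._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
_kerberos.redstation._locations.xyz.net. 3600 IN TXT "XYZ.NET"
_kerberos.redstation._locations.xyz.net. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa-redstation.xyz.net."
_kpasswd._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 464 ipa-redstation.xyz.net.
_ldap._tcp.redstation._locations.xyz.net. 3600 IN SRV 0 100 389 ipa-redstation.xyz.net.
"""
# Constructed redstation view of xyz.net: the _kpasswd SRV is missing and the TXT realm is lowercase.
VIEW_ZONE = """\
ipa-redstation.xyz.net. 3600 IN A 192.0.2.10
_kerberos._tcp.xyz.net. 3600 IN SRV 0 100 88 ipa-redstation.xyz.net.
_kerberos.xyz.net. 3600 IN TXT "xyz.net"
_kerberos.xyz.net. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa-redstation.xyz.net."
_ldap._tcp.xyz.net. 3600 IN SRV 0 100 389 ipa-redstation.xyz.net.
"""

def parse(zone):
    """Return a set of (owner, type, rdata) tuples; TTL and class are ignored."""
    recs = set()
    for line in zone.splitlines():
        m = re.match(r"(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$", line.strip())
        if m:
            recs.add((m.group(1).lower(), m.group(2), m.group(3).strip()))
    return recs

def to_view_records(location_records, location):
    # The s/\.<location>\._locations//g rewrite from the reply, applied to owner names.
    return {(owner.replace(f".{location}._locations", ""), rtype, rdata)
            for owner, rtype, rdata in parse(location_records)}

def check_view(view_zone, location_records, location, realm):
    """Report what a client served by this view could not discover correctly."""
    view = parse(view_zone)
    findings = [f"missing {t} {o} {r}"
                for o, t, r in sorted(to_view_records(location_records, location))
                if (o, t, r) not in view]
    # Kerberos realms are case-sensitive, so the TXT record must carry the realm exactly.
    for owner, rtype, rdata in view:
        if rtype == "TXT" and owner.startswith("_kerberos.") and rdata.strip('"') != realm:
            findings.append(f'TXT {owner} advertises {rdata}, expected "{realm}"')
    # Every SRV target must resolve inside the same view, i.e. have an A/AAAA record there.
    addrs = {o for o, t, _ in view if t in ("A", "AAAA")}
    for owner, rtype, rdata in view:
        if rtype == "SRV" and rdata.split()[-1].lower() not in addrs:
            findings.append(f"SRV {owner} target {rdata.split()[-1]} has no A/AAAA in view")
    return findings
```

Run `check_view(VIEW_ZONE, LOCATION_RECORDS, "redstation", "XYZ.NET")` to list the problems in the constructed view; an empty list means the view exposes everything the location records require.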

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]