On 06/24/2013 08:32 PM, Vitaly wrote:
> Sorry for a probably stupid question, but in general, may an
> ipaclient.staging.example.com host be a member of the prod.example.com
> domain?
Sure, you just need to have a properly configured /etc/krb5.conf (namely the
[domain_realm] mapping) and /etc/sssd/sssd.conf to look up the clients in this
domain. I tested this with freeipa-client-3.1.4-1.fc18.x86_64;
ipa-client-install does that for you:

# hostname client.example.com
# ipa-client-install --domain ipa.domain.test
Discovery was successful!
Hostname: client.example.com
Realm: IPA.DOMAIN.TEST
DNS Domain: ipa.domain.test
IPA Server: server1.ipa.domain.test
BaseDN: dc=idm,dc=lab,dc=bos,dc=redhat,dc=com

Continue to configure the system with these values? [no]: y
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for [email protected]:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.DOMAIN.TEST
    Issuer:      CN=Certificate Authority,O=IPA.DOMAIN.TEST
    Valid From:  Wed Jun 19 20:11:11 2013 UTC
    Valid Until: Sun Jun 19 20:11:11 2033 UTC

Enrolled in IPA realm IPA.DOMAIN.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.DOMAIN.TEST
trying https://server1.ipa.domain.test/ipa/xml
Hostname (client.example.com) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server 'https://server1.ipa.domain.test/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
# cat /etc/sssd/sssd.conf
[domain/ipa.domain.test]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.domain.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = client.example.com
chpass_provider = ipa
ipa_server = _srv_, server1.ipa.domain.test
dns_discovery_domain = ipa.domain.test
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = ipa.domain.test
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.DOMAIN.TEST
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  IPA.DOMAIN.TEST = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ipa.domain.test = IPA.DOMAIN.TEST
  ipa.domain.test = IPA.DOMAIN.TEST
  .example.com = IPA.DOMAIN.TEST
  example.com = IPA.DOMAIN.TEST

HTH,
Martin

> On Thu, Jun 20, 2013 at 10:34 AM, Vitaly <[email protected]> wrote:
>
> > Is KDC resolvable from the client?
> yes, there is DNS resolving for "serv02.prod.example.com" on the client.
>
> > Do you have an AD DNS that might be actually serving records?
> no, I don't have AD DNS for prod.example.com.
>
> > What version of the client and what OS are you using?
> On the client:
> ipa-client-2.0-10.el5_6.1
> Red Hat Enterprise Linux Server release 5.6 (Tikanga)
>
> On the IPA server:
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> libipa_hbac-1.5.1-66.el6_2.3.x86_64
> libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
> ipa-python-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> Red Hat Enterprise Linux Server release 6.2 (Santiago)
>
> Thank you,
> Vitaly
>
> On Wed, Jun 19, 2013 at 7:45 PM, Dmitri Pal <[email protected]> wrote:
>
> > On 06/19/2013 10:32 AM, Vitaly wrote:
> > > ipa-client-install fails with a "Cannot resolve network address for KDC"
> > > message.
> > > I don't have SRV records, but I provide the IPA server name via the
> > > "--server" param.
> > > Any ideas?
> > >
> > > TIA,
> > > Vitaly
> > >
> > > 2013-06-19 13:58:39,113 DEBUG Loading Index file from
> > > '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > > 2013-06-19 13:58:39,113 DEBUG [ipacheckldap]
> > > 2013-06-19 13:58:39,113 DEBUG Init ldap with:
> > > ldap://serv02.prod.example.com:389
> > > 2013-06-19 13:58:39,193 DEBUG Search rootdse
> > > 2013-06-19 13:58:39,233 DEBUG Search for (info=*) in
> > > dc=prod,dc=example,dc=com(base)
> > > 2013-06-19 13:58:39,272 DEBUG Found: [('dc=prod,dc=example,dc=com',
> > > {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
> > > 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
> > > ['prod.example.com'], 'dc': ['prod'], 'nisDomain': ['prod.example.com']})]
> > > 2013-06-19 13:58:39,272 DEBUG Search for (objectClass=krbRealmContainer) in
> > > dc=prod,dc=example,dc=com(sub)
> > > 2013-06-19 13:58:39,313 DEBUG Found:
> > > [('cn=PROD.EXAMPLE.COM,cn=kerberos,dc=prod,dc=example,dc=com',
> > > {'krbSubTrees': ['dc=prod,dc=example,dc=com'], 'cn': ['PROD.EXAMPLE.COM'],
> > > 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special',
> > > 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top',
> > > 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
> > > 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
> > > 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
> > > 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
> > > 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
> > > 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
> > > 'krbMaxRenewableAge': ['604800']})]
> > > 2013-06-19 13:58:52,031 INFO args=/usr/kerberos/bin/kinit [email protected]
> > > 2013-06-19 13:58:52,032 INFO stdout=
> > > 2013-06-19 13:58:52,032 INFO stderr=kinit(v5): Cannot resolve network
> > > address for KDC in realm PROD.EXAMPLE.COM while getting initial credentials
> > >
> > > 2013-06-19 13:58:52,065 INFO args=/usr/kerberos/bin/kdestroy
> > > 2013-06-19 13:58:52,065 INFO stdout=
> > > 2013-06-19 13:58:52,065 INFO stderr=kdestroy: No credentials cache found
> > > while destroying cache
> > >
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > [email protected]
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > Is KDC resolvable from the client?
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager for IdM portfolio
> > Red Hat Inc.
> >
> >
> > -------------------------------
> > Looking to carve out IT costs?
> > www.redhat.com/carveoutcosts/
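A check for the two things this thread turns on, added here as an example and not code from the thread or from the FreeIPA project: whether a client's hostname maps onto the IPA realm through [domain_realm] (Martin's point), and how libkrb5 will locate the KDC for that realm when there are no SRV records (Vitaly's "Cannot resolve network address for KDC"). The embedded krb5.conf is a constructed copy of the one Martin posted so the script runs offline; the function names are mine, the parser covers only the krb5.conf subset shown, and no DNS is queried.

```python
import re

# Constructed sample: the /etc/krb5.conf Martin posted above, embedded so the
# checker runs offline. On a real client, use open("/etc/krb5.conf").read().
SAMPLE_KRB5_CONF = """\
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.DOMAIN.TEST
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  IPA.DOMAIN.TEST = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ipa.domain.test = IPA.DOMAIN.TEST
  ipa.domain.test = IPA.DOMAIN.TEST
  .example.com = IPA.DOMAIN.TEST
  example.com = IPA.DOMAIN.TEST
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser (hypothetical helper, not libkrb5's).

    Returns {section: {key: [values]}} with one level of `NAME = { ... }`
    nesting ({section: {NAME: {key: [values]}}}), which is all [realms] needs.
    Repeated keys (several `kdc =` lines) accumulate into the list. Comment
    lines and include/includedir are skipped; included files are not read, so
    whatever SSSD drops into krb5.include.d is invisible to this check.
    """
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("include"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, sub = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            continue
        if line == "}":
            sub = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            sub = section.setdefault(key, {})
        else:
            (sub if sub is not None else section).setdefault(key, []).append(value)
    return conf


def realm_for_host(conf, hostname):
    """Apply the [domain_realm] rules from krb5.conf(5): an entry without a
    leading dot matches exactly that host name, an entry with a leading dot
    matches every host under that domain; the exact name is tried first, then
    parent domains from longest to shortest. Returns None when nothing
    matches (libkrb5 would then fall back to DNS TXT lookups and KDC
    referrals, which this offline check does not model)."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


def kdc_lookup_plan(conf, realm):
    """Report how a KDC for `realm` will be located and what that depends on.

    Explicit `kdc =` entries under [realms] need no DNS at all. Without them,
    dns_lookup_kdc (true by default in MIT krb5) makes libkrb5 query the
    _kerberos._udp/_tcp.<REALM> SRV records, so a zone with no SRV records,
    which is what Vitaly describes, yields "Cannot resolve network address
    for KDC" until a kdc= line is present. Returns (method, targets).
    """
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs:
        return "static", list(kdcs)
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower()
    if flag in ("true", "yes", "1"):
        return "srv", ["_kerberos._udp.%s" % realm, "_kerberos._tcp.%s" % realm]
    return "none", []


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for host in ("client.example.com", "ipaclient.staging.example.com",
                 "server1.ipa.domain.test", "box.example.org"):
        print("%-32s -> %s" % (host, realm_for_host(conf, host)))
    print(kdc_lookup_plan(conf, conf["libdefaults"]["default_realm"][0]))
```

Feed it the real /etc/krb5.conf and the name SSSD uses (ipa_hostname) to confirm a host outside the IPA DNS domain still lands in the IPA realm; an unmapped host (None here) is the case where a mis-typed or missing .example.com entry sends authentication to the wrong realm. With no kdc= lines and no SRV records the plan comes back as "srv" against names that do not exist, which is the state the RHEL 5 client was in.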
