On 22.1.2015 10:44, [email protected] wrote: > Hi, > > Many thanks to everyone who offered advice on this. My problem appears to be > fixed. > > My solution was to change the TXT record defining the Kerberos realm to > ensure the realm name was in upper case, in quotes, and did not have a > trailing period: > _kerberos.my.domain. IN TXT "GRIDPP.RL.AC.UK" > > I'm not sure which of these changes was the critical one (maybe all!), but > the upshot is that I can now enrol clients using service discovery.
BTW new version of ipa-client-install will give you more specific error message if DNS realm and LDAP realm does not match. Petr^2 Spacek >> -----Original Message----- >> From: [email protected] [mailto:freeipa-users- >> [email protected]] On Behalf Of [email protected] >> Sent: 19 January 2015 15:54 >> To: [email protected] >> Subject: [Freeipa-users] Having trouble running FreeIPA with SRV records on >> externally managed DNS >> >> Hi all, >> >> I have successfully set up a test FreeIPA server and run it for a while, but >> the >> time has come to move towards a production service. I am currently running >> ipa-server version 3.0.0-25 on Scientific Linux 6.4 (if you don't know it, >> Scientific Linux is basically a rebuild of RedHat, much like CentOS). Yes, I >> know this is an older FreeIPA, but I am going through the path of least >> resistance given our site's current standard configuration. >> >> On our site there is a central DNS service and it is unlikely we will be >> allowed >> to run our own DNS service (other than as a slave/cacheing NS). >> >> I have been trying to set up SRV records for the FreeIPA server by providing >> the autogenerated zone file to our DNS manager, who has incorporated the >> configuration. When we deployed these changes, I used dig to confirm that >> SRV queries were giving appropriate responses, which they appear to be. >> >> I then tried setting up a client using ipa-client-install and got an error: >> >> Failed to verify that freeipa01.<munged.domain> is an IPA Server. >> This may mean that the remote server is not up or is not reachable due to >> network or firewall settings. >> >> The install worked on a client before deploying the SRV records, using >> manual specification of the server. I disabled iptables on the server to >> eliminate potential problems there, and got the same result. If we disable >> the SRV records, I am able to do the manual set-up again. >> >> So it looks like the problem is at the DNS end of things, so maybe our zone >> configuration is missing something. >> >> The zone config we currently have in place is as follows (we changed >> hostnames in the sample file to fqdns for this attempt, but the same >> symptoms came from bare hostnames)... >> >> ; ldap servers >> _ldap._tcp.my.domain. IN SRV 0 100 389 freeipa01.my.domain. >> ; >> ; kerberos realm >> _kerberos.my.domain. IN TXT my.domain. >> ; >> ; kerberos servers >> _kerberos._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. >> _kerberos._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. >> _kerberos-master._tcp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. >> _kerberos-master._udp.my.domain. IN SRV 0 100 88 freeipa01.my.domain. >> _kpasswd._tcp.my.domain. IN SRV 0 100 464 freeipa01.my.domain. >> _kpasswd._udp.my.domain. IN SRV 0 100 464 freeipa01.my.domain. >> ; >> ; ntp server >> _ntp._udp.my.domain. IN SRV 0 100 123 freeipa01.my.domain. >> >> >> ...So that is where I am. I was hoping that someone could give me a pointer >> or two as to how I might debug this problem and actually get service >> discovery working. >> >> Many thanks for reading this far! >> >> Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
