On Tue, Aug 15, 2017 at 10:05:50PM -0400, Alexandre Pitre wrote:
Hi Alexander,
You're correct, turns out I wasn't using the correct domain for the --domain parameter. I thought I was. Here's the command I used.
ipa-client-install -U -p admin -w Passw0rd! --enable-dns-updates --mkhomedir --domain=ipa.ad.com --realm=IPA.AD.COM --no-ntp --debug
All of my client hostnames are set as "hostname.domain.ad.com". I didn't know that this in itself was enough of a requirement to join them to FreeIPA. Of course, given that the domain is also present in FreeIPA and the AD trust has been established AFTER the domain was added to FreeIPA.
I haven't tested yet without the realm parameter. Is it possible that I don't need the --domain or --realm parameters? Does that require the creation of *_ldap._tcp.* SRV records in the domain.ad.com DNS zone?
Taken from the man page:
*When the client machine hostname is not in a subdomain of an IPA server, its domain can be passed with --domain https://www.mankier.com/1/ipa-client-install#--domain option. In that case, both SSSD and Kerberos components have the domain set in the configuration files and will use it to autodiscover IPA servers.*
That line misdirected me, not sure if that's my interpretation. Documentation could benefit from being clearer and having examples.
Since you had to deal with this kind of setup from a user perspective, would you mind proposing a better wording?
Setting krb5_auth_timeout to 120 seconds is also required in my environment as we're dealing with AD DCs spread all over the globe. To make Kerberos negotiation faster, I assume I could specify my AD.COM realm in /etc/krb5.conf with my local site AD DC?
Yes, currently this is needed. Using the 'site affinity' on the clients is on the roadmap, but not implemented yet.
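The configuration the thread ends on, written out as an added example (not from the thread and not generated by ipa-client-install or SSSD): the [realms] block that pins the trusted AD.COM realm to local-site DCs, next to the IPA domain section carrying the krb5_auth_timeout discussed above. Realm and domain names (IPA.AD.COM, ipa.ad.com, the client domain domain.ad.com) are the ones from the thread; the server and DC hostnames ipa1.ipa.ad.com, dc1.site1.ad.com, dc2.site1.ad.com and client1.domain.ad.com are assumed. The IPA.AD.COM block mirrors what ipa-client-install writes; the AD.COM block is the part you add by hand. Note also that the autodiscovery ipa-client-install performs looks up _ldap._tcp and _kerberos._tcp SRV records in the domain given by --domain (here ipa.ad.com, the IPA zone), not in the client host's own DNS zone, which is why passing the IPA domain matters when clients live under domain.ad.com.

```ini
# /etc/krb5.conf on an IPA client whose hostname is client1.domain.ad.com
# (assumed). Only the AD.COM realm block and the krb5_auth_timeout line in
# sssd.conf below are additions; the rest follows ipa-client-install's layout.
[libdefaults]
  default_realm = IPA.AD.COM
  dns_lookup_realm = false
  # DNS SRV lookup is used only for realms that have no explicit kdc entries
  # below, so listing KDCs for AD.COM disables SRV discovery for that realm.
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true

[realms]
  IPA.AD.COM = {
    kdc = ipa1.ipa.ad.com:88
    master_kdc = ipa1.ipa.ad.com:88
    admin_server = ipa1.ipa.ad.com:749
    default_domain = ipa.ad.com
  }
  # Added: trusted forest realm pinned to the DCs of the client's own AD site
  # (assumed names) instead of whichever DC a global SRV lookup returns.
  # KDCs are tried in the order listed.
  AD.COM = {
    kdc = dc1.site1.ad.com:88
    kdc = dc2.site1.ad.com:88
  }

[domain_realm]
  # The client hosts live under domain.ad.com but belong to the IPA realm,
  # so that domain must map to IPA.AD.COM explicitly; the longest matching
  # suffix wins.
  .domain.ad.com = IPA.AD.COM
  domain.ad.com = IPA.AD.COM
  .ipa.ad.com = IPA.AD.COM
  ipa.ad.com = IPA.AD.COM

# /etc/sssd/sssd.conf (excerpt): the IPA domain section ipa-client-install
# creates, with the timeout from the thread added.
[domain/ipa.ad.com]
  id_provider = ipa
  auth_provider = ipa
  access_provider = ipa
  chpass_provider = ipa
  ipa_domain = ipa.ad.com
  ipa_server = _srv_, ipa1.ipa.ad.com
  ipa_hostname = client1.domain.ad.com
  krb5_realm = IPA.AD.COM
  # Added: allow slow WAN round trips to distant AD DCs before giving up.
  krb5_auth_timeout = 120
```

To confirm which KDC an AD user's authentication actually reaches, run `KRB5_TRACE=/dev/stderr kinit user@AD.COM` on the client; the trace names each KDC tried in order. If it still shows a remote DC despite the [realms] entry, the SSSD Kerberos locator plugin is supplying its own KDC list from /var/lib/sss/pubconf/kdcinfo.AD.COM, which takes precedence over krb5.conf; setting `krb5_use_kdcinfo = false` in the sssd.conf domain section (and restarting sssd) makes libkrb5 fall back to the krb5.conf entries.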