I am trying to set up a small office of software developers with FreeIPA. My ipa-server-install fails with "DNS zone example.com. already exists in DNS and is handled by servers foo1.myisp.net...".
We do have basic hosted dns for our few public facing servers but I want to run an internal DNS on the LAN (and on the OpenVPN) to do name resolution. We don't currently have any AD or Kerberos, this is basically a new company with just a few people and a few workstations and will probably never grow very large without massive infrastructure changes that would be way out of scope for what I am trying to do.
I was going to set up the internal computers as workstation1.internal.mycompany.com, workstation2.internal.mycompany.com, etc. since my understanding is that I can't do it without a subdomain since the primary domain DNS server already exists.
I am putting this on a new server with a fresh install of CentOS 8. The ipa server is ipa.mycompany.com, or is it supposed to be ipa.internal.mycompany.com? I was trying to use all the defaults when calling ipa-server-install --setup-dns, but I don't really understand where to tell it about the subdomain.
None of the many tutorials I have read seem to deal with my use case even though it seems like something lots of people would want to do. Am I using the right tool for this job? Am I just not finding the right web page that makes it easy?
Can I run a small network with about 10 hosts and about 10 users on one freeipa host? I also have a separate box for pfsense/openvpn and maybe I could run a failover dns server on that, but I can't even get the main server running.
Thanks in advance for any help with this.
Hi,
On Tue, Oct 8, 2019 at 2:14 PM Jason Dunham via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> I am trying to set up a small office of software developers with FreeIPA. My ipa-server-install fails with "DNS zone example.com. already exists in DNS and is handled by servers foo1.myisp.net...".
> We do have basic hosted dns for our few public facing servers but I want to run an internal DNS on the LAN (and on the OpenVPN) to do name resolution. We don't currently have any AD or Kerberos, this is basically a new company with just a few people and a few workstations and will probably never grow very large without massive infrastructure changes that would be way out of scope for what I am trying to do.
> I was going to set up the internal computers as workstation1.internal.mycompany.com, workstation2.internal.mycompany.com, etc. since my understanding is that I can't do it without a subdomain since the primary domain DNS server already exists.
The understanding is right. Also having internal.mycompany.com for internal stuff and mycompany.com for public-facing stuff should prove less of a hassle to maintain in the long run.
> I am putting this on a new server with a fresh install of CentOS 8. The ipa server is ipa.mycompany.com, or is it supposed to be ipa.internal.mycompany.com?
I'd go for ipa0.internal.mycompany.com. Please set this as FQDN.
> I was trying to use all the defaults when calling ipa-server-install --setup-dns, but I don't really understand where to tell it about the subdomain.
--domain=domain_name but you probably don't need to specify it if you use ipa0.internal.mycompany.com as FQDN.
> None of the many tutorials I have read seem to deal with my use case even though it seems like something lots of people would want to do. Am I using the right tool for this job? Am I just not finding the right web page that makes it easy?
"# ipa-server-install -h", "Basic options". The above tool has a man page too.
> Can I run a small network with about 10 hosts and about 10 users on one freeipa host?
Yes, if the host fulfills the minimum requirements, see: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
If you can spare the RAM, 3-4GB will help. Make sure to have swap configured as well.
However having a single server is not resilient. Having a replica would help.
Best regards, François
> I also have a separate box for pfsense/openvpn and maybe I could run a failover dns server on that, but I can't even get the main server running.
> Thanks in advance for any help with this.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
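The advice above amounts to: pick an FQDN under the internal subdomain, and let the installer derive the domain and realm from it. The following added example (mine, not code from the thread or from the FreeIPA project) derives those defaults from an FQDN and checks that the derived domain is a strict subdomain of the public zone rather than the public zone itself, which is the collision behind the "DNS zone ... already exists in DNS" error in the original post. The public zone name and the forwarder address are assumed values; `--hostname`, `--domain`, `--realm`, `--forwarder` and `--setup-dns` are real ipa-server-install options.

```python
"""Added example (not code from the thread or from FreeIPA): derive the
domain and realm that ipa-server-install defaults to from the server's
FQDN, and refuse an FQDN whose parent domain is the externally hosted
public zone."""

from typing import List

# The externally hosted public zone: assumed value for this example.
PUBLIC_ZONE = "mycompany.com"


def derive_domain(fqdn: str) -> str:
    """ipa-server-install's default domain: the FQDN minus its first label."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"{fqdn!r} is not a fully qualified name")
    return ".".join(labels[1:])


def derive_realm(fqdn: str) -> str:
    """Default Kerberos realm: the domain name in upper case."""
    return derive_domain(fqdn).upper()


def is_internal_subdomain(fqdn: str, public_zone: str = PUBLIC_ZONE) -> bool:
    """True when the derived domain is a strict subdomain of public_zone.

    ipa.mycompany.com derives the domain mycompany.com, the zone the ISP's
    servers already serve; ipa0.internal.mycompany.com derives
    internal.mycompany.com, a new zone the IPA server can own itself.
    """
    domain = derive_domain(fqdn)
    public_zone = public_zone.rstrip(".").lower()
    return domain != public_zone and domain.endswith("." + public_zone)


def install_command(fqdn: str, forwarder: str) -> List[str]:
    """argv for ipa-server-install with the derived values made explicit.

    The forwarder (assumed address in the demo below) is where queries for
    names outside the internal zone are sent, so public names still
    resolve through the hosted DNS.
    """
    if not is_internal_subdomain(fqdn):
        raise ValueError(
            f"domain {derive_domain(fqdn)} would collide with the public zone"
        )
    return [
        "ipa-server-install",
        "--setup-dns",
        f"--hostname={fqdn}",
        f"--domain={derive_domain(fqdn)}",
        f"--realm={derive_realm(fqdn)}",
        f"--forwarder={forwarder}",
    ]


if __name__ == "__main__":
    for candidate in ("ipa.mycompany.com", "ipa0.internal.mycompany.com"):
        try:
            print(" ".join(install_command(candidate, "10.1.10.1")))
        except ValueError as err:
            print(f"{candidate}: refused ({err})")
```

Run it as a script to see the first candidate refused and the second turned into a full installer command line; the check is deliberately conservative and only accepts a name at least one label below the public zone.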
Okay I am making some progress with this, currently just trying to get one server running before I add any failover. Thanks for the help so far. Currently the freeipa server "ipa1" (ipa1.intra.example.com) seems to be working it can resolve hosts on the LAN either with a short hostname or a fqdn hostname.
[root@ipa1 ~]# nslookup
> frisell
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   frisell.intra.example.com
Address: 10.1.10.193
> frisell.intra.example.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   frisell.intra.example.com
Address: 10.1.10.193
==> so far so good. However on another computer on the network, the same thing doesn't work even though it is asking the same DNS server (10.1.10.15 = ipa1)
jdunham@mahavishnu:~$ nslookup
> ipa1
Server:         10.1.10.15
Address:        10.1.10.15#53

** server can't find ipa1: NXDOMAIN
> ipa.intra.example.com
Server:         10.1.10.15
Address:        10.1.10.15#53

** server can't find ipa.intra.example.com: NXDOMAIN
> ipa1.intra.example.com
Server:         10.1.10.15
Address:        10.1.10.15#53

Name:   ipa1.intra.example.com
Address: 10.1.10.15
> frisell
Server:         10.1.10.15
Address:        10.1.10.15#53

** server can't find frisell: NXDOMAIN
> frisell.intra.example.com
Server:         10.1.10.15
Address:        10.1.10.15#53

Name:   frisell.intra.example.com
Address: 10.1.10.193
Is this a client problem or a server problem?
My guess is that you have the domain "intra.example.com" listed in the "search" order found in /etc/resolv.conf on server ipa1 but not on server mahavishnu.
Regards, Angus

________________________________
From: Jason Dunham via FreeIPA-users freeipa-users@lists.fedorahosted.org
Sent: Thursday, 17 October 2019, 20:31
To: freeipa-users@lists.fedorahosted.org
Cc: Jason Dunham
Subject: [Freeipa-users] Re: FreeIPA new network with DNS
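The diagnosis above (a missing `search intra.example.com` line in /etc/resolv.conf on mahavishnu) explains every line of the nslookup output: the stub resolver expands a short name with the search list before it ever sends a query, so a host without a search entry sends the bare name "frisell" and the server correctly answers NXDOMAIN. The following added example (mine, not code from the thread) implements the glibc search-list expansion rules over two constructed resolv.conf files and a constructed zone holding the two addresses the thread shows; the resolv.conf contents are assumptions, since the thread does not show the real files.

```python
"""Added example (not code from the thread): why a short name resolves on
ipa1 but not on mahavishnu when both ask the same DNS server. The stub
resolver expands short names using the "search" list in /etc/resolv.conf
before sending a query; without a search entry the bare name goes out
and comes back NXDOMAIN."""

from typing import Dict, List, Optional

# Constructed resolv.conf contents for the two hosts (assumed; the thread
# does not show the actual files).
RESOLV_IPA1 = """\
# Generated by NetworkManager
search intra.example.com
nameserver 127.0.0.1
"""

RESOLV_MAHAVISHNU = """\
nameserver 10.1.10.15
"""

# Constructed zone data matching the answers shown in the thread.
ZONE: Dict[str, str] = {
    "frisell.intra.example.com": "10.1.10.193",
    "ipa1.intra.example.com": "10.1.10.15",
}


def parse_resolv_conf(text: str) -> dict:
    """Return the search list, nameservers and ndots from resolv.conf text."""
    conf: dict = {"search": [], "nameserver": [], "ndots": 1}
    for line in text.splitlines():
        # strip comments ('#' or ';') and blank lines
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key in ("search", "domain"):
            # "domain" is the older single-entry form of "search"
            conf["search"] = [a.rstrip(".").lower() for a in args]
        elif key == "nameserver":
            conf["nameserver"].extend(args)
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    return conf


def candidate_names(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Fully qualified names the stub resolver tries, in glibc order.

    A trailing dot disables search-list expansion. Otherwise a name with at
    least `ndots` dots is tried as-is first and then with each search domain
    appended; a name with fewer dots tries the search list first.
    """
    if name.endswith("."):
        return [name.rstrip(".").lower()]
    bare = name.lower()
    expanded = [f"{bare}.{d}" for d in search]
    if bare.count(".") >= ndots:
        return [bare] + expanded
    return expanded + [bare]


def lookup(name: str, resolv_conf: str, zone: Dict[str, str]) -> Optional[str]:
    """Resolve `name` the way a host with `resolv_conf` would, against `zone`.

    Returns the address, or None when every candidate yields NXDOMAIN.
    """
    conf = parse_resolv_conf(resolv_conf)
    for fqdn in candidate_names(name, conf["search"], conf["ndots"]):
        if fqdn in zone:
            return zone[fqdn]
    return None


if __name__ == "__main__":
    for host, conf in (("ipa1", RESOLV_IPA1), ("mahavishnu", RESOLV_MAHAVISHNU)):
        for query in ("frisell", "ipa1", "ipa.intra.example.com",
                      "frisell.intra.example.com"):
            addr = lookup(query, conf, ZONE)
            print(f"{host:<11} {query:<28} {addr or 'NXDOMAIN'}")
```

Running it reproduces the thread's pattern: short names resolve only for the host whose resolv.conf carries the search domain, fully qualified names resolve for both, and "ipa.intra.example.com" fails on both because the zone only holds "ipa1". The fix is therefore on the client (DHCP option 15 or `search intra.example.com` in its resolver configuration), not on the IPA server.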