Hi,
Is there a correct way to set up a public/private design using IPA for Kerberos? I am currently implementing Kerberos for our Hadoop cluster.
For communication between nodes, I use RFC 1918 addresses. This works properly, but adds complexity for FreeIPA.
Hosts have a public interface which they use for IPA. E.g. host/iictyibmls003.nix.infrabel.be@NIX.INFRABEL.BE (a 10.x.x.x IP).
For the private 172.16.x.x IPs, I made DNS zones (+reverse) as well, as Hadoop uses DNS a lot. (.local, in this case adapted to the location.) E.g. iictyibcls002.nix.infrabel.be.bdmzlocal. resolves to 172.16.2.2.
The problem: Hadoop now wants to create Kerberos service principals for the .local domain. I have searched the mailing list and other resources, but I am not sure what the proper 'IPA way' is.
Adding a principal alias does not work (as I expected): STDERR: ipa: ERROR: The host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not exist to add a service to. And if I try to add a host first, using correct DNS records (A and PTR), this still results in
2017-07-11 06:57:27,072 - Failed to create principal, HTTP/iictyibcls002.nix.infrabel.be.bdmzlocal@NIX.INFRABEL.BE - Failed to create service principal for HTTP/iictyibcls002.nix.infrabel.be.bdmzlocal@NIX.INFRABEL.BE STDOUT: STDERR: ipa: ERROR: Host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not have corresponding DNS A/AAAA record
Was there something about a (kadmin) override?
Thx a lot! Pieter
On Tue, 11 Jul 2017, Pieter Baele via FreeIPA-users wrote:
Make sure the DNS server used by the IPA master is able to resolve these hosts. The IPA framework doesn't use /etc/hosts but rather asks the DNS server to resolve the hostnames. If it gets an error, it means your DNS setup isn't valid. If you run the DNS component of FreeIPA and the actual DNS server for the bdmzlocal zone is different, create a forwarder.
Hi Alexander,
That's what bothered me. All DNS zones are on IPA. So why the error?
Forwarding is only for other domains, and the private 172.x addresses are only necessary on the IPA-joined hosts.
(However, what they call a multi-homed network design in Hadoop also complicates other things considerably from a management perspective, so probably I can't easily separate what may be kept internal from the client communication this way, so I will need to use a design with one network anyway.)
thx -- Pieter
On Tue, Jul 11, 2017 at 8:38 AM Alexander Bokovoy abokovoy@redhat.com wrote:
Make sure the DNS server used by the IPA master is able to resolve these hosts. The IPA framework doesn't use /etc/hosts but rather asks the DNS server to resolve the hostnames. If it gets an error, it means your DNS setup isn't valid. If you run the DNS component of FreeIPA and the actual DNS server for the bdmzlocal zone is different, create a forwarder.
-- / Alexander Bokovoy
On Tue, 11 Jul 2017, Pieter Baele wrote:
Hi Alexander,
That's what bothered me. All DNS zones are on IPA. So why the error?
Forwarding is only for other domains, and the private 172.x addresses are only necessary on the IPA-joined hosts.
(However, what they call a multi-homed network design in Hadoop also complicates other things considerably from a management perspective, so probably I can't easily separate what may be kept internal from the client communication this way, so I will need to use a design with one network anyway.)
Check the named logs to see whether there are issues with those queries. Check with 'dig' on the IPA master that it is indeed capable of resolving hostnames from that zone.
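The check Alexander asks for in both of his replies (make sure the DNS server the IPA master uses resolves the private names, then verify it with dig), as an added example that is not part of this thread and not FreeIPA's own code: a small Python pre-flight script that asks a nameserver directly through dig (because the IPA framework never reads /etc/hosts) for the A/AAAA record of each host name and for the PTR of every address it gets back, and reports the condition behind the "does not have corresponding DNS A/AAAA record" error from the original post plus forward/reverse mismatches. The IP addresses, the two extra names and the nameserver argument are made up; the table-backed lookup exists only so the script can be exercised offline.

```python
#!/usr/bin/env python3
"""Pre-flight DNS check for multi-homed hosts before `ipa host-add` / `ipa service-add`.

Added example, not FreeIPA code. It mirrors the condition behind
"ipa: ERROR: Host '...' does not have corresponding DNS A/AAAA record":
the IPA framework asks its DNS server (never /etc/hosts) for the host's
A/AAAA record before it will create a service principal. The PTR check is
an extra sanity test for the multi-homed case, where one machine has a
10.x.x.x name and a 172.16.x.x name in different zones.
"""
import ipaddress
import subprocess
from typing import Callable, Dict, List, Tuple

# A lookup takes (record type, owner name) and returns the answer strings.
Lookup = Callable[[str, str], List[str]]


def dig_lookup(server: str) -> Lookup:
    """Lookup that queries `server` directly with dig, bypassing /etc/hosts.

    Use the IPA master's own DNS address here (127.0.0.1 on a master that
    runs the integrated named), since that is what the IPA framework resolves through.
    """
    def lookup(qtype: str, name: str) -> List[str]:
        proc = subprocess.run(
            ["dig", "@" + server, "+short", "+tries=1", "+time=3", name, qtype],
            capture_output=True, text=True, check=False,
        )
        return [line.strip() for line in proc.stdout.splitlines() if line.strip()]
    return lookup


def table_lookup(zone: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Lookup backed by an in-memory table, for offline runs and tests."""
    return lambda qtype, name: list(zone.get((qtype, name.rstrip(".").lower()), []))


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_host(fqdn: str, lookup: Lookup) -> Dict[str, object]:
    """Resolve fqdn forward and reverse; list what IPA (or a Kerberos client) would trip on."""
    fqdn = fqdn.rstrip(".").lower()
    problems: List[str] = []
    answers = lookup("A", fqdn) + lookup("AAAA", fqdn)
    # dig +short also prints CNAME targets on the way to an address; keep only addresses.
    addrs = [a for a in answers if _is_ip(a)]
    if not addrs:
        problems.append("no A/AAAA record")  # the condition behind the error in the thread
    for addr in addrs:
        rev = ipaddress.ip_address(addr).reverse_pointer  # e.g. 2.2.16.172.in-addr.arpa
        ptrs = [p.rstrip(".").lower() for p in lookup("PTR", rev)]
        if not ptrs:
            problems.append(f"{addr}: no PTR record")
        elif fqdn not in ptrs:
            problems.append(f"{addr}: PTR is {', '.join(ptrs)}, not {fqdn}")
    return {"fqdn": fqdn, "addresses": addrs, "problems": problems}


def check_hosts(fqdns: List[str], lookup: Lookup) -> List[Dict[str, object]]:
    return [check_host(f, lookup) for f in fqdns]


# Constructed sample zone data: the addresses and the two extra names are made up.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("A", "iictyibcls002.nix.infrabel.be"): ["10.0.0.2"],
    ("PTR", "2.0.0.10.in-addr.arpa"): ["iictyibcls002.nix.infrabel.be."],
    ("A", "iictyibcls002.nix.infrabel.be.bdmzlocal"): ["172.16.2.2"],
    ("PTR", "2.2.16.172.in-addr.arpa"): ["iictyibcls002.nix.infrabel.be.bdmzlocal."],
    ("A", "badptr.nix.infrabel.be.bdmzlocal"): ["172.16.2.9"],
    ("PTR", "9.2.16.172.in-addr.arpa"): ["iictyibcls009.nix.infrabel.be."],
    # "orphan.nix.infrabel.be.bdmzlocal" deliberately has no record at all
}


if __name__ == "__main__":
    import sys
    # usage: dns_preflight.py <dns-server-ip> fqdn [fqdn ...]   (no args: run against SAMPLE_ZONE)
    if len(sys.argv) >= 3:
        lookup, names = dig_lookup(sys.argv[1]), sys.argv[2:]
    else:
        lookup = table_lookup(SAMPLE_ZONE)
        names = [n for t, n in SAMPLE_ZONE if t == "A"] + ["orphan.nix.infrabel.be.bdmzlocal"]
    for result in check_hosts(names, lookup):
        status = "OK " if not result["problems"] else "BAD"
        print(status, result["fqdn"], ",".join(result["addresses"]), "; ".join(result["problems"]))
```

Run it on the IPA master against its own named before adding anything, e.g. `python3 dns_preflight.py 127.0.0.1 iictyibcls002.nix.infrabel.be iictyibcls002.nix.infrabel.be.bdmzlocal`; only once both names come back OK is `ipa host-add` followed by `ipa service-add HTTP/...` expected to succeed. `ipa service-add --force` skips the A/AAAA check on the IPA side, but that only silences the error: the KDC will issue tickets for the principal while Hadoop clients that cannot resolve the .bdmzlocal name still fail, so fixing the zone (or the forwarder) is the better route.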
freeipa-users@lists.fedorahosted.org