I am running into an issue with FreeIPA and DNS. Perhaps, you guys could point me to a better realm/domain solution.
- I run a private DNS zone on AWS, called "int.example.com" (with PTR and SRV records, etc.)
- I have 3 master-master-master IPAs called ipa1, ipa2, and ipa3 (xxx.int.example.com)
- Realm is EXAMPLE.COM
- Domain is example.com
- example.com records are hosted in a different service (i.e. hover or godaddy)
When I try to install a client I get:
Discovery was successful!
Client hostname: ipaclient.int.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa2.int.example.com
BaseDN: dc=example,dc=com
…
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
...
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://ipa2.int.example.com/ipa/json
Traceback (most recent call last):
  File "/sbin/ipa-client-install", line 3128, in <module>
    sys.exit(main())
  ...
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in create_connection
    raise errors.KerberosError(message=unicode(krberr))
ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "EXAMPLE.COM"
Any idea how I can overcome this issue?
I would like my LDAP basedn to be dc=example,dc=com. I don't want it to take the value of dc=int,dc=example,dc=com if I used the private domain int.example.com instead of example.com.
I was thinking of using a private zone for just example.com instead of int.example.com, but I will have issues since my TLD is on an external service (i.e. hover.com). In this case, I wouldn't be able to resolve test.example.com within the private zone since AWS Route53 wouldn't resolve outside the zone. I would need to install a DNS forwarder somewhere else and I don't want to manage it.
I can manually install the client and specify the domain and realm fine, but I am unable to use DNS SRV records for failover if ipa1 goes down, for example. Clients are unable to log in with a similar KDC error. And even installing is causing issues, as the output shows "Cannot find KDC for realm..."
Any recommendation or help would be appreciated. I am not sure what is the best solution.
On Fri, 15 Sep 2017, Wanderley Teixeira via FreeIPA-users wrote:
> I am running into an issue with FreeIPA and DNS. Perhaps, you guys could point me to a better realm/domain solution.
> - I run a private DNS zone on AWS, called "int.example.com" (with PTR and SRV records, etc.)
> - I have 3 master-master-master IPAs called ipa1, ipa2, and ipa3 (xxx.int.example.com)
> - Realm is EXAMPLE.COM
> - Domain is example.com
> - example.com records are hosted in a different service (i.e. hover or godaddy)
> When I try to install a client I get:
> Discovery was successful!
> Client hostname: ipaclient.int.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: ipa2.int.example.com
> BaseDN: dc=example,dc=com
> …
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> ...
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> trying https://ipa2.int.example.com/ipa/json
> Traceback (most recent call last):
>   File "/sbin/ipa-client-install", line 3128, in <module>
>     sys.exit(main())
>   ...
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in create_connection
>     raise errors.KerberosError(message=unicode(krberr))
> ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639066): Cannot find KDC for realm "EXAMPLE.COM"
> Any idea how I can overcome this issue?
Add SRV records _kerberos._tcp.example.com and _kerberos._udp.example.com in the external DNS to point to your servers in int.example.com.
> I would like my LDAP basedn to be dc=example,dc=com. I don't want it to take the value of dc=int,dc=example,dc=com if I used the private domain int.example.com instead of example.com.
> I was thinking of using a private zone for just example.com instead of int.example.com, but I will have issues since my TLD is on an external service (i.e. hover.com). In this case, I wouldn't be able to resolve test.example.com within the private zone since AWS Route53 wouldn't resolve outside the zone. I would need to install a DNS forwarder somewhere else and I don't want to manage it.
Your clients will be resolving whatever records the DNS server returns. External or internal does not matter, since the DNS server does not resolve those records for you; it just returns their content.
> I can manually install the client and specify the domain and realm fine, but I am unable to use DNS SRV records for failover if ipa1 goes down, for example. Clients are unable to log in with a similar KDC error. And even installing is causing issues, as the output shows "Cannot find KDC for realm..."
The "cannot find KDC for realm" error comes from the fact that it cannot resolve those SRV records from the example.com DNS domain because it couldn't find any other way to find KDCs. Since this is happening at install time, you cannot use krb5.conf's means to map DNS domains to realms and say how to discover KDCs.
So just add the required DNS SRV records. You can get a proper list of them from

    ipa dns-update-system-records --dry-run

This will show you the full list of system records IPA expects to exist. It is a command that exists in FreeIPA 4.4+, I think.
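As an added example (not code from the thread or from FreeIPA), a small Python check that performs the SRV lookups Kerberos and ipa-client-install make under the realm's DNS domain and flags records that are missing, carry the wrong port, or point at a host other than the IPA servers. The set of expected record names, the `dig`-based resolver and the host names are assumptions; the sample zone is constructed to mirror the setup above, with records under int.example.com only.

```python
import subprocess

# SRV names FreeIPA publishes under a domain and the port each must carry
# (assumed standard set; confirm with `ipa dns-update-system-records --dry-run`).
EXPECTED_SRV = {
    "_kerberos._udp": 88, "_kerberos._tcp": 88,
    "_kerberos-master._udp": 88, "_kerberos-master._tcp": 88,
    "_kpasswd._udp": 464, "_kpasswd._tcp": 464,
    "_ldap._tcp": 389,
}

def dig_lookup(name):
    """Live SRV lookup via `dig +short` (needs dig on PATH): (prio, weight, port, target)."""
    out = subprocess.run(["dig", "+short", "SRV", name],
                         capture_output=True, text=True, check=False).stdout
    recs = []
    for line in out.splitlines():
        prio, weight, port, target = line.split()
        recs.append((int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return recs

def check_srv(domain, ipa_servers, lookup=dig_lookup):
    """Return {srv_name: problem} for `domain`; {} means every expected record
    exists, carries the right port and points at a known IPA server."""
    servers = {s.rstrip(".").lower() for s in ipa_servers}
    problems = {}
    for svc, port in EXPECTED_SRV.items():
        name = f"{svc}.{domain}"
        recs = lookup(name)
        if not recs:
            problems[name] = "missing"
            continue
        bad = [f"{t}:{p}" for _, _, p, t in recs if t not in servers or p != port]
        if bad:
            problems[name] = "unexpected target/port " + ", ".join(bad)
    return problems

# Constructed sample zone mirroring the thread: the records exist under
# int.example.com only, nothing is published under example.com.
IPA_SERVERS = ["ipa1.int.example.com", "ipa2.int.example.com", "ipa3.int.example.com"]
SAMPLE_ZONE = {f"{svc}.int.example.com": [(0, 100, port, s) for s in IPA_SERVERS]
               for svc, port in EXPECTED_SRV.items()}

def sample_lookup(name):
    """Offline stand-in for dig_lookup that serves SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name.rstrip(".").lower(), [])

if __name__ == "__main__":
    for domain in ("int.example.com", "example.com"):
        print(domain, check_srv(domain, IPA_SERVERS, sample_lookup) or "OK")
```

Run against live DNS with `check_srv("example.com", IPA_SERVERS)` once the external records are published; every entry should disappear from the result.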
freeipa-users@lists.fedorahosted.org