On Thu, 29 Apr 2021, iulian roman via FreeIPA-users wrote:
I have set up an IdM environment with a replica and AD trust. I have the following
realms and domains:

IPADEV.EXAMPLE.LOCAL is the IPA realm with the domain ipadev.example.local
EXAMPLE.LOCAL is the AD realm with dns domain example.local

All the clients have the DNS domain example.local and are/will be enrolled to 
the IPA domain.

On the IPA servers I had the following entries (added by the installation
process) in /etc/krb5.conf:
server
=====
[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
.example.local = IPADEV.EXAMPLE.LOCAL
example.local = IPADEV.EXAMPLE.LOCAL
.example.local = IPADEV.EXAMPLE.LOCAL
example.local = IPADEV.EXAMPLE.LOCAL

client
====
[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev02.example.local = IPADEV.EXAMPLE.LOCAL
.example.local = IPADEV.EXAMPLE.LOCAL
example.local = IPADEV.EXAMPLE.LOCAL

Because of various issues (either replication did not work, or clients
could not query AD), I had removed entries from the server config
(at some point I had .example.local = EXAMPLE.LOCAL but that broke the
replication between the IPA servers) and now it looks like this:

[domain_realm]
.ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev.example.local = IPADEV.EXAMPLE.LOCAL
ipadev04.example.local = IPADEV.EXAMPLE.LOCAL

My question is: what should the [domain_realm] section of
/etc/krb5.conf look like on both the IPA server and the IPA client? Is
dns_lookup_realm = true and dns_lookup_kdc = true enough in the
[libdefaults] section, or should these realms be explicitly added? What
are the tradeoffs of not using them?

First, to make it clear: you should not have IPA servers (replicas) in
.example.local. If you do, this is an unsupported configuration and any
bugs you see there are your own problem. There is simply no way to
support servers from two separate Kerberos realms trusting each other in
the same DNS domain.

The configuration for IPA clients in .example.local is described in the
FreeIPA wiki page you already referred to in this thread. Anything
deviating from it would cause issues, as you are witnessing already.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
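The thread turns on how libkrb5 picks a realm for a host name from [domain_realm], and why no single suffix rule can serve both an IPA replica and AD hosts that live in example.local. The script below is a worked example added here; it is not code from the thread, from FreeIPA or from MIT Kerberos. It replays the [domain_realm] sections posted above (the server one, duplicated lines included, and the .example.local = EXAMPLE.LOCAL variant the poster tried) through the lookup order documented for MIT krb5's [domain_realm] section (exact host name first, then each parent domain, an explicit dotted entry taking precedence over the undotted one) and reports which host ends up in the wrong realm. The name dc01.example.local is an assumed AD domain controller; the third, per-host configuration is constructed only to show that nothing but an exact host tag overrides a suffix tag, and says nothing about whether such a layout is supported (per the reply above, a replica in .example.local is not).

```python
"""Resolve krb5.conf [domain_realm] lookups the way libkrb5 does and flag the
conflict that appears when hosts of two Kerberos realms share one DNS domain.

Lookup order follows the MIT krb5.conf documentation: exact host name first,
then each parent domain, an explicit dotted tag (.example.local) winning over
the undotted one (example.local).  dc01.example.local is an assumed AD DC.
"""

# Constructed from the server [domain_realm] posted in the thread, duplicates
# included; the [libdefaults] block is there only to show it is skipped.
SERVER_KRB5_CONF = """\
[libdefaults]
  default_realm = IPADEV.EXAMPLE.LOCAL

[domain_realm]
  .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
  .example.local = IPADEV.EXAMPLE.LOCAL
  example.local = IPADEV.EXAMPLE.LOCAL
  .example.local = IPADEV.EXAMPLE.LOCAL
  example.local = IPADEV.EXAMPLE.LOCAL
"""

# The variant the poster tried: AD suffix mapped to the AD realm, no host entry.
AD_SUFFIX_KRB5_CONF = """\
[domain_realm]
  .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  .example.local = EXAMPLE.LOCAL
"""

# Same plus an exact host tag for the replica (constructed, resolution demo only).
PER_HOST_KRB5_CONF = AD_SUFFIX_KRB5_CONF + "  ipadev04.example.local = IPADEV.EXAMPLE.LOCAL\n"

# Realm each host really belongs to.
EXPECTED_REALMS = {
    "ipadev04.example.local": "IPADEV.EXAMPLE.LOCAL",  # IPA replica in the AD DNS domain
    "dc01.example.local": "EXAMPLE.LOCAL",             # assumed AD domain controller
}


def parse_domain_realm(text):
    """Return (mappings, duplicates) for the [domain_realm] section.

    The first occurrence of a tag wins, as with libkrb5's profile lookup;
    later repeats are returned as (tag, first_value, repeated_value).
    """
    mappings, duplicates, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "domain_realm" or "=" not in line:
            continue
        tag, _, value = line.partition("=")
        tag, value = tag.strip().lower(), value.strip()
        if tag in mappings:
            duplicates.append((tag, mappings[tag], value))
        else:
            mappings[tag] = value
    return mappings, duplicates


def host_realm(mappings, hostname):
    """Return (realm, matched_tag), or (None, None) when no tag applies and
    libkrb5 would fall back to DNS (dns_lookup_realm) or default_realm."""
    host = hostname.lower().rstrip(".")
    if host in mappings:
        return mappings[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for tag in ("." + parent, parent):  # explicit dotted tag wins
            if tag in mappings:
                return mappings[tag], tag
    return None, None


def audit(text, expected=EXPECTED_REALMS):
    """List (host, wanted_realm, resolved_realm, matched_tag) for every host
    that resolves to the wrong realm or to no realm at all."""
    mappings, _ = parse_domain_realm(text)
    problems = []
    for host, want in expected.items():
        realm, tag = host_realm(mappings, host)
        if realm != want:
            problems.append((host, want, realm, tag))
    return problems


if __name__ == "__main__":
    for tag, first, again in parse_domain_realm(SERVER_KRB5_CONF)[1]:
        print(f"duplicate tag {tag}: first={first}, repeated={again}")
    for name, conf in (("as posted", SERVER_KRB5_CONF),
                       ("AD suffix", AD_SUFFIX_KRB5_CONF),
                       ("per-host", PER_HOST_KRB5_CONF)):
        problems = audit(conf)
        print(f"[{name}] {len(problems)} mis-mapped host(s)")
        for host, want, got, tag in problems:
            print(f"  {host}: wanted {want}, resolved {got} via {tag}")
```

Run it and the two failure modes from the thread fall out of the lookup order: with .example.local pointed at IPADEV.EXAMPLE.LOCAL every AD host in example.local is treated as an IPA host, and with .example.local pointed at EXAMPLE.LOCAL the replica itself is treated as an AD host unless it has its own exact host tag. With only the three ipadev entries that the poster kept, both hosts resolve to no tag at all and libkrb5 falls back to DNS, which is why dns_lookup_realm matters in that layout.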
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure