Hi, I am able to configure FreeIPA with an internal DNS which is located on a different server, and I added DNS records under the DNS zone file. Now I have created a user and am able to communicate from localhost to the IPA client, both key based and password based.

*Issue:* Not able to ssh from client A --> to client B via key based authentication; it's prompting for a password. But if I use the hostname rather than the IP I am able to login. But most of the time I use the IP only to communicate.

Trick: If I add ssh-add <Keypath /rsa_pub> and then cache with -A, then I am able to communicate with the IP as well, and I can jump to any client from local. But it's a trick; it got worked, but I would like to know where I can fix this to work properly. Rather than doing this trick, how can I jump from one client to another without using password based authentication? Please let me know where I need to change configuration to work smoothly.

_kerberos-master._tcp.test-local.com. 3600 IN SRV 0 100 88 ipa1-mum1.test-local.com.
_kerberos-master._udp.test-local.com. 3600 IN SRV 0 100 88 ipa1-mum1.test-local.com.
_kerberos._tcp.test-local.com. 3600 IN SRV 0 100 88 ipa1-mum1.test-local.com .
_kerberos._udp.test-local.com. 3600 IN SRV 0 100 88 ipa1-mum1.test-local.com .
_kerberos.test-local.com. 3600 IN TXT "ALPHA-GREP.COM"
_kerberos.test-local.com. 3600 IN URI 0 100 "krb5srv:m:tcp: ipa1-mum1.test-local.com."
_kerberos.test-local.com. 3600 IN URI 0 100 "krb5srv:m:udp: ipa1-mum1.test-local.com."
_kpasswd._tcp.test-local.com. 3600 IN SRV 0 100 464 ipa1-mum1.test-local.com .
_kpasswd._udp.test-local.com. 3600 IN SRV 0 100 464 ipa1-mum1.test-local.com .
_kpasswd.test-local.com. 3600 IN URI 0 100 "krb5srv:m:tcp: ipa1-mum1.test-local.com."
_kpasswd.test-local.com. 3600 IN URI 0 100 "krb5srv:m:udp: ipa1-mum1.test-local.com."
_ldap._tcp.test-local.com. 3600 IN SRV 0 100 389 ipa1-mum1.test-local.com.

On Fri, Sep 1, 2023 at 12:17 PM Pradeep KNS <kns.prad...@alpha-grep.com> wrote:
> Thanks a lot, will try it.
>
> On Thu, Aug 31, 2023 at 10:40 AM Yavor Marinov <ymari...@gmail.com> wrote:
>
>> Hey guys,
>>
>> I would suggest an easier and quite simple method: create a subdomain in your current DNS, and describe its NSes to point to FreeIPA's DNSes. Configure FreeIPA with a subdomain instead of the domain, and if you need to, create forwarding rules in FreeIPA to use your main DNS as a forwarder. Additionally, newly added infra can be just CNAME-ed into your main DNS with specifics (or even an A record). Offering this because in our current infra we are using Google's DNS for the domain, and our centralized login can be used with both the domain and the subdomain. The only "frustrating" thing is that I need to change the client's DNS (e.g. resolv.conf) when I'm enrolling them, to point to FreeIPA and be able to properly enroll their DNS records into FreeIPA.
>>
>> ~br
>>
>> On Wed, Aug 30, 2023 at 11:26 PM Rafael Jeffman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>>
>>> Hi Pradeep,
>>>
>>> On Wed, Aug 30, 2023 at 3:27 PM Pradeep KNS via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>>> >
>>> > Hi Rob,
>>> >
>>> > Thank you for your valuable insights on FreeIPA and DNS. I have an existing internal DNS server that I would like to integrate with FreeIPA's DNS feature. As I understand it, FreeIPA can serve as an integrated DNS solution. However, I would like to ensure that my existing internal DNS infrastructure is utilized alongside FreeIPA's DNS capabilities.
>>> >
>>> > Could you provide guidance on how to configure FreeIPA to work with my internal DNS server? Specifically, I'd like to achieve the following:
>>> >
>>> > Use FreeIPA for centralized user authentication and management.
>>>
>>> That would be just setting up FreeIPA and maintaining correct DNS records, so I won't jump into this one.
>>>
>>> > Integrate my existing internal DNS server with FreeIPA's DNS, so I can manage internal DNS records within FreeIPA while maintaining the internal DNS functionality.
>>> >
>>>
>>> The short answer is: you can't.
>>>
>>> The longer answer might provide a way to almost have what you want.
>>>
>>> FreeIPA's embedded nameserver has to be authoritative, and you can only manage its records, not the ones on your current DNS infrastructure.
>>>
>>> To change DNS management to FreeIPA you'd have to set your internal DNS nameserver to be a secondary nameserver, and configure FreeIPA's nameserver to notify the internal nameserver of changes. It's doable, but I would not recommend doing so.
>>>
>>> Another possibility is to change the DNS infrastructure to use FreeIPA instead of the current nameserver.
>>>
>>> If you can manage your internal zones with the limitations that FreeIPA's nameserver has (e.g. split-view is not supported), then you could plan on retiring the current nameserver in favor of the FreeIPA one. With replicas you can also get redundancy on the nameservers.
>>>
>>> If your current nameserver is exposed to the world, again, I'd suggest against this move.
>>>
>>> Bottom line, either use your current DNS infrastructure or fully migrate to FreeIPA.
>>>
>>> Rafael
>>>
>>> > I want to avoid any conflicts between FreeIPA's DNS and my existing internal DNS server. Your expertise in this matter would greatly assist me in achieving a successful and well-integrated DNS solution.
>>> >
>>> > Thank you for your time and support.
>>> >
>>> >
>>> > On Wed, Aug 30, 2023 at 6:34 PM Rob Crittenden <rcrit...@redhat.com> wrote:
>>> >>
>>> >> Pradeep KNS via FreeIPA-users wrote:
>>> >> > Hello Team,
>>> >> >
>>> >> > While setting up FreeIPA in my Linux infrastructure, I noticed a strange warning. I would like to clarify before rolling into production.
>>> >> >
>>> >> > DNS zone alpha-grep.com. already exists in DNS and is handled by server(s): ['ns2.', 'ns1.'] Please make sure that the domain is properly delegated to this IPA server.
>>> >> >
>>> >> > The detailed installation log I have uploaded at this link. Please suggest whether it will be any security flaw in future, before installing it on production.
>>> >> >
>>> >> > https://bpa.st/AMITK
>>> >>
>>> >> I'm not sure what security issue you are worried about but you explicitly allow this configuration with the --allow-zone-overlap install option.
>>> >>
>>> >> Your domain DNS is managed externally and you've installed a DNS server to be authoritative for the same domain. If you want to expose your IPA DNS to the Internet you'll need to repoint the nameservers on your domain to your IPA host.
>>> >>
>>> >> If what you're hoping to do is provide views, to limit what hosts are resolvable depending on where the request is coming from, that is not available in IPA. While IPA uses bind under the hood not all capabilities are exposed.
>>> >>
>>> >> So whether this configuration is acceptable or not is up to you.
>>> >>
>>> >> rob
>>> >>
>>>
>>> --
>>> Rafael Guterres Jeffman
>>> Senior Software Engineer
>>> FreeIPA - Red Hat
>>

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
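An added example, written for this page and not code from FreeIPA or from any of the posters: a small checker for the Kerberos and LDAP discovery records pasted at the top of the thread. Before looking at SSH client settings, a practitioner would want to confirm that the `_kerberos`, `_kpasswd` and `_ldap` SRV/URI records are well formed, since IPA-enrolled clients locate the KDC and the kpasswd service through them. The checker assumes BIND-style one-record-per-line zone syntax (owner, TTL, class, type, RDATA), the RFC 2782 SRV layout of exactly four RDATA fields, and the `krb5srv:<flags>:<transport>:<host>` form for the URI target with no embedded whitespace. The sample input is the poster's records copied as they appear in the message, so any stray whitespace that crept in when the post was pasted (for example a target split as `...com .`) is reported as a finding rather than silently accepted; the expected ports come from the standard Kerberos (88), kpasswd (464) and LDAP (389) assignments.

```python
"""Structural sanity check for Kerberos/LDAP discovery records (added example)."""
import shlex

# Records copied from the post above; constructed test input for this example.
# Hostnames and realm are the poster's and are not known to be correct.
SAMPLE_ZONE = """\
_kerberos-master._tcp.test-local.com. 3600 IN SRV 0 100 88 ipa1-mum1.test-local.com.
_kerberos-master._udp.test-local.com. 3600 IN SRV 0 100 88 ipa1-mum1.test-local.com.
_kerberos._tcp.test-local.com. 3600 IN SRV 0 100 88 ipa1-mum1.test-local.com .
_kerberos._udp.test-local.com. 3600 IN SRV 0 100 88 ipa1-mum1.test-local.com .
_kerberos.test-local.com. 3600 IN TXT "ALPHA-GREP.COM"
_kerberos.test-local.com. 3600 IN URI 0 100 "krb5srv:m:tcp: ipa1-mum1.test-local.com."
_kerberos.test-local.com. 3600 IN URI 0 100 "krb5srv:m:udp: ipa1-mum1.test-local.com."
_kpasswd._tcp.test-local.com. 3600 IN SRV 0 100 464 ipa1-mum1.test-local.com .
_kpasswd._udp.test-local.com. 3600 IN SRV 0 100 464 ipa1-mum1.test-local.com .
_kpasswd.test-local.com. 3600 IN URI 0 100 "krb5srv:m:tcp: ipa1-mum1.test-local.com."
_kpasswd.test-local.com. 3600 IN URI 0 100 "krb5srv:m:udp: ipa1-mum1.test-local.com."
_ldap._tcp.test-local.com. 3600 IN SRV 0 100 389 ipa1-mum1.test-local.com.
"""

# Port each service-discovery owner prefix is expected to advertise (assumed
# standard assignments: Kerberos 88, kpasswd 464, LDAP 389).
EXPECTED_PORTS = {
    "_kerberos-master._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
    "_ldap._tcp": 389,
}


def parse_record(line):
    """Split one zone-file line into (owner, ttl, class, type, rdata_fields).

    shlex keeps quoted TXT/URI strings together as a single field.
    """
    tokens = shlex.split(line)
    if len(tokens) < 5:
        raise ValueError(f"too few fields: {line!r}")
    owner, ttl, rclass, rtype = tokens[:4]
    return owner, int(ttl), rclass.upper(), rtype.upper(), tokens[4:]


def check_srv(owner, rdata):
    """Validate SRV RDATA: priority weight port target, target fully qualified."""
    findings = []
    if len(rdata) != 4:
        findings.append(
            f"{owner}: SRV needs 4 RDATA fields (priority weight port target), "
            f"got {len(rdata)}: {' '.join(rdata)!r}; check for stray whitespace"
        )
        return findings
    priority, weight, port, target = rdata
    if not (priority.isdigit() and weight.isdigit() and port.isdigit()):
        findings.append(f"{owner}: priority, weight and port must be integers")
        return findings
    # Service prefix is the first two labels, e.g. "_kerberos._tcp".
    service = ".".join(owner.split(".")[:2])
    expected = EXPECTED_PORTS.get(service)
    if expected is not None and int(port) != expected:
        findings.append(f"{owner}: port {port}, expected {expected} for {service}")
    if not target.endswith("."):
        findings.append(f"{owner}: target {target!r} is not a fully-qualified name ending in '.'")
    return findings


def check_uri(owner, rdata):
    """Validate URI RDATA: priority weight "krb5srv:flags:transport:host"."""
    findings = []
    if len(rdata) != 3:
        findings.append(f"{owner}: URI needs 3 RDATA fields (priority weight target), got {len(rdata)}")
        return findings
    target = rdata[2]
    if not target.startswith("krb5srv:"):
        findings.append(f"{owner}: URI target {target!r} does not use the krb5srv: scheme")
    if any(ch.isspace() for ch in target):
        findings.append(
            f"{owner}: URI target {target!r} contains whitespace; "
            "expected krb5srv:<flags>:<transport>:<host>"
        )
    return findings


def audit_zone(text):
    """Return a list of human-readable findings for the given zone-file text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or zone-file comment
        owner, _ttl, rclass, rtype, rdata = parse_record(line)
        if rclass != "IN":
            findings.append(f"{owner}: unexpected class {rclass}")
        if rtype == "SRV":
            findings.extend(check_srv(owner, rdata))
        elif rtype == "URI":
            findings.extend(check_uri(owner, rdata))
        # TXT (_kerberos realm hint) only needs to parse; no structural check.
    return findings


if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE):
        print(finding)
```

Run it against a zone dump (`dig AXFR` output or the zone file itself) and fix every line it reports before chasing client-side behaviour; a clean run only tells you the records are structurally sound, not that the names they point at resolve or that the KDC answers on them.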