On Wed, 2012-08-08 at 12:16 -0700, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce <s...@redhat.com> wrote:
> > On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
> > > -I'm going to set up the IPA server with a new realm;
> > > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
> > > up there for that? If so, what?)
> >
> > If your DNS people want to manually manage DNS for you then they need to
> > create the unix.mydomain.com zone and manually create SRV and TXT
> > records for kerberos and ldap IPA servers.
>
> Is there a doc that explains what those SRV and TXT records need to look like?

When you install freeipa it will generate a zone file if DNS is not
installed as well, that's probably the most complete example.

> > > -I'm going to try registering testserver.mycompany.com server as part
> > > of the UNIX.MYCOMPANY.COM realm.
> > >
> > > Sound reasonable and/or sane? :-)
> >
> > for the ipa server it should be in the unix.mydomain.com DNS zone to be
> > useful.
>
> The IPA server needs to be part of the unix.mycompany.com domain,
> then, and the IPA clients do not?

The simplest setup is when all clients are part of the same DNS zone
which is not shared with an AD setup.

Unlike AD we do not force all clients to be positioned in the same DNS
zone, however if you have clients not belonging to the same DNS domain
you may have to change the krb5.conf file on all members of the realm to
add additional [domain_realm] mappings so that you can tell that clients
in zone foo.net are also to be looked for in the UNIX.MYDOMAIN.COM realm
and its KDC.

We are going to make it simpler to add these domains centrally in
FreeIPA and have SSSD automatically provide these mappings on all
clients, but this work is being done in v 3.0. For now it needs to be
manually configured on each client.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
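
Added example (not part of the original message and not FreeIPA or Kerberos library code): a simplified Python model of how a [domain_realm] section maps client host names to a realm, usable to list clients in another DNS zone that still lack a mapping. The krb5.conf text and host names are constructed samples, and the lookup order (exact host entry, then the nearest parent ".domain" entry) is a simplification of the library's behaviour.

```python
# Added example: simplified model of [domain_realm] host-to-realm lookup.
# The krb5.conf text and host names below are constructed samples.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = UNIX.MYDOMAIN.COM

[domain_realm]
 .unix.mydomain.com = UNIX.MYDOMAIN.COM
 unix.mydomain.com = UNIX.MYDOMAIN.COM
 .foo.net = UNIX.MYDOMAIN.COM
 foo.net = UNIX.MYDOMAIN.COM
"""


def parse_domain_realm(text):
    """Return the [domain_realm] section as {lowercased name: realm}."""
    mappings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mappings[name.lower()] = realm
    return mappings


def realm_for_host(hostname, mappings):
    """Exact host entry first, then the nearest parent '.domain' entry.
    None means no mapping applies and the client relies on other fallbacks."""
    host = hostname.lower().rstrip(".")
    if host in mappings:
        return mappings[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mappings:
            return mappings[suffix]
    return None


def unmapped_hosts(hostnames, mappings, realm):
    """Hosts that this configuration would not place in the given realm."""
    return [h for h in hostnames if realm_for_host(h, mappings) != realm]


if __name__ == "__main__":
    conf = parse_domain_realm(SAMPLE_KRB5_CONF)
    clients = ["ipa.unix.mydomain.com", "web1.foo.net", "db.bar.org"]
    print(unmapped_hosts(clients, conf, "UNIX.MYDOMAIN.COM"))
```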