On 20/12/2016 08:07, Petr Spacek wrote:
> I've tried to clarify things in man pages and on web as well. Please have a
> look at the changes and let us know if it is better or not, and preferably what
> can be improved and in which way
>
> The modified deployment page is here:
> http://www.freeipa.org/page/Deployment_Recommendations
>
> Man page changes and changes in description of installer options are here:
> https://github.com/freeipa/freeipa/pull/352

Thank you for working on this.

This is getting clearer, but I would like to expand a little more.

(1) This introduces a concept of an "IPA Primary Domain". Is that just the DNS domain which holds the SRV records which point to the realm's kerberos/ldap servers, or does it have any other function? In other words, what other effects would there be from choosing a different IPA Primary Domain?

Let me give a specific example.

- IPA server hostname is ipa.foo.example.com
- I want to create kerberos realm BAR.EXAMPLE.COM

Which IPA primary domain should I choose?

The expected place for SRV records for realm BAR.EXAMPLE.COM would be in the DNS under domain bar.example.com. So I'm thinking that "--domain bar.example.com" is the right thing - and can't think why you'd ever want to do anything else.



(2) I'm trying to work out how --domain, --realm, --server and the system hostname influence each other, if one or more is not provided.

For ipa-server-install, testing suggests:

* --domain defaults to the domain part of the system hostname
* --realm defaults to the uppercased --domain
* (--server is obviously itself :-)

For ipa-client-install it seems a bit more complex. Based on the manpage, I believe the sequence is something like this:

* If --domain is not specified, then it's the domain from the system hostname
* If --server is not specified, then it hunts for servers based on the --domain (looking in that domain and its parents until suitable SRV records are found)
* If --realm is not specified, then it sends a query to the --server(s) to ask what realm they are in

But the manpage says you can specify both --server and --domain:

"Client machine can also be configured without a DNS autodiscovery at all. When both --server and --domain options are used, client installer will use the specified server and domain directly."

In that case, I can't see what the --domain is used for here, if its only purpose is to locate servers (and you've already told it which --server to use).

Thanks,

Brian.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
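The following is an added, constructed model of the option defaulting Brian describes in point (2): it is not FreeIPA's installer code and is not attached to the original message. It encodes his reading of ipa-server-install (--domain from the hostname, --realm from the upper-cased domain) and of ipa-client-install (walk from --domain up through its parents for SRV records unless --server is given, then ask the chosen server for its realm). The function names, the SRV table and the realm-of-server map are all assumptions invented for the example; a real client would query DNS and talk to the server.

```python
"""Constructed model of ipa-server-install / ipa-client-install option defaulting.

Not FreeIPA code: it illustrates the defaulting rules described in the
mailing-list question above. DNS and the "which realm are you in" query are
replaced by constructed in-memory stand-ins so the example runs offline.
"""
from typing import Callable, Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)

# Constructed DNS: in this toy zone only bar.example.com publishes IPA SRV
# records; foo.example.com and the client's own subdomain publish none.
FAKE_SRV: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.bar.example.com.": [(0, 100, 389, "ipa.foo.example.com.")],
    "_kerberos._udp.bar.example.com.": [(0, 100, 88, "ipa.foo.example.com.")],
}

# Constructed answer to "which realm are you in?" for each server.
FAKE_REALM_OF_SERVER: Dict[str, str] = {"ipa.foo.example.com": "BAR.EXAMPLE.COM"}


def fake_srv_lookup(name: str) -> List[SrvRecord]:
    return FAKE_SRV.get(name.lower(), [])


def fake_ask_realm(server: str) -> str:
    return FAKE_REALM_OF_SERVER[_normalize(server)]


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def domain_of(hostname: str) -> str:
    """Domain part of a fully qualified hostname (everything after the first label)."""
    host = _normalize(hostname)
    if "." not in host:
        raise ValueError(f"hostname must be fully qualified: {hostname!r}")
    return host.split(".", 1)[1]


def server_install_defaults(hostname: str, domain: Optional[str] = None,
                            realm: Optional[str] = None) -> Dict[str, str]:
    """ipa-server-install as described: --domain <- hostname, --realm <- DOMAIN."""
    domain = _normalize(domain) if domain else domain_of(hostname)
    realm = realm if realm else domain.upper()
    return {"domain": domain, "realm": realm, "server": _normalize(hostname)}


def discover_servers(domain: str, srv_lookup: Callable[[str], List[SrvRecord]]
                     ) -> Tuple[Optional[str], List[str]]:
    """Look for _ldap._tcp SRV records in `domain`, then each parent, stopping
    before the bare TLD. Returns (domain where found, ordered server list)."""
    labels = _normalize(domain).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        records = srv_lookup(f"_ldap._tcp.{candidate}.")
        if records:
            # Lowest priority first, then highest weight, as an SRV client would prefer.
            ordered = sorted(records, key=lambda r: (r[0], -r[1]))
            return candidate, [_normalize(r[3]) for r in ordered]
    return None, []


def client_install_defaults(hostname: str, domain: Optional[str] = None,
                            server: Optional[str] = None, realm: Optional[str] = None,
                            srv_lookup: Callable[[str], List[SrvRecord]] = fake_srv_lookup,
                            ask_realm: Callable[[str], str] = fake_ask_realm) -> Dict[str, object]:
    """ipa-client-install as described: explicit --server disables autodiscovery,
    otherwise servers are hunted from --domain upwards; realm comes from the server."""
    result: Dict[str, object] = {
        "domain": _normalize(domain) if domain else domain_of(hostname),
        "autodiscovery": False,
    }
    if server:
        result["servers"] = [_normalize(server)]
    else:
        found_in, servers = discover_servers(str(result["domain"]), srv_lookup)
        if not servers:
            raise LookupError(f"no IPA SRV records under {result['domain']} or its parents")
        result["servers"] = servers
        result["srv_domain"] = found_in
        result["autodiscovery"] = True
    # Realm is taken from the server unless given; an explicit --realm pins what
    # the client expects instead of accepting whatever the discovered server says.
    result["realm"] = realm if realm else ask_realm(str(result["servers"][0]))
    return result


if __name__ == "__main__":
    print(server_install_defaults("ipa.foo.example.com"))
    print(server_install_defaults("ipa.foo.example.com", domain="bar.example.com"))
    print(client_install_defaults("client.lab.bar.example.com"))
    print(client_install_defaults("client.lab.bar.example.com",
                                  domain="bar.example.com", server="ipa.foo.example.com"))
```

Running it reproduces Brian's scenario: a server named ipa.foo.example.com defaults to domain foo.example.com and realm FOO.EXAMPLE.COM, so "--domain bar.example.com" is what yields realm BAR.EXAMPLE.COM, and a client in lab.bar.example.com finds no SRV records in its own subdomain and walks up to bar.example.com. When both --server and --domain are passed, the model simply records the domain and never consults SRV at all, which is the behaviour the quoted manpage sentence describes and the point his question (2) is probing.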