I have set up an IdM environment with a replica and an AD trust. I have the following realms and domains:

IPADEV.EXAMPLE.LOCAL is the IPA realm with the domain ipadev.example.local. EXAMPLE.LOCAL is the AD realm with the DNS domain example.local. All the clients have the DNS domain example.local and are/will be enrolled in the IPA domain.

On the IPA servers I had the following entries (added by the installation process) in /etc/krb5.conf:

server
=====
[domain_realm]
 .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
 .example.local = IPADEV.EXAMPLE.LOCAL
 example.local = IPADEV.EXAMPLE.LOCAL
 .example.local = IPADEV.EXAMPLE.LOCAL
 example.local = IPADEV.EXAMPLE.LOCAL

client
====
[domain_realm]
 .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev02.example.local = IPADEV.EXAMPLE.LOCAL
 .example.local = IPADEV.EXAMPLE.LOCAL
 example.local = IPADEV.EXAMPLE.LOCAL

Because of various issues (either replication did not work, or clients could not query AD), I had removed entries from the server config (at some point I had .example.local = EXAMPLE.LOCAL, but that broke the replication between the IPA servers), and now it looks like this:

[domain_realm]
 .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev04.example.local = IPADEV.EXAMPLE.LOCAL

My question is, how should the [domain_realm] section of /etc/krb5.conf look on both the IPA server and the IPA client? Are dns_lookup_realm = true and dns_lookup_kdc = true enough in the [libdefaults] section, or should these realms be explicitly added? What are the tradeoffs of not using them?
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
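The following is an added example, not code from the post above and not FreeIPA's or MIT krb5's own code. It models the host-to-realm walk libkrb5 documents for [domain_realm] (exact host name first, then each parent domain as ".domain" followed by the bare "domain" form) and runs it over the [domain_realm] sections quoted in the post, plus one reconstructed variant with the `.example.local = EXAMPLE.LOCAL` catch-all the post says broke replication. The AD host name `ad-dc.example.local` is constructed for illustration and does not come from the post; the catch-all variant's full contents are an assumption built from the post's description.

```python
# Added example (not from the post, FreeIPA or MIT krb5): a small model of how
# libkrb5 consults [domain_realm] when mapping a host name to a realm, applied
# to the krb5.conf fragments quoted in the mailing-list post.
from typing import Dict, List, Optional


def parse_domain_realm(text: str) -> Dict[str, str]:
    """Parse the [domain_realm] stanza of krb5.conf text into {tag: realm}.

    Tags are lower-cased (krb5.conf expects lower-case host/domain names).
    For a repeated tag the first entry is kept; the repeats in the server
    config from the post are identical anyway, so this does not change results.
    """
    mapping: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # krb5.conf comment lines
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            tag, realm = (part.strip() for part in line.split("=", 1))
            mapping.setdefault(tag.lower(), realm)
    return mapping


def lookup_order(host: str) -> List[str]:
    """Tags tried for a host, in the order MIT krb5 documents for [domain_realm]:
    the full host name first, then each parent domain as ".domain" followed by
    the bare "domain" form (a host-name relation implicitly covers its domain)."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    order = [host]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        order.append("." + parent)
        order.append(parent)
    return order


def realm_for_host(mapping: Dict[str, str], host: str) -> Optional[str]:
    """First [domain_realm] hit for host, or None when no static mapping applies.
    None is where libkrb5 moves on to its fallbacks: DNS TXT lookup when
    dns_lookup_realm is true, realm_try_domains, and finally default_realm."""
    for tag in lookup_order(host):
        if tag in mapping:
            return mapping[tag]
    return None


# [domain_realm] sections as quoted in the post.
CLIENT_ORIGINAL = """
[domain_realm]
 .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev02.example.local = IPADEV.EXAMPLE.LOCAL
 .example.local = IPADEV.EXAMPLE.LOCAL
 example.local = IPADEV.EXAMPLE.LOCAL
"""

SERVER_TRIMMED = """
[domain_realm]
 .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
"""

# Assumed reconstruction of the variant the post says broke replication:
# the server's own host entry plus a catch-all pointing at the AD realm.
SERVER_AD_CATCHALL = """
[domain_realm]
 .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
 .example.local = EXAMPLE.LOCAL
"""

# Two IPA servers named in the post, and a constructed AD domain controller
# name (ad-dc.example.local is not from the post).
HOSTS = ["ipadev02.example.local", "ipadev04.example.local", "ad-dc.example.local"]


def compare(configs: Dict[str, str], hosts: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """For each host, the realm each named config maps it to (None = no static mapping)."""
    parsed = {name: parse_domain_realm(text) for name, text in configs.items()}
    return {h: {name: realm_for_host(m, h) for name, m in parsed.items()} for h in hosts}


if __name__ == "__main__":
    table = compare({"client_original": CLIENT_ORIGINAL,
                     "server_trimmed": SERVER_TRIMMED,
                     "server_ad_catchall": SERVER_AD_CATCHALL}, HOSTS)
    for host, by_config in table.items():
        print(host)
        for name, realm in by_config.items():
            print(f"  {name:20s} -> {realm}")
```

Running it shows the collision the post is circling around: with the original client section, the catch-all `.example.local = IPADEV.EXAMPLE.LOCAL` pins every host under example.local, the constructed AD controller included, to the IPA realm, so a client would ask the IPA KDC for a service ticket for an AD host. With the catch-all flipped to EXAMPLE.LOCAL, any IPA server that lacks its own exact host entry (ipadev02 on a server that only lists ipadev04) is mapped to the AD realm instead, which is consistent with the replication breakage the post describes. The trimmed section maps only the hosts it names and leaves everything else unmapped, so AD hosts reach libkrb5's DNS and default_realm fallbacks rather than a static, wrong answer.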