On Wed, 18 Dec 2019, White, David via FreeIPA-users wrote:
> I am trying to spin up a new 2-node cluster in my lab environment.
> I have FreeIPA installed, and can login to the web UI.
> At this point, I'm trying to establish a trust with AD:
>
>     ipa trust-add --type=ad example.net --admin administrator
>
> Based on the errors I was getting with that command's stdout and
> subsequent research, it occurred to me that I don't have DNS resolution
> to our corporate internal DNS from my lab environment.
> As this is a lab environment, I really don't care about best practices
> (although I do eventually want to get corporate DNS resolution into my
> lab, that's likely not happening until January given the holidays... and
> I need to make progress on this project if at all possible).
> Is it possible to set the required AD records into `/etc/hosts` on each
> of the (2) nodes?
No. The reason for that is that AD domain controllers have to resolve
IPA DC addresses as well, and they use DNS for that too. So it is not
just on the IPA side. Additionally, after they have resolved SRV records via DNS,
they perform the actual site-local search using connectionless LDAP (CLDAP,
389/UDP) directly against the DCs and then resolve those DCs via DNS, so
there is a need to have a fully working DNS setup.
> And/or since I already have IdM installed with DNS services, is it
> possible for me to go into the web UI, and create a new DNS zone in
> there for the upstream AD environment?
>
> Here are the records I've entered into my /etc/hosts file on the master
> FreeIPA server that I'm trying to use to establish the trust (as you
> can see, we have 4 AD servers, so I have set the "A" record in
> /etc/hosts four different times):
>
>     Idm-node-1.fiberlab.example.net
>     Idm-node-2.fiberlab.example.net
>     example.net
>     example.net
>     example.net
>     example.net
>     _kerberos._tcp.example.net
>     _kerberos._tcp.example.net
>     _kerberos._tcp.example.net
>     _kerberos._tcp.example.net
>     _kerberos._udp.example.net
>     _kerberos._udp.example.net
>     _kerberos._udp.example.net
>     _kerberos._udp.example.net
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
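The answer above explains that both sides locate each other through SRV records, which /etc/hosts cannot answer. The following pre-flight check is an added example, not code from the thread or from FreeIPA; it assumes the standard SRV names AD and IPA publish (_ldap, _kerberos, _kpasswd and _msdcs), injects the DNS lookups as callables so it runs offline against constructed data, and shows the host-file-only setup from the question failing while proper zones pass.

```python
from typing import Callable, Dict, List, Tuple

SrvLookup = Callable[[str], List[Tuple[str, int]]]  # name -> [(target, port)]
ALookup = Callable[[str], List[str]]                # name -> [address]

# Standard SRV names each side publishes (assumed set, see lead-in).
AD_SRV = ("_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_kerberos._udp.{d}",
          "_ldap._tcp.dc._msdcs.{d}")
IPA_SRV = ("_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_kerberos._udp.{d}",
           "_kpasswd._tcp.{d}")
PORT = {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464}

def check_domain(domain: str, names: Tuple[str, ...],
                 srv: SrvLookup, a: ALookup) -> List[str]:
    """List problems: SRV names with no answer, and SRV targets with no
    address. Both are DNS lookups; /etc/hosts can only stand in for the last."""
    problems = []
    for tmpl in names:
        name = tmpl.format(d=domain)
        targets = srv(name)
        if not targets:
            problems.append(f"no SRV record for {name}")
            continue
        for host, port in targets:
            if not a(host):
                problems.append(f"{name} -> {host}:{port} has no A record")
    return problems

def trust_preflight(ipa_domain: str, ad_domain: str,
                    srv: SrvLookup, a: ALookup) -> Dict[str, List[str]]:
    """Check both sides; an empty list means that domain looks ready."""
    return {ipa_domain: check_domain(ipa_domain, IPA_SRV, srv, a),
            ad_domain: check_domain(ad_domain, AD_SRV, srv, a)}

# Constructed data. /etc/hosts entries, as in the question, yield A records
# only, so every SRV query comes back empty.
HOSTS_A = {"idm-node-1.fiberlab.example.net": ["192.0.2.10"],
           "dc1.example.net": ["192.0.2.20"]}
hosts_a: ALookup = lambda name: HOSTS_A.get(name.lower(), [])
hosts_srv: SrvLookup = lambda name: []

# Constructed data: the same two domains served by proper DNS zones.
DNS_SRV: Dict[str, List[Tuple[str, int]]] = {}
for tmpl in AD_SRV:
    DNS_SRV[tmpl.format(d="example.net")] = [("dc1.example.net", PORT[tmpl.split(".")[0]])]
for tmpl in IPA_SRV:
    DNS_SRV[tmpl.format(d="fiberlab.example.net")] = [
        ("idm-node-1.fiberlab.example.net", PORT[tmpl.split(".")[0]])]
dns_srv: SrvLookup = lambda name: DNS_SRV.get(name.lower(), [])
```

For a live run, back `srv` and `a` with real resolver queries (for example dnspython) against the lab's resolver, and expect the AD side to list every SRV name as missing until that zone is reachable.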