Dear Alexander,

The last small wrinkle: setting the server options is fine and works well, but the DNS record creation still doesn't work. I see it queries the SOA record and then appears to use that as the server to send the changes to.

I tried to set the SOA records for the virt.$domain realm, but it doesn't seem to overwrite the top-level SOA record:
ipa dnszone-mod virt.in.bmrc.ox.ac.uk. --name-server ipa-a --admin-email ipa-a
I note that admin-email appears to be the option that actually changes the record returned here, which was unexpected for me.

Trying to understand as much as possible from the documentation where possible, but still not quite there. Is there a way of forcing only the virt.$domain SOA record to be returned, or specifically remove the top level ipa-a.$domain record from the virt.$domain sub-zone SOA record somehow?

;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
virt-test.virt.in.bmrc.ox.ac.uk. 0 ANY  A

Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  61088
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;859519045.sig-ipa-a.in.bmrc.ox.ac.uk. ANY TKEY

;; ADDITIONAL SECTION:
859519045.sig-ipa-a.in.bmrc.ox.ac.uk. 0 ANY TKEY gss-tsig. 1552471501 1552471501 3 NOERROR 688 YIICrAYJKoZIhvcSAQICAQBuggKbMIICl6ADAgEFoQMCAQ6iBwMFACAA AACjggGKYYIBhjCCAYKgAwIBBaES
GxBJTi5CTVJDLk9YLkFDLlVLoigw JqADAgEDoR8wHRsDRE5TGxZpcGEtYS5pbi5ibXJjLm94LmFjLnVro4IB OzCCATegAwIBEqEDAgECooIBKQSCASWh1n7sjwfpXDidKWGk8HSALBBW OwjtcqBJAGcS7yB5YGKzb4t3LUQFPXhzmZAxhZGTrkg+YLRJ3Ysty4AI HY1Tu465eJ0yPIOAxwVrhlQXBrs6T7K8OqyjN/rOO9KLhLMjTLz76x3S m5u8FE/L0FuTM3uF53qg2l00y4hjsztaDAsKFjL4vZALLDY796tGBDS0 C8RybVcdVGeoe5L7IrHG14hTd1ppMXaGuFcIOLlEuJHW0m+YjZHlQWBT HYAPVKJqgBOrRiqKIVkeTBSyvUMhAG5YNMKHOtmtfBbr3hyh3xb0yRlT NakBI9TRSdulBkfP4ONGjnhg48huUgsaiuNl/WzdDNvzz3qepbJU8zVE d/B/NM5mNDmaUzYVhAnPdfb2ht6YaaSB8zCB8KADAgESooHoBIHlXbse XPn5DwGyQy8HWW4lwny7PrJTLmnDczg7OjSkWLsgsA9c2Ok7IBO1pRZB Q1DK48TZ09vEpU9nTULdKmciqikdKV7Zi50afJXVc79wGaDOhHdGByzo KhnZy8kDgciN9BYTJ6se7Sd+f6agZ9Fh5t5cDb4kk2LUE9bVKERqrE1D CgASPFqxYm60GmOOSJDlVevYAycHfmy1DFcsCJOGYAiXNWDYSxP13bhe DwTlhvXPOjxXhwhQxWwz+E8aNHCHEuniT1+iTHVi5xgsU98qi489Deta SocvV0sI1eKMoalIe0TXIw== 0


2019-03-13T10:06:41Z DEBUG stderr=Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  26845
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;virt-test.virt.in.bmrc.ox.ac.uk. IN    SOA

;; AUTHORITY SECTION:
virt.in.bmrc.ox.ac.uk.  0       IN      SOA     ipa-a.in.bmrc.ox.ac.uk. ipa-a.virt.in.bmrc.ox.ac.uk. 1552471476 3600 900 1209600 3600

Found zone name: virt.in.bmrc.ox.ac.uk
The master is: ipa-a.in.bmrc.ox.ac.uk
start_gssrequest
send_gssrequest
; Communication with 10.141.247.129#53 failed: timed out
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  62319
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;859519045.sig-ipa-a.in.bmrc.ox.ac.uk. ANY TKEY

;; ANSWER SECTION:
859519045.sig-ipa-a.in.bmrc.ox.ac.uk. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0  0

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id:   1248
;; flags: qr ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;sig-ipa-a.in.bmrc.ox.ac.uk.    ANY     TKEY

response to SOA query was unsuccessful

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum@well.ox.ac.uk
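As an added example (not part of this thread and not FreeIPA's own code), a small Python parser for the nsupdate debug output quoted above: it pulls out the zone, the SOA MNAME that nsupdate will send the update to, and any peer it failed to reach, and flags when that MNAME lies outside the zone being updated. The sample log is constructed from the lines in the message; the helper names are my own.

```python
import re

# Constructed sample, abridged from the nsupdate debug output quoted in the message above.
SAMPLE_LOG = """\
;; AUTHORITY SECTION:
virt.in.bmrc.ox.ac.uk.  0       IN      SOA     ipa-a.in.bmrc.ox.ac.uk. ipa-a.virt.in.bmrc.ox.ac.uk. 1552471476 3600 900 1209600 3600

Found zone name: virt.in.bmrc.ox.ac.uk
The master is: ipa-a.in.bmrc.ox.ac.uk
start_gssrequest
send_gssrequest
; Communication with 10.141.247.129#53 failed: timed out
response to SOA query was unsuccessful
"""

SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)\s+(\d+)")
MASTER_RE = re.compile(r"^The master is: (\S+)")
FAIL_RE = re.compile(r"^; Communication with (\S+) failed: (.*)$")


def in_zone(name, zone):
    """True when name equals zone or is a subdomain of it (case and trailing dots ignored)."""
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def parse_update_debug(text):
    """Extract zone, SOA MNAME/RNAME, the chosen master and failed peers from a debug log."""
    info = {"zone": None, "mname": None, "rname": None, "serial": None,
            "master": None, "failures": []}
    for line in text.splitlines():
        if (m := SOA_RE.match(line)):
            info.update(zone=m[1], mname=m[2], rname=m[3], serial=int(m[4]))
        elif (m := MASTER_RE.match(line)):
            info["master"] = m[1]
        elif (m := FAIL_RE.match(line)):
            info["failures"].append((m[1], m[2]))
    # nsupdate sends the update to the SOA MNAME; record whether that host sits inside the zone
    info["master_in_zone"] = bool(info["mname"]) and in_zone(info["mname"], info["zone"])
    return info


def summarize(info):
    """One-line verdict for a parsed log."""
    if info["failures"]:
        peer, why = info["failures"][-1]
        return f"update to {info['master']} (SOA MNAME of {info['zone']}) failed: {peer} {why}"
    return f"update sent to {info['master']} for zone {info['zone']}"


if __name__ == "__main__":
    print(summarize(parse_update_debug(SAMPLE_LOG)))
```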

On 12 Mar 2019, at 17:08, Alexander Bokovoy <abokovoy@redhat.com> wrote:

On Tue, 12 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear Alexander,

We already have the correct _ldap._tcp.virt.$domain in place, and the
discovery at the start of ipa-client-install is working correctly, it
discovers the correct information and installs based on that:

Discovery was successful!
Client hostname: virt-test.virt.in.bmrc.ox.ac.uk
Realm: IN.BMRC.OX.AC.UK
DNS Domain: virt.in.bmrc.ox.ac.uk
IPA Server: ipa-b.virt.in.bmrc.ox.ac.uk
BaseDN: dc=in,dc=bmrc,dc=ox,dc=ac,dc=uk

But it is further into the process where it goes a bit wrong. I've
attached two files krb5trace and ipaclient-installer.log so that we're
not confusing the previous woes.
The difference is that during install the temporary krb5.conf written pins you
down to a specific IPA master. This is done to avoid
replication issues if a different master were chosen at a different stage
of the install process.

Later, the actual krb5.conf written to /etc/krb5.conf does not include
that master because installation options weren't forcing us to stick to
a specific master. At this point selection of the KDCs is left to the krb5
library. The actual order of service locator tries is this:

- try locator plugins first
- try krb5.conf profile
- try DNS resolution as a callback

We have nothing in krb5.conf. We also have nothing in sssd.conf so the SSSD
locator plugin would give us whatever IPA master it chose. But at the
point of completing the ipa-client-installer job SSSD is not yet running so
we end up with DNS resolution.

The only way of solving this is by forcing use of specific servers
during install. E.g. specifying 
ipa-client-install --server ipa-a.virt.$domain --server  ipa-b.virt.$domain ...

would make sure both servers are added to krb5.conf and to sssd.conf.

Perhaps this is what would work for you?

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland