Understood, thanks. Effectively, the DNS-based lookup of the KDC is problematic
with clusters (delays, etc.) in sprawling environments... so static mappings
are used in our labs... I understand that's counterintuitive from a
management/user perspective, and we are talking about a severe edge case
here. Thanks again for the ongoing feedback.
On Fri, Mar 20, 2020 at 11:27 AM Charles Hedrick <hedrick(a)rutgers.edu>
wrote:
> On Mar 6, 2020, at 5:31:36 PM, Todd Grayson via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Thanks Rob, Thanks Angus,
>
> I am aware of how to point the client to the specific IPA server; what
> I'm struggling more with is FreeIPA in an environment where it's not using
> DNS for domain and realm resolution for Kerberos, which does work today.
> I should have limited my question to the following:
>
> Is it possible to use ipaClient but manage static mappings in the
> krb5.conf [realm] and [domain realm] and run with dns_lookup_kdc=false and
> dns_lookup_realm=false (including the krb5.conf on the IPA server itself so
> it's aware of all)? The question from Angus makes me believe that having
> dns_lookup* = false is an unsupported context in an IPA environment.
>
I don’t see why not. We did that for a while. You need to configure
servers in both krb5.conf and sssd.conf. But I’m not sure why you need
this. The SRV records are for finding the server based on the Kerberos
domain. As far as I know it has nothing to do with the hostname of the
client. As long as krb5.conf and sssd.conf have the proper Kerberos domain,
the client should be able to look up the servers in that domain.
> Thanks for your feedback.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
--
Todd Grayson
Principal Customer Operations Engineer
Security SME
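The static-mapping setup discussed in the thread above, as an added example that is not code from the original message, from FreeIPA, or from ipa-client-install. The realm name, hostnames, and domain suffixes are hypothetical placeholders; substitute your own. The point it illustrates is that once dns_lookup_kdc and dns_lookup_realm are both false, everything that DNS SRV/TXT records would normally supply (which KDCs to contact, and which realm a given hostname belongs to) has to be written out by hand in [realms] and [domain_realm], and every client plus the IPA servers themselves need a matching copy.

```ini
# /etc/krb5.conf (hypothetical example; EXAMPLE.TEST and the ipaN hosts are placeholders)

[libdefaults]
    default_realm = EXAMPLE.TEST
    # Turn off DNS discovery entirely. With these two set to false the
    # library never issues _kerberos SRV/TXT queries; the KDC list and the
    # host-to-realm mapping come only from the sections below.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Don't reverse-resolve service hostnames when building service principals.
    rdns = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    EXAMPLE.TEST = {
        # Every KDC the client is allowed to use, in preference order.
        # Omitting one here means clients will never fail over to it.
        kdc = ipa1.example.test:88
        kdc = ipa2.example.test:88
        # Password changes and kadmin traffic go to a specific server.
        admin_server = ipa1.example.test:749
        kpasswd_server = ipa1.example.test:464
        default_domain = example.test
    }

[domain_realm]
    # Map hostnames to the realm. The leading-dot form matches every host
    # under that suffix; the bare form matches the domain name itself.
    .example.test = EXAMPLE.TEST
    example.test = EXAMPLE.TEST
    # Hosts in a separate DNS subtree that still belong to this realm must
    # be listed explicitly, because nothing is discovered from DNS anymore.
    .lab.example.test = EXAMPLE.TEST
    lab.example.test = EXAMPLE.TEST
```

Two practical checks after deploying a file like this: run `kinit` followed by `klist` on a client to confirm a TGT is issued from one of the listed KDCs, and stop the first-listed KDC to confirm the client actually fails over to the second rather than hanging. Also, since the mail mentions sssd.conf, note that SSSD's IPA provider has its own server list (the `ipa_server` option in sssd-ipa(5)); if only krb5.conf is made static, SSSD will still try SRV discovery for its own lookups, so the server list needs to be written in both places.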