Understood, thanks. Effectively the DNS-based lookup of the KDC is problematic with clusters (delays, etc.) in sprawling environments... so static mappings are used in our labs... I understand that's counter-intuitive from a management/user perspective and we are talking about a severe edge case here. Thanks again for the ongoing feedback.

On Fri, Mar 20, 2020 at 11:27 AM Charles Hedrick <hedrick@rutgers.edu> wrote:


> On Mar 6, 2020, at 5:31:36 PM, Todd Grayson via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Thanks Rob,  Thanks Angus,
>
> I am aware of how to point the client to the specific IPA server; what I'm struggling more with is FreeIPA in an environment where it's not using DNS for domain and realm resolution for Kerberos, which does work today.
> I should have limited my question to the following:
>
> Is it possible to use ipaClient but manage static mappings in the krb5.conf [realms] and [domain_realm] sections and run with dns_lookup_kdc=false and dns_lookup_realm=false (including the krb5.conf on the IPA server itself so it's aware of all)? The question from Angus makes me believe that having dns_lookup* = false is an unsupported context in an IPA environment.
>
I don’t see why not. We did that for a while. You need to configure servers in both krb5.conf and sssd.conf. But I’m not sure why you need this. The SRV records are for finding the server based on the Kerberos domain. As far as I know it has nothing to do with the hostname of the client. As long as krb5.conf and sssd.conf have the proper Kerberos domain, the client should be able to look up the servers in that domain.


> Thanks for your feedback.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org



--
Todd Grayson
Principal Customer Operations Engineer
Security SME
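As an added example (not code from the thread or the FreeIPA project), a small consistency check for the static-mapping setup discussed above: once dns_lookup_kdc=false, every realm named under [domain_realm] or as default_realm must carry a kdc line under [realms], otherwise the client has no way left to locate a KDC for it. The sample krb5.conf, its realm and host names, and the helpers parse_krb5_conf and check_static_kdc are all constructed for this illustration.

```python
# Constructed sample krb5.conf (placeholder realm and host names) with the
# DNS-based discovery switches turned off, as discussed in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 EXAMPLE.TEST = {
  kdc = ipa1.example.test:88
  admin_server = ipa1.example.test:749
 }
 LAB.TEST = {
  admin_server = ipa-lab.lab.test:749
 }
[domain_realm]
 .example.test = EXAMPLE.TEST
 .lab.test = LAB.TEST
 .orphan.test = ORPHAN.TEST
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: [values]}}; brace blocks nest."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            section, block = sections.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):  # e.g. "EXAMPLE.TEST = {" inside [realms]
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        elif section is not None:
            key, _, value = line.partition("=")
            target = block if block is not None else section
            target.setdefault(key.strip(), []).append(value.strip())
    return sections

def check_static_kdc(conf):
    """Realms the client must reach but cannot once dns_lookup_kdc=false."""
    ld = conf.get("libdefaults", {})
    if ld.get("dns_lookup_kdc", ["true"])[-1].lower() != "false":
        return []  # SRV lookup would still locate a KDC for such realms
    needed = {r for vs in conf.get("domain_realm", {}).values() for r in vs}
    needed.update(ld.get("default_realm", []))
    realms = conf.get("realms", {})
    return [(r, "no [realms] entry" if r not in realms else "no kdc line")
            for r in sorted(needed) if not realms.get(r, {}).get("kdc")]
```

Running the check over the sample flags LAB.TEST (realm block without a kdc line) and ORPHAN.TEST (mapped in [domain_realm] but absent from [realms]); the same check should pass on every client and on the IPA server's own krb5.conf when static mappings are used.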