I have set up an IdM environment with a replica and an AD trust. I have the following realms and domains:

IPADEV.EXAMPLE.LOCAL is the IPA realm with the domain ipadev.example.local
EXAMPLE.LOCAL is the AD realm with the DNS domain example.local
All the clients have the DNS domain example.local and are/will be enrolled to the IPA domain.
In the IPA servers I had the following entries (added by the installation process) in /etc/krb5.conf :

server
=====
[domain_realm]
  .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
  .example.local = IPADEV.EXAMPLE.LOCAL
  example.local = IPADEV.EXAMPLE.LOCAL
  .example.local = IPADEV.EXAMPLE.LOCAL
  example.local = IPADEV.EXAMPLE.LOCAL

client
====
[domain_realm]
  .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev02.example.local = IPADEV.EXAMPLE.LOCAL
  .example.local = IPADEV.EXAMPLE.LOCAL
  example.local = IPADEV.EXAMPLE.LOCAL
Because of various issues (either replication did not work, or clients could not query AD), I had removed entries from the server config (at some point I had .example.local = EXAMPLE.LOCAL but that broke the replication between the IPA servers) and now it looks like this:

[domain_realm]
  .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
My question is, how should the [domain_realm] section of /etc/krb5.conf look on both the IPA server and the IPA client? Are dns_lookup_realm = true and dns_lookup_kdc = true in the [libdefaults] section enough, or should these realms be explicitly added? What are the tradeoffs of not using them?
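As an added illustration (not from the thread or from FreeIPA's code), the following Python resolves a hostname through a [domain_realm] section the way libkrb5 does (exact host match first, then each parent domain with a leading dot, longest suffix first) against two constructed sections modelled on the ones quoted above; the AD controller name dc01.example.local and the first-value-wins handling of duplicate keys are assumptions.

```python
def parse_domain_realm(conf: str) -> dict:
    """Return the [domain_realm] mappings from krb5.conf-style text.
    Duplicate keys keep the first value (assumed MIT profile behaviour)."""
    mapping, in_section = {}, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            mapping.setdefault(key.lower(), value)
    return mapping

def host_realm(hostname: str, mapping: dict):
    """Exact host match first, then each '.parent' suffix, longest first.
    None means libkrb5 falls back to DNS TXT (dns_lookup_realm) or default_realm."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None

# Constructed: the install-time server section, which also claims the AD DNS domain.
INSTALL_CONF = """[domain_realm]
 .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
 .example.local = IPADEV.EXAMPLE.LOCAL
 example.local = IPADEV.EXAMPLE.LOCAL
"""
# Constructed: the same section after the .example.local lines were removed.
TRIMMED_CONF = """[domain_realm]
 .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev.example.local = IPADEV.EXAMPLE.LOCAL
 ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
"""

if __name__ == "__main__":
    # dc01.example.local is a hypothetical AD domain controller name.
    full, trimmed = parse_domain_realm(INSTALL_CONF), parse_domain_realm(TRIMMED_CONF)
    print(host_realm("dc01.example.local", full))     # IPADEV.EXAMPLE.LOCAL (AD host mis-mapped)
    print(host_realm("dc01.example.local", trimmed))  # None (DNS or default_realm decides)
    print(host_realm("ipadev04.example.local", trimmed))  # IPADEV.EXAMPLE.LOCAL
```

With the install-time section every example.local host, AD controllers included, is sent to the IPA realm; with the trimmed section those hosts are left to the DNS or default_realm fallback, which is what the dns_lookup_realm question turns on.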
On Thu, 29 Apr 2021, iulian roman via FreeIPA-users wrote:

I have set up an IdM environment with a replica and an AD trust. I have the following realms and domains:

IPADEV.EXAMPLE.LOCAL is the IPA realm with the domain ipadev.example.local
EXAMPLE.LOCAL is the AD realm with the DNS domain example.local
All the clients have the DNS domain example.local and are/will be enrolled to the IPA domain.
In the IPA servers I had the following entries (added by the installation process) in /etc/krb5.conf :

server
=====
[domain_realm]
  .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
  .example.local = IPADEV.EXAMPLE.LOCAL
  example.local = IPADEV.EXAMPLE.LOCAL
  .example.local = IPADEV.EXAMPLE.LOCAL
  example.local = IPADEV.EXAMPLE.LOCAL

client
====
[domain_realm]
  .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev02.example.local = IPADEV.EXAMPLE.LOCAL
  .example.local = IPADEV.EXAMPLE.LOCAL
  example.local = IPADEV.EXAMPLE.LOCAL
Because of various issues (either replication did not work, or clients could not query AD), I had removed entries from the server config (at some point I had .example.local = EXAMPLE.LOCAL but that broke the replication between the IPA servers) and now it looks like this:

[domain_realm]
  .ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev.example.local = IPADEV.EXAMPLE.LOCAL
  ipadev04.example.local = IPADEV.EXAMPLE.LOCAL
My question is, how should the [domain_realm] section of /etc/krb5.conf look on both the IPA server and the IPA client? Are dns_lookup_realm = true and dns_lookup_kdc = true in the [libdefaults] section enough, or should these realms be explicitly added? What are the tradeoffs of not using them?

First, to make it clear. You should not have IPA servers (replicas) in .example.local. If you do, this is an unsupported configuration and any bugs you see there are your own problems. There is simply no way to support servers from two separate Kerberos realms trusting each other in the same DNS domain.

The configuration for IPA clients in .example.local is described in the FreeIPA wiki page you already referred to in this thread. Anything deviating from it would cause issues, as you are witnessing already.
On Thu, 29 Apr 2021, iulian roman via FreeIPA-users wrote:

First, to make it clear. You should not have IPA servers (replicas) in .example.local. If you do, this is an unsupported configuration and any bugs you see there are your own problems. There is simply no way to support servers from two separate Kerberos realms trusting each other in the same DNS domain.

That means that both the IPA server and the replica should be in the .ipadev.example.local DNS domain (or any other domain different from .example.local)? I need to mention that I am not using any integrated DNS, but an external one configured in Infoblox. The trust is only one way (IPA trusts the AD domain).

The configuration for IPA clients in .example.local is described in the FreeIPA wiki page you already referred to in this thread. Anything deviating from it would cause issues, as you are witnessing already.
On Fri, 30 Apr 2021, iulian roman via FreeIPA-users wrote:

On Thu, 29 Apr 2021, iulian roman via FreeIPA-users wrote:

First, to make it clear. You should not have IPA servers (replicas) in .example.local. If you do, this is an unsupported configuration and any bugs you see there are your own problems. There is simply no way to support servers from two separate Kerberos realms trusting each other in the same DNS domain.

That means that both the IPA server and the replica should be in the .ipadev.example.local DNS domain (or any other domain different from .example.local)?
Correct -- in any DNS domain owned by your IPA deployment.
It is unfortunate that there is confusion between AD domain and DNS domain terminology-wise. An AD domain may "own" several DNS domains, as described in the AD domain topology, but it is not required to host DNS services for those, in general. For the purpose of trust to Active Directory, an IPA deployment represents a separate AD forest with at least one DNS domain owned by the forest root of IPA (=ipadev.example.local in your case). It may include many others, but those DNS domains must not overlap with the DNS domains owned by a different AD forest, especially a trusted one.

Who serves DNS domains over the DNS protocol is irrelevant here.

Please see [MS-ADOD] for more details and requirements.

I need to mention that I am not using any integrated DNS, but an external one configured in Infoblox. The trust is only one way (IPA trusts the AD domain).
[MS-ADOD] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adod/c3b25d9...
On Fri, 30 Apr 2021, iulian roman via FreeIPA-users wrote:

Correct -- in any DNS domain owned by your IPA deployment.

It is unfortunate that there is confusion between AD domain and DNS domain terminology-wise. An AD domain may "own" several DNS domains, as described in the AD domain topology, but it is not required to host DNS services for those, in general. For the purpose of trust to Active Directory, an IPA deployment represents a separate AD forest with at least one DNS domain owned by the forest root of IPA (=ipadev.example.local in your case). It may include many others, but those DNS domains must not overlap with the DNS domains owned by a different AD forest, especially a trusted one.

Who serves DNS domains over the DNS protocol is irrelevant here.

Please see [MS-ADOD] for more details and requirements.
[MS-ADOD] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adod/c3b2...
Thank you Alexander. I have moved the IPA servers into ipadev.example.local. I now have to figure out how I can SSO from non-IPA clients which are in the DNS domain .example.local (for example PuTTY from Windows machines in .example.local to Linux IPA clients).
freeipa-users@lists.fedorahosted.org