IPA DNS Configuration

piggy_op
Posts: 10
Joined: 2017/01/30 21:21:32

IPA DNS Configuration

Post by piggy_op » 2017/06/07 17:10:45

Hi:
I have been trying to get an IPA setup working, and I got to the point where I had a test server with users who could ssh to a joined machine with a single sign on, which was one of my goals. However, I am failing miserably to get a replica machine to join my realm, and some of the error messages I'm seeing while trying have made me suspect that I need to rethink my DNS settings. Here's what I have:

- A linux machine handling local DNS for internal machines with a real domain (piggy.com in my examples). I initially set three entries:
kerberos1.piggy.com (192.168.0.7)
ipa.piggy.com (192.168.0.7)
kerberos2.piggy.com (192.168.0.9)

- Two CentOS 7 virtual machines, kerberos1 & kerberos2.

IPA was installed on kerberos1, using the realm IPA.PIGGY.COM. What I'm suspecting is that, since piggy.com is a real domain with external machines like server.piggy.com, I should have set up kerberos1/2 with the FQDNs kerberos1.ipa.piggy.com/kerberos2.ipa.piggy.com. It also seems to me (although I started this process a while ago) that I needed to add ipa.piggy.com to my DNS to get the initial install to work with a client.

So my questions are:
  • Given an existing domain, should I set up my IPA servers (masters and replicas) to use FQDNs of the form kerberos1.ipa.piggy.com?
  • If my realm is IPA.PIGGY.COM, do I need a DNS entry for that? If so, where should it resolve to?
Thanks for any advice!

piggy_op
Posts: 10
Joined: 2017/01/30 21:21:32

Re: IPA DNS Configuration

Post by piggy_op » 2017/06/08 12:36:05

To follow up:

After posting the above I ran through the install again a few times and cleared a few errors which were appearing. Although there were still some warnings about DNS, I managed to get the replica synced.

Still, if anyone has any insight about what the best (as opposed to "seems to mostly work") way to configure DNS in this situation is, I'd like to hear it!

MoggotUk
Posts: 1
Joined: 2017/06/08 13:04:36

Re: IPA DNS Configuration

Post by MoggotUk » 2017/06/08 13:17:48

I set up FreeIPA using the domain format ipa1-location01.uk.int.domain.com (master) and ipa2... as replica.
I also set up SRV records in our internal BIND server.
Each server has its own FQDN.

;IPA servers
ipa1-location01      A       10.1.1.1
ipa2-location01      A       10.1.1.2

ipa1-location02      A       10.2.1.1
ipa2-location02      A       10.2.1.2

;SRV records for FreeIPA. Clients discover the realm from the TXT record and
;the services from the SRV records; a line with a blank owner inherits the
;owner name of the line above it.

_kerberos               IN      TXT     "UK.INT.DOMAIN.COM"

_ldap._tcp              IN   SRV     0 100 389 ipa1-location01
                        IN   SRV     0 100 389 ipa2-location01

_ldaps._tcp             IN   SRV     0 100 636 ipa1-location01
                        IN   SRV     0 100 636 ipa2-location01

;The KDC listens on 88; port 464 is the kpasswd (password change) service
_kerberos._tcp          IN   SRV     0 100 88  ipa1-location01
                        IN   SRV     0 100 88  ipa2-location01
_kerberos._udp          IN   SRV     0 100 88  ipa1-location01
                        IN   SRV     0 100 88  ipa2-location01

_kpasswd._tcp           IN   SRV     0 100 464 ipa1-location01
                        IN   SRV     0 100 464 ipa2-location01

_http._tcp              IN   SRV     0 100 80  ipa1-location01
                        IN   SRV     0 100 80  ipa2-location01

_https._tcp             IN   SRV     0 100 443 ipa1-location01
                        IN   SRV     0 100 443 ipa2-location01

_kerberos-adm._tcp      IN   SRV     0 100 749 ipa1-location01
                        IN   SRV     0 100 749 ipa2-location01
Walk without rhythm and we won't attract the worm!
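
A small checker for the kind of SRV record set described above, added here as an example (not code from the thread or from FreeIPA): it parses BIND-style SRV lines, including the continuation lines with a blank owner, and compares each port against the port the named FreeIPA service actually listens on, reporting wrong ports and missing services. The zone fragment and the host names ipa1/ipa2 are constructed sample input.

```python
import re

# Target ports of the SRV records a FreeIPA client looks up: KDC 88,
# kpasswd 464, kadmin 749, LDAP 389/636, HTTP 80/443.
EXPECTED_PORTS = {
    "_kerberos._tcp": 88, "_kerberos._udp": 88,
    "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
    "_kerberos-adm._tcp": 749, "_ldap._tcp": 389, "_ldaps._tcp": 636,
    "_http._tcp": 80, "_https._tcp": 443,
}

# owner (may be blank on a continuation line) IN SRV prio weight port target
SRV_RE = re.compile(r"^(?P<owner>\S*)\s+IN\s+SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$")


def parse_srv(zone_text):
    """Return (owner, port, target) for every SRV line in a zone fragment.
    A line with a blank owner inherits the previous owner, as BIND does."""
    records, owner = [], None
    for line in zone_text.splitlines():
        line = line.split(";")[0].rstrip()  # strip zone-file comments
        m = SRV_RE.match(line)
        if not m:
            continue  # blank line or a non-SRV record (A, TXT, ...)
        owner = m.group("owner") or owner
        records.append((owner, int(m.group("port")), m.group("target")))
    return records


def check_srv(records):
    """Return findings: wrong port for a known service, an unknown service
    name, or a FreeIPA service with no SRV record at all."""
    findings, seen = [], set()
    for owner, port, target in records:
        seen.add(owner)
        want = EXPECTED_PORTS.get(owner)
        if want is None:
            findings.append(f"{owner}: unknown service name")
        elif port != want:
            findings.append(f"{owner} -> {target}: port {port}, expected {want}")
    findings += [f"{name}: no SRV record" for name in sorted(EXPECTED_PORTS.keys() - seen)]
    return findings


# Constructed sample with two deliberate slips: KDC on 464, one HTTPS target on 442.
SAMPLE_ZONE = """\
_ldap._tcp              IN   SRV     0 100 389 ipa1
                        IN   SRV     0 100 389 ipa2
_kerberos._tcp          IN   SRV     0 100 464 ipa1
_https._tcp             IN   SRV     0 100 443 ipa1
                        IN   SRV     0 100 442 ipa2
"""
```

Running `check_srv(parse_srv(SAMPLE_ZONE))` flags the two wrong ports and lists the six services the fragment does not define.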

piggy_op
Posts: 10
Joined: 2017/01/30 21:21:32

Re: IPA DNS Configuration

Post by piggy_op » 2017/06/08 20:21:56

Thanks, that's really helpful!
