I have been trying to get an IPA setup working, and I got to the point where I had a test server with users who could ssh to a joined machine with a single sign on, which was one of my goals. However, I am failing miserably to get a replica machine to join my realm, and some of the error messages I'm seeing while trying have made me suspect that I need to rethink my DNS settings. Here's what I have:
- A linux machine handling local DNS for internal machines with a real domain (piggy.com in my examples). I initially set three entries:
  - kerberos1.piggy.com (192.168.0.7)
  - ipa.piggy.com (192.168.0.7)
  - kerberos2.piggy.com (192.168.0.9)
- Two CentOS 7 virtual machines, kerberos1 & kerberos2.
IPA was installed on kerberos1, using the realm IPA.PIGGY.COM. What I'm suspecting is that, since piggy.com is a real domain with external machines like server.piggy.com, I should have set up kerberos1/2 with the FQDNs kerberos1.ipa.piggy.com/kerberos2.ipa.piggy.com. It also seems to me (although I started this process a while ago) that I needed to add ipa.piggy.com to my DNS to get the initial install to work with a client.
So my questions are:
- Given an existing domain, should I set up my IPA servers (masters and replicas) to use FQDNs of the form kerberos1.ipa.piggy.com?
- If my realm is IPA.PIGGY.COM, do I need a DNS entry for that? If so, where should it resolve to?