On Tue, Aug 15, 2017 at 10:05:50PM -0400, Alexandre Pitre wrote:
> Hi Alexander,
>
> You're correct, turns out I wasn't using the correct domain for the
> --domain parameter. I thought I was. Here's the command I used.
>
>     ipa-client-install -U -p admin -w Passw0rd! --enable-dns-updates --mkhomedir \
>         --domain=ipa.ad.com --realm=IPA.AD.COM --no-ntp --debug
>
> All of my client hostnames are set as "hostname.domain.ad.com"; I didn't
> know that in itself was enough of a requirement to join them to
> FreeIPA. Of course, given that the domain is also present in FreeIPA and
> the AD trust has been established AFTER the domain was added to FreeIPA.
>
> I haven't tested yet without the realm parameter. Is it possible that I
> don't need the --domain nor --realm parameters? Does that require the
> creation of _ldap._tcp SRV records in the domain.ad.com DNS zone?
>
> Taken from the man page:
>
>     When the client machine hostname is not in a subdomain of an IPA server,
>     its domain can be passed with the --domain
>     (https://www.mankier.com/1/ipa-client-install#--domain) option. In that
>     case, both SSSD and Kerberos components have the domain set in the
>     configuration files and will use it to autodiscover IPA servers.
>
> That line misdirected me, not sure if that's my interpretation.
> Documentation could benefit from being clearer and having examples.

Since you had to deal with this kind of setup from a user perspective,
would you mind proposing a better wording?

> Setting krb5_auth_timeout to 120 seconds is also required in my environment
> as we're dealing with AD DCs spread all over the globe. To make Kerberos
> negotiation faster, I assume I could specify my AD.COM realm in
> /etc/krb5.conf with my local site AD DCs?
Yes, currently this is needed. Using the 'site affinity' on the clients
is on the roadmap, but not implemented yet.
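A concrete form of the workaround confirmed above, written as an added example rather than configuration either poster shipped: the trusted AD.COM realm pinned to the DCs of the client's own site in /etc/krb5.conf, next to the krb5_auth_timeout setting in the client's sssd.conf. The DC hostnames and the site name are assumed placeholders.

```ini
# /etc/krb5.conf (fragment): pin the trusted AD realm to the DCs of the
# client's own site. dc1.emea.ad.com / dc2.emea.ad.com are assumed
# placeholder names, not hosts from the thread.
[realms]
  AD.COM = {
    # Explicit kdc entries take precedence over DNS SRV discovery for this
    # realm, so the client stops trying far-away DCs before the local ones.
    kdc = dc1.emea.ad.com
    kdc = dc2.emea.ad.com
  }

# /etc/sssd/sssd.conf (fragment): the IPA domain section of the client.
[domain/ipa.ad.com]
  id_provider = ipa
  auth_provider = ipa
  ipa_domain = ipa.ad.com
  # SSSD's default is 6 seconds; raise it so slow cross-site Kerberos
  # round trips do not fail authentication before the AD KDC answers.
  krb5_auth_timeout = 120
```

Restart sssd after editing; the kdc list only affects which AD KDCs are tried, so a wrong hostname here surfaces as a Kerberos timeout rather than a configuration error.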