On Mon, 22 Jul 2019, Raul Gomez via FreeIPA-users wrote:
> This is the command I'm using to enroll the clients:
> ipa-client-install -v --enable-dns-updates --mkhomedir --domain=pro.mydomain.local
> --hostname=client-1.pro.mydomain.local
> Why am I forcing the --domain parameter? In order to enroll the clients
> with the appropriate DNS zone for their respective domain.
This is wrong.
As ipa-client-install documentation says, --domain option points to the
primary IPA domain for this deployment. "Primary" means the one equal to
IPA Kerberos realm. The primary domain is the one that is used to create
a base DN in LDAP:
example.com -> dc=example,dc=com
You can deploy clients in other DNS domains without any problem, but
you'd need to follow a few rules so that auto-discovery works; they
are all covered in the man page for ipa-client-install, section 'DNS
autodiscovery'.
Once those machines are deployed, they can ask for certificates using their
hostname and there will be no problem issuing them.
If you have systems that cannot directly communicate, make sure to
deploy masters in both segments and allow them to communicate with each
other, then define IPA locations to make sure clients prefer
their own location's servers. Make sure to include CA replicas at
both locations too. There are also a few more nuances that you can see in
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
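A simplified model of the discovery rules discussed above, added here as an example for this thread (it is not FreeIPA's code and not part of the original mail). The DNS record tables are constructed; the parent-domain walk, the record names (_ldap._tcp SRV, _kerberos TXT) and the fallback to the upper-cased domain as realm are assumptions distilled from the ipa-client-install man page, not a transcript of the real installer. It shows why forcing --domain to the client's sub-domain gives a base DN that no longer matches the realm, while leaving --domain unset (or setting it to the primary domain) lets a client in pro.mydomain.local find the masters through DNS:

```python
"""Simplified model of IPA client auto-discovery (added example, not FreeIPA
code).  Zone tables are constructed; the parent-domain walk and the
realm fallback are assumptions about ipa-client-install's behaviour."""

# Constructed DNS data: the primary domain mydomain.local publishes the IPA
# discovery records; pro.mydomain.local is a separate zone for the clients,
# here re-publishing SRV/TXT records that point back at the IPA masters.
ZONE_WITH_DELEGATED_RECORDS = {
    ("SRV", "_ldap._tcp.mydomain.local"): ["ipa-1.mydomain.local"],
    ("SRV", "_kerberos._udp.mydomain.local"): ["ipa-1.mydomain.local"],
    ("TXT", "_kerberos.mydomain.local"): ["MYDOMAIN.LOCAL"],
    ("SRV", "_ldap._tcp.pro.mydomain.local"): ["ipa-1.mydomain.local"],
    ("TXT", "_kerberos.pro.mydomain.local"): ["MYDOMAIN.LOCAL"],
}

# Same deployment, but the sub-domain zone carries no IPA records at all.
ZONE_WITHOUT_SUBDOMAIN_RECORDS = {
    k: v for k, v in ZONE_WITH_DELEGATED_RECORDS.items()
    if not k[1].endswith(".pro.mydomain.local")
}


def base_dn(domain):
    """example.com -> dc=example,dc=com (how IPA derives its LDAP suffix)."""
    return ",".join("dc=" + label for label in domain.lower().split("."))


def candidate_domains(hostname):
    """The host's own DNS domain, then each parent, stopping at two labels.
    Assumption: this is the order auto-discovery tries search domains."""
    labels = hostname.lower().split(".")[1:]
    while len(labels) >= 2:
        yield ".".join(labels)
        labels = labels[1:]


def discover(hostname, records, forced_domain=None):
    """Find IPA servers via the first search domain whose _ldap._tcp SRV
    record answers.  forced_domain models --domain: it becomes both the
    only search domain and the configured IPA domain."""
    candidates = [forced_domain] if forced_domain else list(candidate_domains(hostname))
    for domain in candidates:
        servers = records.get(("SRV", "_ldap._tcp." + domain))
        if not servers:
            continue
        txt = records.get(("TXT", "_kerberos." + domain))
        realm = txt[0] if txt else domain.upper()   # assumption: fallback rule
        ipa_domain = forced_domain or realm.lower()  # primary domain == realm
        return {
            "search_domain": domain,
            "realm": realm,
            "servers": servers,
            "ipa_domain": ipa_domain,
            "basedn": base_dn(ipa_domain),
        }
    return None


def check_primary_domain(result):
    """--domain is only right if it equals the realm lower-cased: that is
    the domain IPA turned into the LDAP base DN when the server was installed."""
    if result is None:
        return "no IPA servers found via DNS"
    expected = base_dn(result["realm"])
    if result["basedn"] != expected:
        return ("--domain=%s gives base DN %s but realm %s implies %s"
                % (result["ipa_domain"], result["basedn"], result["realm"], expected))
    return "ok"


if __name__ == "__main__":
    host = "client-1.pro.mydomain.local"
    # What the original command did: force the sub-domain as --domain.
    forced = discover(host, ZONE_WITH_DELEGATED_RECORDS, forced_domain="pro.mydomain.local")
    print(check_primary_domain(forced))
    # No --domain: the sub-domain's records answer, realm still names the primary domain.
    auto = discover(host, ZONE_WITH_DELEGATED_RECORDS)
    print(auto["search_domain"], auto["basedn"], check_primary_domain(auto))
    # No records in the sub-domain: discovery walks up to mydomain.local.
    walk = discover(host, ZONE_WITHOUT_SUBDOMAIN_RECORDS)
    print(walk["search_domain"], check_primary_domain(walk))
    # Forcing the empty sub-domain finds nothing at all.
    print(check_primary_domain(discover(host, ZONE_WITHOUT_SUBDOMAIN_RECORDS,
                                        forced_domain="pro.mydomain.local")))
```

Against a real deployment the equivalent check is to query the records the model reads, e.g. `dig +short SRV _ldap._tcp.pro.mydomain.local` and `dig +short TXT _kerberos.pro.mydomain.local`, and to compare the realm they return with the value you intend to pass as --domain.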