Thank you, that will help.  I don't want to have to go down that road but it's looking more and more like I will have to.


On Tuesday, February 13, 2018 8:34 AM, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


On ti, 13 helmi 2018, Andrew Meyer via FreeIPA-users wrote:
>Fish the entries?  Can you elaborate on that a bit more?
>Since FreeIPA auto-builds txt records and what not for client
>machines...How did you do that?  Or did you not utilize that?
When you install an IPA master without the integrated DNS server, the IPA installer
will generate a sample DNS zone for your own domain and put it into a
temporary file in /tmp. The name of the file is displayed in the console
output; it looks like /tmp/ipa.system.records.*.db

You can re-generate the same file with the following sequence:

- as root on the IPA master, run
  ipa -e in_server=True console

  this will open a special IPA console where you can use the Python API
  directly. Note that this operation does not require a Kerberos ticket
  and does not communicate with the IPA framework; instead, it talks
  directly to IPA LDAP over a local interface as cn=Directory Manager, so
  be careful what you do there.

- within the console, enter the following (>>> indicates where to enter):
>>> from ipaserver.install import bindinstance
>>> bind = bindinstance.BindInstance(api=api)
>>> bind.create_file_with_system_records()

- exit console with ctrl-D

You'd get something like this in your terminal:

[root@master ~]# ipa -e in_server=True console
(Custom IPA interactive Python console)
>>> from ipaserver.install import bindinstance
>>> bind = bindinstance.BindInstance(api=api)
>>> bind.create_file_with_system_records()
Please add records in this file to your DNS system: /tmp/ipa.system.records.c3fq4oa1.db
>>> (pressed ctrl-D here)
now exiting InteractiveConsole...

[root@master ~]# cat /tmp/ipa.system.records.c3fq4oa1.db
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos-master._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
_kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 master.example.com.
_kpasswd._udp.example.com. 86400 IN SRV 0 100 464 master.example.com.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ldap._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ntp._udp.example.com. 86400 IN SRV 0 100 123 master.example.com.
ipa-ca.example.com. 86400 IN A SOME-IPv4-ADDRESS


>
>    On Tuesday, February 13, 2018 2:58 AM, Alex Corcoles via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
>
> You can, but you need to add the DNS entries that FreeIPA adds to its domain to your DNS server.
>
>What I did was install FreeIPA in a test environment and fish the entries from there.
>
>On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
>I know I have sent in multiple emails, but we are trying to deploy FreeIPA correctly.  However I am getting asked to find out some other details.  
>Can FreeIPA survive w/o DNS?  We would like to implement FreeIPA and still be able to use the SSH, sudo, selinux, LDAP & krb5.  
>We are moving to AWS and management is afraid that we will have to maintain multiple sets of DNS.  And that if FreeIPA is the focal point for all servers and, God forbid, it crashes, there goes our whole environment.  They would like to put the zone in R53 and have that handle ALL the records.  If we do go through with not installing DNS w/ FreeIPA will we be shooting ourselves in the foot?
>I know that FreeIPA relies heavily on DNS and I have seen multiple conversations regarding not to do this, but is this somewhere in the best practices?
>I found this thread from 2015 but I don't think it applies anymore: Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS
>
>
>The problem is that we have 30 domains that we want to use in R53 and he wants to bypass FreeIPA for doing DNS other than for auth and sudo and ldap.  Could we put entries in the /etc/hosts file to point to the FreeIPA servers?  I feel like this might work and might be more problematic down the line.
>Regards,
>Andrew
>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>
>
>
>
>
>--
>   ___
> {~._.~}  ( Y )
> ()~*~()  mail: alex at corcoles dot net (_)-(_)  http://alex.corcoles.net/
>
>
>



--
/ Alexander Bokovoy

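The records in the /tmp/ipa.system.records.*.db file above are what clients use to discover the KDC, LDAP and kpasswd services, so when the zone lives in an external DNS such as Route 53 it is worth scripting two things: turning that file into a Route 53 change batch (one record set per name/type, as Route 53 requires), and checking afterwards that a resolver actually returns every record the master expects. The following Python is an added example, not code from the thread or from FreeIPA; it assumes the one-record-per-line `name TTL IN TYPE rdata` format shown above, the change-batch JSON shape accepted by `aws route53 change-resource-record-sets --change-batch file://...`, and, for the live check only, that dnspython is installed. The sample zone text is a constructed subset of the records posted in the thread.

```python
"""Parse a FreeIPA system-records zone snippet, emit a Route 53 change batch,
and verify a resolver against it.  Added example; not FreeIPA's own code."""
import json
import re
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple, Set


class Record(NamedTuple):
    name: str    # owner name, with trailing dot, as written in the file
    ttl: int
    rtype: str   # SRV, TXT, A, ...
    rdata: str   # remainder of the line, unchanged


# Constructed sample: a subset of the records shown in the thread.
SAMPLE_ZONE = """\
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos._udp.example.com. 86400 IN SRV 0 100 88 master.example.com.
_kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
_kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 master.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 master.example.com.
_ntp._udp.example.com. 86400 IN SRV 0 100 123 master.example.com.
ipa-ca.example.com. 86400 IN A SOME-IPv4-ADDRESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")


def parse_system_records(text: str) -> List[Record]:
    """Parse 'name TTL IN TYPE rdata' lines; blank lines and ';' comments are skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a 'name TTL IN TYPE rdata' record: {line!r}")
        name, ttl, rtype, rdata = m.groups()
        records.append(Record(name, int(ttl), rtype.upper(), rdata))
    return records


def to_route53_change_batch(records: List[Record], action: str = "UPSERT") -> dict:
    """Group records by (name, type) into one ResourceRecordSet each.
    SRV rdata ('prio weight port target') and quoted TXT values are already in the
    form Route 53 expects, so they pass through unchanged."""
    grouped: Dict[tuple, List[Record]] = defaultdict(list)
    for r in records:
        grouped[(r.name, r.rtype)].append(r)
    changes = []
    for (name, rtype), group in sorted(grouped.items()):
        changes.append({
            "Action": action,
            "ResourceRecordSet": {
                "Name": name,
                "Type": rtype,
                "TTL": min(r.ttl for r in group),
                "ResourceRecords": [{"Value": r.rdata} for r in group],
            },
        })
    return {"Comment": "FreeIPA service discovery records", "Changes": changes}


Lookup = Callable[[str, str], Set[str]]  # (name, rtype) -> rdata strings seen


def verify_records(records: List[Record], lookup: Lookup) -> List[str]:
    """Return one message per record that the resolver does not return.
    An A record whose rdata is not a dotted quad (e.g. the installer's
    SOME-IPv4-ADDRESS placeholder) is reported without being looked up."""
    problems = []
    for r in records:
        if r.rtype == "A" and not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", r.rdata):
            problems.append(f"{r.name} A: unresolved placeholder {r.rdata!r}")
            continue
        answer = lookup(r.name, r.rtype)
        if r.rdata not in answer:
            problems.append(f"{r.name} {r.rtype}: expected {r.rdata!r}, resolver returned {sorted(answer)}")
    return problems


def dnspython_lookup(name: str, rtype: str) -> Set[str]:
    """Live lookup via dnspython (assumed installed); imported lazily so that
    parsing and offline verification work without it."""
    import dns.resolver
    try:
        return {rr.to_text() for rr in dns.resolver.resolve(name, rtype)}
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return set()


if __name__ == "__main__":
    recs = parse_system_records(SAMPLE_ZONE)
    print(json.dumps(to_route53_change_batch(recs), indent=2))
    try:
        problems = verify_records(recs, dnspython_lookup)
    except ImportError:
        problems = ["dnspython not installed; skipping live check"]
    for problem in problems:
        print("CHECK:", problem)
```

Run against the real file (`parse_system_records(open(path).read())`) once the records have been pushed to Route 53; an empty list from `verify_records` means every discovery record the master expects is visible from the resolver the clients will use, and the placeholder report is the reminder that the installer leaves the ipa-ca A record for you to fill in.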