Hi,
Is there a correct way to set up a public/private design using IPA for
Kerberos?
I am currently implementing Kerberos for our Hadoop cluster.
For communication between nodes, I use RFC 1918 addresses
This works properly, but adds a complexity for FreeIPA.
Hosts have a public interface which they use for IPA.
Ex. host/iictyibmls003.nix.infrabel.be@NIX.INFRABEL.BE (a 10.x.x.x IP)
For the private 172.16.x.x IPs, I made DNS zones (+reverse) as well, since
Hadoop uses DNS a lot.
(.local, in this case adapted to the location)
Ex. iictyibcls002.nix.infrabel.be.bdmzlocal. resolves to 172.16.2.2
The problem: Hadoop now wants to create Kerberos service principals for
the .local domain...
I have searched on the mailing list and other resources, but I am not sure
what the proper 'IPA way' is.
Adding a principal alias does not work (as I expected) -->
STDERR: ipa: ERROR: The host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not exist to add a service to.
And if I try to add a host first, using correct DNS records (A and PTR),
this still results in
2017-07-11 06:57:27,072 - Failed to create principal, HTTP/iictyibcls002.nix.infrabel.be.bdmzlocal@NIX.INFRABEL.BE - Failed to create service principal for HTTP/iictyibcls002.nix.infrabel.be.bdmzlocal@NIX.INFRABEL.BE
STDOUT:
STDERR: ipa: ERROR: Host 'iictyibcls002.nix.infrabel.be.bdmzlocal' does not have corresponding DNS A/AAAA record
Was there something about a (kadmin) override?
Thx a lot!
Pieter
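A pre-check for the "does not have corresponding DNS A/AAAA record" refusal quoted above, added here as an example and not part of the original post or of FreeIPA: it resolves the hostname forward, resolves the resulting address back, and reports whether the two agree as seen from the machine it runs on (the IPA server's resolver is the one that matters for host-add). It assumes dig(1) is installed; the hostnames in the test are constructed.

```shell
#!/bin/sh
# Added example: check that a host has a forward A record and that the PTR
# for that address maps back to the same name, before trying "ipa host-add".
# Assumes dig(1) (bind-utils) is available on the machine running the check.

# Normalise a DNS name: lowercase and strip one trailing dot.
canon_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Pure comparison, so the logic can be exercised without network access.
# $1 = hostname, $2 = forward-resolved IPv4 (empty if none),
# $3 = name returned by the PTR lookup (empty if none).
# Prints a verdict; returns 0 only when forward and reverse agree,
# 1 = no A record, 2 = no PTR record, 3 = PTR points at a different name.
classify() {
    host=$(canon_name "$1"); ip=$2; ptr=$(canon_name "$3")
    if [ -z "$ip" ]; then
        echo "NO_A: $host has no A record (ipa host-add will refuse it)"
        return 1
    elif [ -z "$ptr" ]; then
        echo "NO_PTR: $ip has no PTR record (Kerberos reverse canonicalisation will fail)"
        return 2
    elif [ "$ptr" != "$host" ]; then
        echo "MISMATCH: $ip reverses to $ptr, not $host"
        return 3
    fi
    echo "OK: $host <-> $ip"
    return 0
}

# Live check against the resolver visible to this machine.
check_host() {
    fwd=$(dig +short A "$1" 2>/dev/null | head -n 1)
    rev=""
    if [ -n "$fwd" ]; then
        rev=$(dig +short -x "$fwd" 2>/dev/null | head -n 1)
    fi
    classify "$1" "$fwd" "$rev"
}

# Usage: ./dnscheck.sh iictyibcls002.nix.infrabel.be.bdmzlocal
if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

Run it on the IPA server as well as on the Hadoop node, since a zone that only the private-side resolver knows about will pass on the node and still fail inside IPA.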