On Tue, 27 Nov 2018, 74cmonty via FreeIPA-users wrote:
> Hi Florence,
> I intend to define a subdomain for each network, e.g.
> DMZ = dmz.<mydomain>.de (10.0.0.0/24) -> VLAN
> LAN = local.<mydomain>.de (192.168.1.0/24)
> SHZ = smz.<mydomain>.de (Smart Home Network) (10.0.10.0/28) -> VLAN
> Does this make sense to you?
> Or is this an overkill?
There is no specific reason to object here, from FreeIPA's point of view, of course.
Look at ipa-client-install's manual page:
-------------------------------------------------
DNS Autodiscovery
Client installer by default tries to search for _ldap._tcp.DOMAIN
DNS SRV records for all domains that are parent to its hostname.
For example, if a client machine has a hostname
'client1.lab.example.com', the installer will try to retrieve an
IPA server hostname from
_ldap._tcp.lab.example.com,
_ldap._tcp.example.com and
_ldap._tcp.com DNS SRV records,
respectively. The discovered domain is then used to configure
client components (e.g. SSSD and Kerberos 5 configuration) on the
machine.
When the client machine hostname is not in a subdomain of an
IPA server, its domain can be passed with --domain option. In
that case, both SSSD and Kerberos components have the domain set
in the configuration files and will use it to autodiscover IPA
servers.
Client machine can also be configured without a DNS autodiscovery
at all. When both --server and --domain options are used, client
installer will use the specified server and domain directly.
--server option accepts multiple server hostnames which can be
used for failover mechanism. Without DNS autodiscovery, Kerberos
is configured with a fixed list of KDC and Admin servers. SSSD
is still configured to either try to read domain's SRV records or
the specified fixed list of servers. When --fixed-primary option
is specified, SSSD will not try to read DNS SRV record at all
(see sssd-ipa(5) for details).
-------------------------------------------------
So it is irrelevant where the client is -- pass --domain <IPA primary domain>
to ipa-client-install and it will be discovered automatically.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
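The SRV walk from the manual page excerpt, as an added simulation that is not part of this thread or of ipa-client-install itself: it shows which _ldap._tcp names a client in a subdomain such as dmz.example.com would try without --domain, and how --domain (or --domain plus --server) changes that. The zone data and the hostnames are constructed; example.com stands in for <mydomain>.de and nothing is actually resolved.

```python
# Added example, not code from the thread or from ipa-client-install.
# Simulates the three discovery modes the manual page describes; the
# SRV records below are constructed sample data standing in for DNS.

from typing import Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target)

# Constructed zone data: only the IPA primary domain publishes the record;
# the per-network subdomains (dmz, local, smz) do not.
SAMPLE_SRV: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.example.com": [(0, 100, 389, "ipa1.example.com."),
                               (0, 100, 389, "ipa2.example.com.")],
}


def candidate_srv_names(hostname: str) -> List[str]:
    """Return the _ldap._tcp.<domain> names tried, in order.

    Every parent of the hostname is a candidate, down to the top-level
    label (the manual page's example ends at _ldap._tcp.com).
    """
    labels = hostname.rstrip(".").split(".")
    return ["_ldap._tcp." + ".".join(labels[i:]) for i in range(1, len(labels))]


def discover(hostname: str, records: Dict[str, List[SrvRecord]],
             domain: Optional[str] = None,
             servers: Optional[List[str]] = None) -> Tuple[str, List[str], str]:
    """Return (mode, server targets, domain used) for the given options."""
    if servers and domain:
        # --server plus --domain: no DNS autodiscovery at all.
        return "fixed", list(servers), domain
    if domain:
        # --domain: only the named domain's SRV record is consulted,
        # regardless of which subdomain the client's hostname is in.
        names = ["_ldap._tcp." + domain]
    else:
        names = candidate_srv_names(hostname)
    for name in names:
        rrs = records.get(name)
        if rrs:
            # Lower priority wins, as for any SRV record set.
            targets = [t.rstrip(".") for _, _, _, t in sorted(rrs)]
            return "srv", targets, name[len("_ldap._tcp."):]
    raise LookupError("no _ldap._tcp SRV record found for " + hostname)
```

Without --domain, a host whose name is not under the IPA domain at all (the lookup falls through to the TLD) ends in LookupError, which is the case the --domain advice above avoids.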