Hello Guys, I just recently configured my IPA server on its own subdomain within my active directory environment and established trust between AD and Free IPA. Windows users can now SSH to my Free IPA server.
I now want to configure my existing Debian server which is on my AD domain so AD users can SSH to it. I have read through the following documentation to enroll my Debian box on my AD domain to Free IPA (https://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain) and seem to be confusing myself. I am no linux expert and have been learning on the fly.
I have tried running the following command and got these results and was under the impression that the DNS domain should be example.com? If someone could please provide some simple steps and confirm what I should expect that would help me get my head around it.
*****************************************************************************************
ipa-client-install --domain linux.example.com --enable-dns-updates
This program will set up FreeIPA client. Version 4.7.2
WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
Discovery was successful! Client hostname: Server.example.com Realm: LINUX.EXAMPLE.COM DNS Domain: linux.example.com IPA Server: IPA01.linux.example.com BaseDN: dc=linux,dc=example,dc=com
Thank you as always, Ash
Hi, the following blog post describes your situation and may help understand the issues with linux hosts enrolled to IPA while their domain name belongs to AD: https://www.redhat.com/en/blog/i-really-cant-rename-my-hosts
Hope this clarifies, flo
On Wed, Apr 28, 2021 at 7:49 AM Ash Ryder via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
> Hello Guys, I just recently configured my IPA server on its own subdomain within my active directory environment and established trust between AD and Free IPA. Windows users can now SSH to my Free IPA server.
> I now want to configure my existing Debian server which is on my AD domain so AD users can SSH to it. I have read through the following documentation to enroll my Debian box on my AD domain to Free IPA (https://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain) and seem to be confusing myself. I am no linux expert and have been learning on the fly.
> I have tried running the following command and got these results and was under the impression that the DNS domain should be example.com? If someone could please provide some simple steps and confirm what I should expect that would help me get my head around it.
> ipa-client-install --domain linux.example.com --enable-dns-updates
> This program will set up FreeIPA client. Version 4.7.2
> WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
> Discovery was successful! Client hostname: Server.example.com Realm: LINUX.EXAMPLE.COM DNS Domain: linux.example.com IPA Server: IPA01.linux.example.com BaseDN: dc=linux,dc=example,dc=com
> Thank you as always, Ash
So I enrolled with the below settings and didn't make any changes with regards to the krb5.conf or add a CNAME record, and can authenticate with my AD user account and obtain a ticket to this client. I thought I wouldn't be able to without these settings changed. Am I missing something with regards to SSO? If I just want to manage access to my Linux machines, is this setup okay? What ability do I lose?
ipa-client-install --domain linux.example.com --enable-dns-updates
This program will set up FreeIPA client. Version 4.7.2
WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
Discovery was successful! Client hostname: Server.example.com Realm: LINUX.EXAMPLE.COM DNS Domain: linux.example.com IPA Server: IPA01.linux.example.com BaseDN: dc=linux,dc=example,dc=com
Ash Ryder via FreeIPA-users wrote:
> So I enrolled with the below settings and didn't make any changes with regards to the krb5.conf or add a CNAME record, and can authenticate with my AD user account and obtain a ticket to this client. I thought I wouldn't be able to without these settings changed. Am I missing something with regards to SSO? If I just want to manage access to my Linux machines, is this setup okay? What ability do I lose?
> ipa-client-install --domain linux.example.com --enable-dns-updates
> This program will set up FreeIPA client. Version 4.7.2
> WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
> Discovery was successful! Client hostname: Server.example.com Realm: LINUX.EXAMPLE.COM DNS Domain: linux.example.com IPA Server: IPA01.linux.example.com BaseDN: dc=linux,dc=example,dc=com
ipa-client-install configures the machine to work with Kerberos (e.g. updates /etc/krb5.conf).
I don't know what you mean about a DNS cname but one should generally not be required.
rob
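The point in rob's reply that matters for a host living in the AD DNS domain is the [domain_realm] section that ipa-client-install writes into /etc/krb5.conf. The following is an added example, not code from the thread or from the FreeIPA project: it applies the Kerberos domain_realm lookup rules to a constructed krb5.conf that uses the thread's names (IPA realm LINUX.EXAMPLE.COM, AD domain example.com); the explicit per-host entry for server.example.com is an assumed line, not something copied from the poster's machine.

```shell
#!/bin/sh
# Constructed krb5.conf fragment (assumption, not the poster's real file).
# The "server.example.com = LINUX.EXAMPLE.COM" line is the kind of explicit
# host mapping needed when the host's DNS domain belongs to AD but the host
# is enrolled in the IPA realm.
KRB5_SAMPLE='[libdefaults]
  default_realm = LINUX.EXAMPLE.COM
  dns_lookup_realm = false

[domain_realm]
  .linux.example.com = LINUX.EXAMPLE.COM
  linux.example.com = LINUX.EXAMPLE.COM
  server.example.com = LINUX.EXAMPLE.COM
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
'

# realm_for_host HOST [CONF_TEXT]
# Resolves HOST to a realm the way libkrb5 reads [domain_realm]: an exact
# hostname entry wins, then the longest ".parent.domain" entry, and if
# nothing matches the default_realm from [libdefaults] is used.
realm_for_host() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  conf=${2:-$KRB5_SAMPLE}
  # Keep only "key=value" pairs that sit inside the [domain_realm] section.
  mapping=$(printf '%s\n' "$conf" | awk '
    /^[[:space:]]*\[/ { insec = ($0 ~ /\[domain_realm\]/); next }
    insec && /=/ { gsub(/[[:space:]]/, ""); print }')
  # 1. exact hostname entry
  r=$(printf '%s\n' "$mapping" | awk -F= -v h="$host" '$1 == h { print $2; exit }')
  [ -n "$r" ] && { echo "$r"; return 0; }
  # 2. walk up the parent domains: server.example.com -> .example.com -> .com
  d=$host
  while [ "${d#*.}" != "$d" ]; do
    d=${d#*.}
    r=$(printf '%s\n' "$mapping" | awk -F= -v h=".$d" '$1 == h { print $2; exit }')
    [ -n "$r" ] && { echo "$r"; return 0; }
  done
  # 3. fall back to default_realm
  printf '%s\n' "$conf" | awk -F= '/default_realm/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# Show where each host name lands under the sample mapping.
for h in Server.example.com ipa01.linux.example.com dc01.example.com; do
  printf '%-28s -> %s\n' "$h" "$(realm_for_host "$h")"
done
```

Running the function against the real /etc/krb5.conf (pass its contents as the second argument) shows whether the enrolled host maps to the IPA realm or falls through to the AD realm that its DNS domain suggests.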