Discussion:
[Freeipa-users] Auto create kerberos/ldap SRV records on subdomain
Matt .
2017-04-04 18:35:42 UTC
Hi guys,

Is it possible to create in a simple way the SRV domains for Kerberos
on subdomains? It's a pain to add them all manually when you have a
lot of subdomains.

I hope someone has a solution.

Thanks!

Matt
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Alexander Bokovoy
2017-04-04 18:48:22 UTC
Post by Matt .
Hi guys,
Is it possible to create in a simple way the SRV domains for Kerberos
on subdomains? It's a pain to add them all manually when you have a
lot of subdomains.
I hope someone has a solution.
Create a TXT record _kerberos.sub.domain.tld that contains the name of your
Kerberos realm in upper case. For MIT Kerberos clients this is enough to
discover their proper Kerberos realm and DNS domain for SRV record
discovery.
--
/ Alexander Bokovoy
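
The lookup described in the reply above, as an added Python sketch (not code from the thread or from FreeIPA). It assumes the MIT Kerberos behaviour of trying `_kerberos.<hostname>` and then each parent domain, on a client with `dns_lookup_realm` enabled; the hostnames, zone contents and the upper-case check are constructed for illustration.

```python
# Added illustration: names and zone contents are constructed placeholders.

def txt_candidates(hostname):
    """Names an MIT Kerberos client queries for a realm TXT record, in order."""
    labels = hostname.rstrip(".").lower().split(".")
    # First the full hostname, then each parent domain up to the TLD.
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]

def discover_realm(hostname, txt_records):
    """Return (realm, matched_name), or (None, None) when no TXT record exists."""
    for name in txt_candidates(hostname):
        value = txt_records.get(name)
        if value is None:
            continue
        realm = value.strip().strip('"')
        # Assumption of this sketch: reject a record that is not upper case,
        # since the realm name in the TXT record must match the realm exactly.
        if realm != realm.upper():
            raise ValueError(f"{name}: realm {realm!r} is not upper case")
        return realm, name
    return None, None

def kdc_srv_names(realm):
    """Standard SRV names used to locate KDCs once the realm is known."""
    domain = realm.lower()
    return [f"_kerberos._udp.{domain}", f"_kerberos._tcp.{domain}"]

def txt_zone_lines(subdomains, realm):
    """One zone-file TXT line per subdomain, all naming the same realm."""
    return [f'_kerberos.{s.rstrip(".")}. IN TXT "{realm.upper()}"'
            for s in subdomains]

# Constructed sample data: one TXT record on a subdomain of domain.tld.
SAMPLE_TXT = {"_kerberos.sub.domain.tld": '"DOMAIN.TLD"'}

if __name__ == "__main__":
    print(txt_candidates("host1.sub.domain.tld"))
    print(discover_realm("host1.sub.domain.tld", SAMPLE_TXT))
    print(kdc_srv_names("DOMAIN.TLD"))
    print("\n".join(txt_zone_lines(["sub.domain.tld", "lab.domain.tld"],
                                   "domain.tld")))
```

Because the realm is taken from unauthenticated DNS, the TXT record only steers discovery; the client still needs the realm's KDC to prove itself through the normal Kerberos exchange.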
Matt .
2017-04-04 18:50:16 UTC
Hi Alexander,

Superb, thanks a lot for this quick fix!

Matt
Matt .
2017-04-08 21:51:23 UTC
I have tested this but the hosts don't get an enrolled status. I have
tried _kerberos TXT "MYREAL.DOMAIN.TLD" and without the quotes. I
can't see any logging about it. Any idea?

Thanks!

Matt
Matt .
2017-04-08 22:36:29 UTC
As far as I can find out I need a _ldap._tcp SRV 0 100 389
ipa-01.mydomain.tld. in my subdomain. Is there no more "general" way
to catch them all?
Matt .
2017-04-08 23:53:25 UTC
OK, CNAME does its thing :)