dns_lookup_kdc and dns_lookup_realm are set to false in krb5.conf when --server argument provided in ipa-client-install.
[root@f17-ipa4 ~]# ipa-client-install --domain=testrelm.com --realm=TESTRELM.COM -p admin -w xxxxxxx --unattended --server=f17-ipa1.testrelm.com
Hostname: f17-ipa4.testrelm.com
Realm: TESTRELM.COM
DNS Domain: testrelm.com
IPA Server: f17-ipa1.testrelm.com
BaseDN: dc=testrelm,dc=com

Synchronizing time with KDC...
Enrolled in IPA realm TESTRELM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.COM
trying https://f17-ipa1.testrelm.com/ipa/xml
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server 'http://f17-ipa1.testrelm.com/ipa/xml'
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
[root@f17-ipa4 ~]#
[root@f17-ipa4 ~]# cat /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = TESTRELM.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  TESTRELM.COM = {
    kdc = f17-ipa1.testrelm.com:88
    master_kdc = f17-ipa1.testrelm.com:88
    admin_server = f17-ipa1.testrelm.com:749
    default_domain = testrelm.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .testrelm.com = TESTRELM.COM
  testrelm.com = TESTRELM.COM
[root@f17-ipa4 ~]#
Here dns_lookup_kdc and dns_lookup_realm are set to false in krb5.conf. Not sure about this current behaviour, as existing automation scripts which expect these fields to be true are failing now. Is this expected behaviour now?
These are set to true when no --server argument provided.
rpm version:
============
[root@f17-ipa4 ~]# rpm -qa|grep freeipa*
freeipa-client-2.99.0-0.20121003T1722Zgit5bf1cee.fc17.x86_64
freeipa-python-2.99.0-0.20121003T1722Zgit5bf1cee.fc17.x86_64
freeipa-admintools-2.99.0-0.20121003T1722Zgit5bf1cee.fc17.x86_64
[root@f17-ipa4 ~]#
Please find the attached ipa-client-install.log file.
attachment ipaclient-install.log
IMO this is how it should be because when you have --server you explicitly turn off DNS lookups.
This is how it should work.
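To illustrate the behaviour discussed in this ticket, here is an added example (not FreeIPA's code and not part of the original ticket): a small POSIX shell check that classifies a client krb5.conf by how it locates the KDC. With --server the client is pinned to the listed kdc entries and never consults _kerberos SRV or TXT records; without it, discovery goes through DNS, which MIT's krb5.conf documentation notes is not a secure lookup for the realm mapping. The sample configurations the script writes are constructed for this example; the first mirrors the krb5.conf shown above, the file names are temporary files, and the function names are my own. Automation that only asserted dns_lookup_kdc = true can check the printed mode instead.

```shell
#!/bin/sh
# Added example, not FreeIPA code: classify how a client krb5.conf locates
# its KDCs. Sample configs below are constructed for this example.

# krb5_setting FILE SECTION KEY
# Print the first value of KEY found under [SECTION]. Nested realm blocks
# are not tracked separately, so "realms kdc" returns the first kdc listed.
krb5_setting() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^#/d' "$1" |
    awk -v want="[$2]" -v key="$3" -F'[[:space:]]*=[[:space:]]*' '
        substr($0, 1, 1) == "["      { cur = $0; next }
        cur == want && $1 == key     { print $2; exit }
    '
}

# kdc_discovery_mode FILE
# Prints one of:
#   pinned - dns_lookup_kdc and dns_lookup_realm are explicitly false:
#            only the kdc entries in [realms] are used (what
#            ipa-client-install --server produces)
#   dns    - both are explicitly true: KDCs come from _kerberos SRV records
#            and host->realm mapping may come from DNS TXT records
#   mixed  - anything else, including keys left unset (compile-time
#            defaults then apply, which this check does not guess)
# Returns 1 when DNS KDC lookup is explicitly off but [realms] lists no kdc,
# because such a client has no way to reach any KDC.
kdc_discovery_mode() {
    conf=$1
    dns_kdc=$(krb5_setting "$conf" libdefaults dns_lookup_kdc)
    dns_realm=$(krb5_setting "$conf" libdefaults dns_lookup_realm)
    kdc=$(krb5_setting "$conf" realms kdc)

    if [ "$dns_kdc" = false ] && [ -z "$kdc" ]; then
        echo "broken: dns_lookup_kdc is false and [realms] lists no kdc" >&2
        return 1
    fi
    if [ "$dns_kdc" = false ] && [ "$dns_realm" = false ]; then
        echo pinned
    elif [ "$dns_kdc" = true ] && [ "$dns_realm" = true ]; then
        echo dns
    else
        echo mixed
    fi
}

# Constructed sample 1: the --server layout from the ticket.
PINNED_CONF=$(mktemp)
cat > "$PINNED_CONF" <<'EOF'
#File modified by ipa-client-install
[libdefaults]
  default_realm = TESTRELM.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
[realms]
  TESTRELM.COM = {
    kdc = f17-ipa1.testrelm.com:88
    master_kdc = f17-ipa1.testrelm.com:88
    admin_server = f17-ipa1.testrelm.com:749
    default_domain = testrelm.com
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
[domain_realm]
  .testrelm.com = TESTRELM.COM
  testrelm.com = TESTRELM.COM
EOF

# Constructed sample 2: DNS discovery, no kdc pinned.
DNS_CONF=$(mktemp)
cat > "$DNS_CONF" <<'EOF'
[libdefaults]
  default_realm = TESTRELM.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
[realms]
  TESTRELM.COM = {
    default_domain = testrelm.com
  }
EOF

# Constructed sample 3: DNS off but nothing pinned (misconfiguration).
BROKEN_CONF=$(mktemp)
cat > "$BROKEN_CONF" <<'EOF'
[libdefaults]
  default_realm = TESTRELM.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
[realms]
  TESTRELM.COM = {
    default_domain = testrelm.com
  }
EOF

for f in "$PINNED_CONF" "$DNS_CONF"; do
    printf '%s: %s\n' "$f" "$(kdc_discovery_mode "$f")"
done
if mode=$(kdc_discovery_mode "$BROKEN_CONF" 2>/dev/null); then
    printf '%s: %s\n' "$BROKEN_CONF" "$mode"
else
    printf '%s: rejected, no usable KDC\n' "$BROKEN_CONF"
fi
```

Run it against /etc/ipa-enrolled hosts with `kdc_discovery_mode /etc/krb5.conf`; an enrolled client installed with --server should print `pinned`, one enrolled via DNS discovery should print `dns`, and a non-zero exit flags a client that can neither discover nor reach a KDC.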
Metadata Update from @ksiddiqu: - Issue assigned to someone - Issue set to the milestone: FreeIPA 3.0 GA