In a situation where the host (future client or future server) is not in the IPA domain, the installer adds a mapping of the host's domain to the IPA realm. We know nothing about the host's domain and should not assume all resources there are enrolled in IPA.
Steps to reproduce:
[ipa-srv.example.org] # ipa-server-install -a Secret123 -p Secret123 -r IPA.EXAMPLE.ORG --domain ipa.example.org -U
Actual content of [domain_realm] section of krb5.conf:
.ipa.example.org = IPA.EXAMPLE.ORG
ipa.example.org = IPA.EXAMPLE.ORG
ipa-srv.example.org = IPA.EXAMPLE.ORG
.example.org = IPA.EXAMPLE.ORG
example.org = IPA.EXAMPLE.ORG
Expected content of [domain_realm] section of krb5.conf:
.ipa.example.org = IPA.EXAMPLE.ORG
ipa.example.org = IPA.EXAMPLE.ORG
ipa-srv.example.org = IPA.EXAMPLE.ORG
Additional info:
client-install code: https://pagure.io/freeipa/blob/8960398a57f69c124ec3105289dc355baa0d5b09/f/ipaclient/install/client.py#_730-735
server-install code: https://pagure.io/freeipa/blob/8960398a57f69c124ec3105289dc355baa0d5b09/f/ipaserver/install/krbinstance.py#_227-239
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.7
Pointing back to: https://pagure.io/freeipa/issue/2006
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone