[PLUG] Linux centralized authentication

Tyrell Jentink tyrell at jentink.net
Tue Jun 19 19:33:22 UTC 2018


Yeah, this was a struggle for me, too... Not just the forward domains, but
the reverse zones, too. It all required some thinking, and I think I'm
about to change some of it... But this is what I did at the get-go:

My domain name, let's use example.com, points at my public website, and my
FreeIPA domain is only accessible internally; I just don't have a need to
authenticate outside of the network.

Inside the network, I have three DNS servers... One is just a resolver on a
OPNSense firewall, and lives at 10.0.0.1. That isn't authoritative on any
domain.

The second is FreeIPA, which lives at 10.42.1.10 and serves the lin.example.com
subdomain and the 1.42.10.arpa reverse domain. It has a conditional
forwarder to forward requests under win.example.com to 10.42.2.10.

The third is ActiveDirectory, which serves the win.example.com subdomain and the
2.42.10.arpa reverse domain. It has a conditional forwarder to forward
requests under lin.example.com to 10.42.1.10.

Both of the authoritative servers point unresolved addresses to the
resolver at 10.0.0.1; it forwards to 1.1.1.1.

You run into problems if any given domain has two authoritative servers;
that applies to both the forward and reverse domains, so you have to ensure that
each subdomain has a unique name -AND- a unique IP address space.

Does that set you on the right path, or do you need me to retry?

On Tue, Jun 19, 2018, 12:11 Galen Seitz <galens at seitzassoc.com> wrote:

> Dredging up an old thread here...
>
> On 05/02/2018 08:25 PM, Tyrell Jentink wrote:
> > I'm using FreeIPA here at home; As a product, it's really just a bunch of
> > scripts and a web interface for LDAP+Kerberos+Certificate management+Samba;
> > It aims to be a complete identity management system, a product designed to
> > compete with (Or at the very least, perform an analogous set of tasks to)
> > ActiveDirectory. It is completely open source, developed by Red Hat, for
> > Fedora, and I use it on CentOS, but it is available for a number of other
> > distros.
>
> If you (Tyrell) have the time, could you please describe whether you are
> using the BIND part of FreeIPA, and if so, the DNS architecture of your
> home network?  I've been struggling to come up to speed on this.
>
> I use openwrt as a router on my home network.  dnsmasq is enabled, and
> all of my internal machines have host.example.com names.  If dnsmasq
> doesn't recognize a name, it forwards the lookup upstream to the real
> dns host for my domain.  Given this setup, I tried several naming
> schemes for my ipa server.  With some setups the ipa-server-install
> failed early.  With others, the server install would basically work, but
> then in the client portion it would try to send DNS updates to the
> upstream DNS host.  These updates fail because my upstream DNS host
> isn't configured to expect updates.  My understanding is that these
> updates shouldn't be going to this host anyway.
>
> What finally worked for me was to create a separate subdomain.  I named
> my ipa server ipa-1.ipa.example.com, and my ipa domain ipa.example.com
> (with the Kerberos realm named IPA.SEITZASSOC.COM).  I had to add a
> server option in dnsmasq on my openwrt box to tell it to forward lookups
> in the ipa.example.com domain to my ipa server.
>
> Note that example.com is just an example.  I was using my actual domain
> name above.
>
> thanks,
> galen
> --
> Galen Seitz
> galens at seitzassoc.com
> _______________________________________________
> PLUG mailing list
> PLUG at pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
