
Posts

Showing posts from September, 2019

FreeIPA - Set dnarange and change CA Renewal Master

I've written about how to set up a FreeIPA instance and replica for managing your sudo rules, HBAC rules, users, groups and DNS zones. Since hardware ages (and I recommend using mostly hardware for your deployment), you'll have to replace it once in a while, and sometimes the replica join might not go as smoothly as expected. I'll cover how to fix two problems that occurred to me after I decommissioned my original master server.

First problem: dnarange was not set on the new replica after decommissioning the original master

The dnarange is basically your user- and group-ID range. If there's no range and you're trying to create a user, your command will fail with an error saying that there's no dnarange available. In order to fix this, run the following commands. Get the user ID of your admin user, which always uses the first available UID in the dnarange when being installed:

[archy@ipa03 ~]$ ipa user-show admin | egrep -i 'uid|gid'

Build a scalable DNS Infrastructure with Knot-DNS and FreeIPA

I've recently made a PoC at work where I build a scalable DNS Infrastructure. Please note that while the schematic includes the Windows Network, I will not go into detail with that one since this is out of scope. Linux Datacenter (internal zones only): FreeIPA / Red Hat IDM is a full identity management solution by Red Hat which integrates the following components: - 389-DS - Krb5kdc - Bind Nameserver - Dogtag CA - Certmonger This is a nice feature pack but I will only focus on the DNS part for now. The bind nameserver will handle internal domains and external forwarding in this setup. Authoritative DNS (external zones only): Knot-DNS is a high-performance authoritative DNS Server. That means, it just covers the zones itself knows about and is authoritative for. It will not forward DNS Queries to its upstream hosts. Now, let's jump into what needs to be done to make this setup reality. I'll start by setting up the Knot-Servers. Start by setting up th