FreeIPA domain question - getting things right before I start


el_pedr0

Member
Sep 6, 2016
I'm fed up of copying my users across every time I create a new VM, so am about to set up a FreeIPA system at home. This will manage only the handful of users on my home LAN.

I'm going to follow this guide How To Set Up Centralized Linux Authentication with FreeIPA on CentOS 7 | DigitalOcean

But I'm unsure what I need to set up for a domain. I now have three kinds of domains:
Domain 1)
I've got an asus AC68U router which allows me to set an internal domain (e.g. myhome.lan) so within my lan I could refer to a host (e.g. thishost) with the address thishost.myhome.lan.

Domain 2)
My router also allows me to use asus dynamic dns service asuscomm.com, so I can access my router from the WAN using something like myhomedyndns.asuscomm.com

Domain 3)
I have also registered a real domain at freenom. So I've actually got a domain like www.myrealdomain.tk.

But as part of the registration process, I had to either set some forwarding rules using A records, or redirection using dns. So I chose redirection to my asus dynamic dns service (myhomedyndns.asuscomm.com).

So what domain do I use as I set up the FreeIPA server?
 

Jon Massey

Active Member
Nov 11, 2015
It's usual to use an "internal" domain (x.local is the convention with MS AD) or your primary externally-resolvable domain for internal use. I'd go for the former, personally, to keep DNS configuration simpler.
 

DavidRa

Infrastructure Architect
Aug 3, 2015
Central Coast of NSW
www.pdconsec.net
Just a note though - it's no longer recommended to use .local for AD - while that was the recommendation, MS changed their minds with the rise of bonjour and mDNS - as I understand it, they assume .local is not available in DNS and therefore fail to resolve names using your internal DNS servers.

Instead I'd recommend a subdomain of your public domain (which is what I do) - I ended up migrating from publicname.net for the public side and "middle.earth" for internal because .earth suddenly became available to the public (I built that AD domain in 1997). Now I have publicname.net for Internet-addressable resources and int.publicname.net for internal - though I am paraphrasing slightly here too.
 

mstone

Active Member
Mar 11, 2015
Instead I'd recommend a subdomain of your public domain
Yes, always use a name that you own, because these days anything you don't own is liable to suddenly be used by someone else. If you have a ton of money (google) you can just buy a TLD to avoid having to reconfigure things when rules for names change, but for anyone else it's best to just avoid the problem by sticking with things actually under your control.
 

el_pedr0

Member
Sep 6, 2016
Thanks all. I'll use the freenom domain and I've changed my internal domain to be a subdomain of that freenom domain.

Please could you help with another question...
During installation it asks:
'Do you want to configure integrated DNS (BIND)?'

Should I use the integrated DNS or not? At the moment, my internal routing is handled by my Asus A68U, which has done all that I needed it to. Is there any reason I should have the FreeIPA take over DNS duties?

The only DNS related thing on my wish list at some point is to be able to refer to services on ports via a friendly name. For example I run a logitech media server, which is currently accessed at 'myhost.internal.lan:9000'. But I would really like to set up some way of accessing it with an alias such as myhost.internal.lan/lms. From what I've gathered so far, this might be possible with some sort of reverse DNS.
 

mstone

Active Member
Mar 11, 2015
Should I use the integrated DNS or not? At the moment, my internal routing is handled by my Asus A68U, which has done all that I needed it to. Is there any reason I should have the FreeIPA take over DNS duties?
The question is why would you not. If you use the integrated DNS then FreeIPA will handle the records for service discovery (things like the kerb & ldap servers, etc), and can be a one stop shop for adding new hosts to the network. Also possible to do things like dynamic registration integrated with DHCP. The main reason to skip all that (and handle at least some of the service records manually) is if you have an existing hierarchy you don't want to touch; if you just have a single box doing DNS forwarding it's probably easier to just let freeipa do its thing.
 

el_pedr0

Member
Sep 6, 2016
OK great. I'm a bit of a network neanderthal, but trying to evolve as quickly as possible. So I'll take the plunge and move from the effortless pre-configured safety of the router doing my internal DNS stuff, to configuring FreeIPA to do it all. After all, the whole reason is to make the provisioning of new hosts much simpler.

So next couple of questions if I may...

1) I believe I'll face the following questions during installation:

Server host name: freeipa.internal.domain.tk
Please confirm the domain name:


Remember for my LAN I'm now proposing to use a subdomain (internal.domain.tk) of my publicly available domain (domain.tk) which I got from freenom. So when asked to confirm the domain name, do I enter internal.domain.tk or domain.tk?

2) Also during configuration of the DNS during installation, I think I'll be asked:

Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [122.168.192.in-addr.arpa.]


From what I understand so far, this is something to do with translating the IP address into its corresponding URL (hence the 'reverse' bit). But my understanding is shaky at best. How should I answer these questions?
 

mstone

Active Member
Mar 11, 2015
Remember for my LAN I'm now proposing to use a subdomain (internal.domain.tk) of my publicly available domain (domain.tk) which I got from freenom. So when asked to confirm the domain name, do I enter internal.domain.tk or domain.tk?
internal.domain.tk

2) Also during configuration of the DNS during installation, I think I'll be asked:

Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [122.168.192.in-addr.arpa.]


From what I understand so far, this is something to do with translating the IP address into its corresponding URL (hence the 'reverse' bit). But my understanding is shaky at best. How should I answer these questions?
Yes, it allows the hostname to be resolved from the IP address. Assuming all your IPs are 192.168.122.x, then the default is fine. If you're using multiple networks (e.g., 192.168.122.x as well as 192.168.123.x) then change the reverse zone name to 168.192.in-addr.arpa.
 

el_pedr0

Member
Sep 6, 2016
Thanks @mstone.

Hmm. When at home, I'm all on one network e.g. 192.168.122.x. But I've also got OpenVPN set up as TUN so when I VPN in, my client gets assigned an IP 192.168.244.x. I've only just set up this VPN, so am using it in very simple ways so far - e.g. to access some Samba shares using my windows laptop or Android phone, which presumably won't be managed by FreeIPA. I guess those use cases won't have any bearing on FreeIPA (or will they, given I'm accessing files that have permissions associated with them?) :confused:. Clearly I still haven't got my head around this completely yet.

Given that (sketchy) description, is it obvious which reverse zone name I should use (i.e. 122.168.192.in-addr.arpa or 168.192.in-addr.arpa)?
 

mstone

Active Member
Mar 11, 2015
You can just take the default; it's easy to add other zones after installation.
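To make the reverse-zone advice in the two replies above concrete, here is an added example (not code from the thread or from FreeIPA) that derives the in-addr.arpa zone name the installer prompt expects from an IPv4 network, and checks which hosts a given set of reverse zones would actually cover. The LAN (192.168.122.0/24) and VPN (192.168.244.0/24) ranges are the ones from the thread; the host addresses within them are constructed.

```python
import ipaddress

def reverse_zone(network: str) -> str:
    """Return the in-addr.arpa zone name for an octet-aligned IPv4 network.

    FreeIPA's 'Please specify the reverse zone name' prompt wants a zone,
    so only /8, /16 and /24 prefixes are accepted here; anything else
    would need classless delegation and raises instead of guessing.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{network}: need an IPv4 /8, /16 or /24 network")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def ptr_name(ip: str) -> str:
    """Fully qualified owner name of the PTR record for one host address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def zone_covers(zone: str, ip: str) -> bool:
    """True when the PTR record for ip would live inside the given zone."""
    return ptr_name(ip).endswith("." + zone)

def uncovered_hosts(zones, ips) -> list:
    """Hosts whose PTR record fits none of the configured reverse zones."""
    return [ip for ip in ips if not any(zone_covers(z, ip) for z in zones)]

# Constructed sample: one LAN host and one VPN client, as in the thread.
LAN_HOST = "192.168.122.10"
VPN_CLIENT = "192.168.244.6"

if __name__ == "__main__":
    default_zone = reverse_zone("192.168.122.0/24")   # the installer default
    wide_zone = reverse_zone("192.168.0.0/16")         # covers every 192.168.x.y
    print("default zone:", default_zone)
    print("uncovered with default:", uncovered_hosts([default_zone], [LAN_HOST, VPN_CLIENT]))
    print("uncovered with /16 zone:", uncovered_hosts([wide_zone], [LAN_HOST, VPN_CLIENT]))
    # Adding the VPN subnet's own zone later also closes the gap.
    later = [default_zone, reverse_zone("192.168.244.0/24")]
    print("uncovered after adding VPN zone:", uncovered_hosts(later, [LAN_HOST, VPN_CLIENT]))
```

Either the single 168.192.in-addr.arpa. zone or the default plus a second 244.168.192.in-addr.arpa. zone added after installation gives every host a place for its PTR record.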
 

el_pedr0

Member
Sep 6, 2016
Right, so I've got my FreeIPA server up and running. But now I'm at a bit of a loss as to how to implement it across my hosts.

I'm vaguely aware that I have to install the client software on the various machines but I don't really know whether it's possible to 'import' my existing users. To date I've ensured that my users are the same with the same gids and uids on all machines. This post on ars technica hints at some clever way of doing it, but I wouldn't know how to start.

Any advice as to my next steps to roll out my shiny new freeipa server?