The ipa trust-add command recommends DNS forwarder set-up, but it should recommend normal DNS delegation in the first place. Forwarders should be an option of last resort.
ipa trust-add
Current output:
[root@cypher ~]# ipa trust-add --type=ad adlab.qe --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: Unable to resolve domain controller for 'adlab.qe' domain.
Additional instructions:
IPA manages DNS, please configure forwarder to 'adlab.qe' domain using following CLI command. Make sure to replace DNS_SERVER and IP_ADDRESS by actual values corresponding to the trusted domain's DNS server:
ipa dnszone-add adlab.qe --name-server=[DNS_SERVER] --admin-email='hostmaster@adlab.qe' --force --forwarder=[IP_ADDRESS] --forward-policy=only
When using Web UI, please create DNS zone for domain 'adlab.qe' first and then set forwarder and forward policy.
It should say something like:
IPA manages DNS, please create delegation records (NS + A or AAAA records) for AD managed DNS domains. NS record for name 'adlab' in zone 'qe' should contain *name* of AD name server. A or AAAA glue records for AD name server have to be created to ensure proper name server resolution. If you set global forwarders (in named.conf or in LDAP) to value different from your AD server then you should specify forward policy to 'none' for zone 'qe.'. Implicit policy 'first' will send all queries to global forwarders and NS records will be ineffective. You can set DNS forwarding up if you can't create delegation records for some reason.
... original text follows ...
Clean the message, reference the docs and open a doc bug with the instructions and recommendations for the specific typical setups and use cases.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=878485
master: a9bac3d
ipa-3-0: 6e26bf3
Rename "trusts" component to "Trusts" to achieve correct sorting.
Metadata Update from @pspacek: - Issue assigned to sbose - Issue set to the milestone: FreeIPA 3.0.2