Jasmin shahrzad
asked on
move from dns *.local to *.lokal

I have a Samba 4 Active Directory on Ubuntu 16.04. My domain on this server is example.local and I have all users and clients in this domain.
I have installed ipa-free on CentOS 8 and my DNS on this server is example.lokal, and I have only admin on this server (no user has been moved to it yet).
How do I move all users and computers from domain *.local (on Ubuntu) to *.lokal?
ste5an
Hmm, what's the use case for doing this?

You know, this may break some functionality of .local?
Jasmin shahrzad (asker)
The problem is (from the start) I have a *.local domain and DNS. The customer wants to move to ipa-free (CentOS) functionality.
I tried to install IPA with and without IPA DNS and tried to create a trust certificate between ipa-free and the Samba domain.
The trust is not working.
Then I installed IPA in another domain (*.lokal) and want to add *.local to IPA without users moving out of one domain and into another.
It means existing users just stay on .local and have a CNAME in the other DNS (*.lokal), and new users are created in *.lokal.
ASKER CERTIFIED SOLUTION
ste5an
Sorry, I don't understand. Would you please explain?
I have company.lokal in free-ipa and company.local from Samba.
Do you mean create company.local as a subdomain of company.lokal in free-ipa?
No, I don't see a reason for having two domains at all.

BTW, for copying users: Migration from different identity management solution.
.local is far more than "just a TLD". It implies mDNS (multicast DNS), for example.
Some DNS servers will refuse to serve .local domains without a special configuration setting acknowledging the fact that you really want to break this.
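The mDNS interaction described above is something a practitioner can check on each client before deciding whether a .local zone will ever be answered by the Samba or FreeIPA DNS server. The following is an added example, not code from this thread or from either project: it parses a constructed nsswitch.conf `hosts:` line (the default Ubuntu/Avahi layout, embedded inline rather than read from disk) and reports whether a given name would reach the unicast `dns` service at all.

```python
import re

# Constructed sample, not read from disk: the default hosts line Ubuntu ships with Avahi.
SAMPLE_NSSWITCH = """\
passwd:         compat systemd
hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files
"""


def parse_hosts_line(nsswitch_text):
    """Return [(service, action or None), ...] from the hosts: line of nsswitch.conf."""
    tokens = []
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            # keep bracketed action groups such as [NOTFOUND=return] as one token
            tokens = re.findall(r"\[[^\]]*\]|\S+", line[len("hosts:"):])
            break
    entries = []
    for tok in tokens:
        if tok.startswith("[") and entries:
            svc, _ = entries[-1]  # an action group applies to the service before it
            entries[-1] = (svc, tok.strip("[]").upper())
        else:
            entries.append((tok, None))
    return entries


def lookup_order(nsswitch_text, name):
    """Services glibc would consult for `name`, in order, assuming each one misses.

    mdns*_minimal only handles names under .local (it returns UNAVAIL for others, so
    its [NOTFOUND=return] does not fire for them). For an unresolvable .local name,
    NOTFOUND=return ends the search before the unicast 'dns' service is reached."""
    is_local = name.lower().rstrip(".").endswith(".local")
    tried = []
    for svc, action in parse_hosts_line(nsswitch_text):
        if svc.startswith("mdns") and svc.endswith("_minimal") and not is_local:
            continue
        tried.append(svc)
        if action and "NOTFOUND=RETURN" in action:
            break
    return tried


def dns_shadowed_by_mdns(nsswitch_text, name):
    """True when the unicast DNS server holding the zone would never be asked for `name`."""
    return "dns" not in lookup_order(nsswitch_text, name)
```

On the sample line, `dc1.company.local` stops at `mdns4_minimal` and never reaches `dns`, while `dc1.company.lokal` skips mDNS and goes straight to unicast DNS; systemd-resolved applies its own special handling to `.local` on top of this, which the block does not model.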
Where to start... Read all the above comments, as they're all important.

Next, as noci suggested, moving to *.lokal may produce a massive amount of subtle problems you'll be debugging for many months.

Likely best to move all *.local handling over to your CentOS 8 system.

Or better, don't use *.local at all. Use real host + domains internally.

The IP stack routing function will auto-magically route local requests through the fastest route, so the days are long gone when there's any performance win for doing this.

If you use real host + domain names (fully qualified), this also means all your HTTPS + IMAPS + other secure type protocols use public certs, rather than having the problem of managing a Private CA.

Tip: Always best to keep things simple.
I'll dip my toes into getting the trust relationship set up.
One option is to add to the free-IPA DNS side an explicit zone for company.local to avoid it going externally.

Adding the certificate from the company.local as trusted on the other side and the same in reverse.

Renaming/changing the domain in the Samba setup needs to correspond to changes in the DNS, and can get involved.
I am confused now. :-)
I do not have any website or certificate in *.local, just all servers (Ubuntu, CentOS), Linux clients and 2 PC workstations on Windows 10.
The .local domain is only visible within a local network.
All sites and certificates are under .com and .net. In the latter case the customer wants to delete the Samba domain and use
only ipa-free. Then I created .lokal because I can't create .local in IPA (DNS already exists).
I tried to install the trust on the IPA server and Samba server (from this doc: https://bgstack15.wordpress.com/2017/05/10/samba-share-with-freeipa-auth/) but it's not working.
In the worst case I can delete users in .local and join them to .lokal or .net or whatever.
I will first try to not involve users and clients.

@ste5an, if I use migration tools and move from .local to .lokal, which domain do my users need to log in to?
@Jasmin, Windows domains use SSL for security, so by definition X.509 certificates are involved.
When a domain is created & joined, all certificates and the trusting of the CA certificates with it are done by the tools used for that, and the Kerberos security domain is set up as well.
If mycompany.local already is a domain: you can opt for a domain like mycompany2.local and use free-ipa for that domain, or set up something like central.mycompany.local. In the long run (if you also expect external customers to connect to your site) maybe mycompany.net is a viable solution.
Yes, company.local is a domain (Samba domain on Ubuntu 16). I can change the .lokal domain to .net; it's a new one.
But .net or .com is not my problem. The issue is how to move users to .net without deleting them from one domain and adding them to another.
The reference to the domain is based on your DC; renaming the domain on the DC should be reflected on the clients.
I have not tested a change through a setup such as you have, so I cannot say that it is easy...

If memory serves, you had a setup with different storage, OpenLDAP or tdsdbm, where the data is stored.

The update would need to rename the zone for DNS references...
DHCP to push the correct search domain.

If you can test a rename in a lab...

IMHO, focus on the issue of establishing trust, whether the signing CA cert or the certificate can be added as trusted through the OpenSSL/PKI setup...

Beyond that I do not have a demonstrable solution.
Additionally, .lokal is not something you should use. .local is the recommendation; .lan is also reserved for such personal uses; .lokal may well be an actual TLD in the future.