[root@ipa-01 /]# cat /etc/named/ipa-options-ext.conf
/* User customization for BIND named
 *
 * This file is included in /etc/named.conf and is not modified during IPA
 * upgrades.
 *
 * It must only contain "options" settings. Any other setting must be
 * configured in /data/etc/named/ipa-ext.conf.
 *
 * Examples:
 * allow-recursion { trusted_network; };
 * allow-query-cache { trusted_network; };
 */

/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
listen-on-v6 { any; };

/* dnssec-enable is obsolete and 'yes' by default */
dnssec-validation no;
allow-query { any; };
[root@ipa-01 /]# systemctl status | grep name
           ├─948 grep --color=auto name
             ├─named-pkcs11.service
             │ └─286 /usr/sbin/named-pkcs11 -u named -c /etc/named.conf
[root@ipa-01 /]# systemctl restart named-pkcs11

podman stop `podman ps -q` #停止刚才交互式运行的容器。
podman run \
--rm \
--shm-size=2GB \
--name ipa-01.icinfra.cn \
--net host \
-d \
-h ipa-01.icinfra.cn \
--read-only \
-e PASSWORD=Secret123 \
-v /data/ipa-data:/data:Z \
--dns=127.0.0.1 \
-e TZ=Asia/Shanghai \
-v /etc/localtime:/etc/localtime:ro \
--add-host=ipa-01.icinfra.cn:172.16.0.13 \
docker.io/freeipa/freeipa-server:almalinux-8 \
--allow-zone-overlap \
--no-ntp

[root@Copy-of-VM-AlmaLinux8-tmpl-cloudinit-gui-5 ~]# cat /etc/resolv.conf
; Created by cloud-init on instance boot automatically, do not edit.
;
# Generated by NetworkManager
search lan icinfra.cn
nameserver 172.16.0.13
[root@Copy-of-VM-AlmaLinux8-tmpl-cloudinit-gui-5 ~]# ipa-client-install --hostname=ipa-client-001.icinfra.cn --server=ipa-01.icinfra.cn --domain=icinfra.cn --realm=ICINFRA.CN --principal=admin --password=Secret123 --unattended
This program will set up IPA client.
Version 4.9.12

Client hostname: ipa-client-001.icinfra.cn
Realm: ICINFRA.CN
DNS Domain: icinfra.cn
IPA Server: ipa-01.icinfra.cn
BaseDN: dc=icinfra,dc=cn

Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=ICINFRA.CN
    Issuer:      CN=Certificate Authority,O=ICINFRA.CN
    Valid From:  2023-12-17 03:55:11
    Valid Until: 2043-12-17 03:55:11

Enrolled in IPA realm ICINFRA.CN
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Hostname (ipa-client-001.icinfra.cn) does not have A/AAAA record.
Missing reverse record(s) for address(es): 172.16.0.78.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring icinfra.cn as NIS domain.
Configured /etc/krb5.conf for IPA realm ICINFRA.CN
Client configuration complete.
The ipa-client-install command was successful
[root@Copy-of-VM-AlmaLinux8-tmpl-cloudinit-gui-5 ~]# id admin
uid=196400000(admin) gid=196400000(admins) groups=196400000(admins)