Discussion:
[Freeipa-users] install IPA replica multi-hosts (ipa packages version 3.3.3-18)
a***@free.fr
2014-03-07 13:16:07 UTC
Hi,

I want to install an IPA server with a replica. The replica has 2 NICs: the IPA
server is connected on the first interface and all the clients are connected on
the second interface. The two networks are completely separated, 2 subnets and
not routed.

I'm wondering if this kind of configuration is supported with IPA.

The IPA server has been installed successfully on the first interface:


First, I prepared the replica using its first interface name (the one on the
same network as the IPA server) and installed it successfully. In this case
ipa-client-install fails;
See below ==== errors ipacli1 ====

Second, I prepared the replica using its second interface name (the one on the
same network as the IPA client). This case is worse: I'm not even able to
install the replica. The installation fails with the following errors, see
below ==== errors iparpl2 ====

Thanks a lot for your help.

===================================== errors ipacli1
=====================================
- messages in screen or std output:
Skip iparpl1.blue.mydomain: cannot verify if this is an IPA server
Failed to verify that iparpl1.blue.mydomain is an IPA Server.

- messages in log /var/log/ipaclient-install.log:
2014-03-07T12:20:24Z DEBUG [LDAP server check]
2014-03-07T12:20:24Z DEBUG Verifying that iparpl1.blue.mydomain (realm None) is
an IPA server
2014-03-07T12:20:24Z DEBUG Init LDAP connection to: iparpl1.blue.mydomain
2014-03-07T12:20:29Z DEBUG wait_for_open_ports: iparpl1.blue.mydomain [389]
timeout 10
2014-03-07T12:20:34Z DEBUG Error checking LDAP: [Errno -2] Name or service not
known
2014-03-07T12:20:34Z WARNING Skip iparpl1.blue.mydomain: cannot verify if this
is an IPA server

- check in iparpl1
[***@iparpl1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

[***@iparpl1 ~]# ldapsearch -x -H ldap://iparpl1.blue.mydomain:389 -W -ZZ
ldap_start_tls: Connect error (-11)
additional info: TLS error -8157:Certificate extension not found.
[***@iparpl1 ~]# ldapsearch -x -H ldap://iparpl1.mydomain:389 -W -ZZ
OK

===================================== errors iparpl2
=====================================
- messages in screen or std output
KO, normal because the master doesn't connect to the replica on the second interface
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'iparpl2.green.mydomain':
Directory Service: Unsecure port (389): FAILED
Directory Service: Secure port (636): FAILED
Kerberos KDC: TCP (88): FAILED
Kerberos KDC: UDP (88): WARNING
Kerberos Kpasswd: TCP (464): FAILED
Kerberos Kpasswd: UDP (464): WARNING
HTTP Server: Unsecure port (80): FAILED
HTTP Server: Secure port (443): FAILED
The following UDP ports could not be verified as open: 88, 464
This can happen if they are already bound to an application
and ipa-replica-conncheck cannot attach own UDP responder.

Remote master check failed with following error message(s):
Warning: Permanently added 'ipasrv.mydomain,110.0.0.2' (ECDSA) to the list of
known hosts.
Port check failed! Inaccessible port(s): 389 (TCP), 636 (TCP), 88 (TCP), 464
(TCP), 80 (TCP), 443 (TCP)
Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck
parameter.
Petr Spacek
2014-03-07 14:45:46 UTC
Post by a***@free.fr
I want to install an IPA server with a replica. The replica has 2 NICs: the IPA
server is connected on the first interface and all the clients are connected on
the second interface. The two networks are completely separated, 2 subnets and
not routed.
I'm curious - what is the reasoning behind this? :-)
Post by a***@free.fr
I'm wondering if this kind of configuration is supported with IPA.
First, I prepared the replica on its first interface name (that which is on the
same network as the ipa server), install it with success. In this case the
ipa-client-install fails;
See below ==== errors ipacli1 ====
See my reply below :-)
Post by a***@free.fr
Second, I prepared the replica using its second interface name (the one on the
same network as the IPA client). This case is worse: I'm not even able to
install the replica. The installation fails with the following errors, see
below ==== errors iparpl2 ====
I'm not sure I understand what you did.

You have installed the replica on one machine and then you have tried to
install the replica again on the same machine? I guess I have misunderstood
something ...
Post by a***@free.fr
Thanks a lot for your help.
===================================== errors ipacli1
=====================================
Skip iparpl1.blue.mydomain: cannot verify if this is an IPA server
Failed to verify that iparpl1.blue.mydomain is an IPA Server.
2014-03-07T12:20:24Z DEBUG [LDAP server check]
2014-03-07T12:20:24Z DEBUG Verifying that iparpl1.blue.mydomain (realm None) is
an IPA server
2014-03-07T12:20:24Z DEBUG Init LDAP connection to: iparpl1.blue.mydomain
2014-03-07T12:20:29Z DEBUG wait_for_open_ports: iparpl1.blue.mydomain [389]
timeout 10
2014-03-07T12:20:34Z DEBUG Error checking LDAP: [Errno -2] Name or service not
known
The problem is that your client can't resolve the name of the server.
My guess is that you use a different name for each interface, right? I'm afraid
that it can't work; FreeIPA doesn't support that.

Generally, setups like this do not work very well when Kerberos is in the mix.

You can try to add both IP addresses to the A record for the multi-homed replica,
but then you will depend on failover between those two IP addresses etc...
--
Petr^2 Spacek
Martin Kosek
2014-03-07 14:55:32 UTC
Post by Petr Spacek
My guess is that you use a different name for each interface, right? I'm afraid
that it can't work; FreeIPA doesn't support that.
Generally, setups like this do not work very well when Kerberos is in the mix.
You can try to add both IP addresses to the A record for the multi-homed replica,
but then you will depend on failover between those two IP addresses etc...
Posting a related RFE ticket, for reference:

[RFE] IPA install does not bind services to an particular IP/interface
https://fedorahosted.org/freeipa/ticket/3338

Martin
a***@free.fr
2014-03-07 15:29:14 UTC
Post by Petr Spacek
Post by a***@free.fr
I want to install an IPA server with a replica. The replica has 2 NICs: the IPA
server is connected on the first interface and all the clients are connected on
the second interface. The two networks are completely separated, 2 subnets and
not routed.
I'm curious - what is the reasoning behind this? :-)
The goal is to separate the administration flux and the userland flux.
Post by Petr Spacek
Post by a***@free.fr
I'm wondering if this kind of configuration is supported with IPA.
First, I prepared the replica using its first interface name (the one on the
same network as the IPA server) and installed it successfully. In this case
ipa-client-install fails;
See below ==== errors ipacli1 ====
See my reply below :-)
Post by a***@free.fr
Second, I prepared the replica using its second interface name (the one on the
same network as the IPA client). This case is worse: I'm not even able to
install the replica. The installation fails with the following errors, see
below ==== errors iparpl2 ====
I'm not sure I understand what you did.
You have installed the replica on one machine and then you have tried to
install the replica again on the same machine? I guess I have misunderstood
something ...
No, to test it and show the difference between installation of my replica, I use
a 2nd one (iparpl2).
Post by Petr Spacek
Post by a***@free.fr
2014-03-07T12:20:34Z DEBUG Error checking LDAP: [Errno -2] Name or service not
known
The problem is that your client can't resolve the name of the server.
I agree, and it's shown below by the ldapsearch command.
Post by Petr Spacek
My guess is that you use a different name for each interface, right? I'm afraid
that it can't work; FreeIPA doesn't support that.
Right about using different name for each interface.
I would like to be sure that this architecture is not supported by FreeIPA.
Post by Petr Spacek
Generally, setups like this do not work very well when Kerberos is in the mix.
I think so !!!
Post by Petr Spacek
You can try to add both IP addresses to the A record for the multi-homed replica,
but then you will depend on failover between those two IP addresses etc...
You're right, with the round robin included in bind.
I can recompile the bind packages without round robin, but my goal is to be very
close to the standard distribution.
Dmitri Pal
2014-03-07 15:57:21 UTC
Post by a***@free.fr
Post by Petr Spacek
Post by a***@free.fr
I want to install an IPA server with a replica. The replica has 2 NICs: the IPA
server is connected on the first interface and all the clients are connected on
the second interface. The two networks are completely separated, 2 subnets and
not routed.
I'm curious - what is the reasoning behind this? :-)
The goal is to separate the administration flux and the userland flux.
The problem is that it is not that clean.
One server can connect to another on different ports and using different
protocols for different purposes. And client can actually be a proxy
that does some admin tasks via LDAP or executes remote administrative
commands.

I think maybe it is better to explore FW rules.
For example, create a FW rule that would allow only Kerberos and LDAP
connections from a set of hosts that would be clients. Hm, but that again
would prevent you from enrolling new systems since
ipa-client-install connects to IPA via the admin interface during the
enrollment stage.

Maybe there is some magic that can be done using DNS zones, but I am not
sure...
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Petr Spacek
2014-03-10 08:11:23 UTC
Let me summarize this thread to:
Sorry, this is not supported.

It becomes extremely complex very quickly and we don't have the manpower to
maintain support for these kinds of scenarios.

Ideas and patches are welcome! :-)
--
Petr^2 Spacek
a***@free.fr
2014-03-10 15:16:05 UTC
Post by Petr Spacek
Sorry, this is not supported.
Thanks for your answer; it's clear for me now, I understand why my different
tests didn't work.

Just for my information, because it's a little bit confusing when I read in the
FreeIPA Guide (Fedora 18) the following sentence:
19.5. Setting DNS Entries for Multi-Homed Servers
Some server machines may support multiple network interface cards (NICs).
Multi-homed machines typically have multiple IPs, all assigned to the same
hostname. This works fine in FreeIPA most of the time because it listens on all
available interfaces, except localhost. For a server to be available through any
NIC, edit the DNS zone file and add entries for each IP address. For example:
ipaserver IN A 192.168.1.100
ipaserver IN A 192.168.1.101
ipaserver IN A 192.168.1.102

What is the architecture of the Multi-Homed Servers in this case ?
Post by Petr Spacek
It becomes extremely complex very quickly and we don't have the manpower to
maintain support for these kinds of scenarios.
I understand well.
Post by Petr Spacek
Ideas and patches are welcome! :-)
I can try to think about it.
Best Regards.
Dmitri Pal
2014-03-10 18:55:39 UTC
Post by a***@free.fr
Just for my information, because it's a little bit confusing when I read in the
FreeIPA Guide (Fedora 18) the following sentence:
19.5. Setting DNS Entries for Multi-Homed Servers
Some server machines may support multiple network interface cards (NICs).
Multi-homed machines typically have multiple IPs, all assigned to the same
hostname. This works fine in FreeIPA most of the time because it listens on all
available interfaces, except localhost. For a server to be available through any
NIC, edit the DNS zone file and add entries for each IP address. For example:
ipaserver IN A 192.168.1.100
ipaserver IN A 192.168.1.101
ipaserver IN A 192.168.1.102
What is the architecture of the Multi-Homed Servers in this case ?
What do you mean "architecture" in this context?
Are you asking "what is the reason to have this host be multihomed"?
The main reason is because this is how, for example, EC2 (and similar)
works. One machine will have an internal NIC seen by the systems inside EC2
and another seen by systems outside EC2.
To be able to work with clients inside and outside the cloud, both NICs
need to be listed.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


Petr Spacek
2014-03-11 08:48:43 UTC
Post by Dmitri Pal
Post by a***@free.fr
What is the architecture of the Multi-Homed Servers in this case ?
What do you mean "architecture" in this context?
The main difference between your setup and the example in docs is that you
tried to use two different names for one server but the documentation shows an
example where one name is associated with multiple IP addresses.

Multiple IP addresses for one name are supported, as it is a very basic
requirement for IPv4 & IPv6 dual-stack configuration support.

Problems arise when you have multiple names for the same server.

Petr^2 Spacek
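The distinction drawn above (one name with several addresses is supported, several names for one server is not) still leaves the round-robin problem mentioned earlier in the thread: with two A records, whether a client or ipa-replica-conncheck reaches the server depends on which address it happened to be handed. The script below is an added example written for this page, not FreeIPA code. It resolves every address behind a name and probes the TCP ports that ipa-replica-conncheck lists on each address separately, so a replica that is reachable on one NIC and filtered on the other is reported as partially reachable instead of passing or failing by luck of DNS. The port list is taken from the conncheck output quoted above; the hostname and addresses used in the test are constructed, and the probe function is injectable so the reporting logic can be exercised without a network.

```python
"""Per-address port check for a multi-homed IPA server name.

Added example, not FreeIPA code. ipa-replica-conncheck reports each IPA port
as reachable or not for one hostname; when that hostname has several A records
the verdict depends on which address the resolver returned. This script probes
every address behind the name separately.
"""
import argparse
import socket
import sys
from typing import Callable, Dict, List, Optional

# The TCP ports ipa-replica-conncheck lists in the thread above. UDP 88/464
# are left out: a plain connect() cannot prove a UDP port is open.
IPA_TCP_PORTS: Dict[int, str] = {
    389: "Directory Service: Unsecure port",
    636: "Directory Service: Secure port",
    88: "Kerberos KDC: TCP",
    464: "Kerberos Kpasswd: TCP",
    80: "HTTP Server: Unsecure port",
    443: "HTTP Server: Secure port",
}

Prober = Callable[[str, int], bool]


def tcp_open(addr: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to addr:port completes within timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolve_all(name: str) -> List[str]:
    """Every address (v4 and v6) the resolver returns for name, in order and
    without duplicates. Raises socket.gaierror when the name does not resolve,
    which is the "Name or service not known" case from the client log."""
    addrs: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            name, None, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def check_addresses(addrs: List[str], ports: Dict[int, str] = IPA_TCP_PORTS,
                    probe: Prober = tcp_open) -> Dict[str, List[int]]:
    """Map each address to the list of ports that were NOT reachable on it.
    `probe` is injectable so the logic can be exercised without a network."""
    return {a: [p for p in ports if not probe(a, p)] for a in addrs}


def classify(results: Dict[str, List[int]]) -> str:
    """'unresolved' (no addresses), 'ok' (all ports open on all addresses),
    'failed' (every address has a closed port) or 'partial' (mixed). A
    'partial' name is the round-robin trap: clients handed the bad address
    fail while the others work."""
    if not results:
        return "unresolved"
    bad = [a for a, closed in results.items() if closed]
    if not bad:
        return "ok"
    if len(bad) == len(results):
        return "failed"
    return "partial"


def report(name: str, results: Dict[str, List[int]],
           ports: Dict[int, str] = IPA_TCP_PORTS) -> str:
    """Render a conncheck-style report, one section per address."""
    lines = [f"Check connection to '{name}' ({len(results)} address(es)): "
             f"{classify(results).upper()}"]
    for addr, closed in results.items():
        lines.append(f"  address {addr}:")
        for port, label in ports.items():
            state = "FAILED" if port in closed else "OK"
            lines.append(f"    {label} ({port}): {state}")
        if closed:
            lines.append("    Inaccessible port(s): "
                         + ", ".join(f"{p} (TCP)" for p in closed))
    return "\n".join(lines)


def main(argv: Optional[List[str]] = None) -> int:
    ap = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    ap.add_argument("hostname", help="IPA server or replica name to check")
    ap.add_argument("--timeout", type=float, default=3.0)
    args = ap.parse_args(argv)
    try:
        addrs = resolve_all(args.hostname)
    except socket.gaierror as exc:
        print(f"Cannot resolve {args.hostname}: {exc}", file=sys.stderr)
        return 2
    results = check_addresses(
        addrs, probe=lambda a, p: tcp_open(a, p, args.timeout))
    print(report(args.hostname, results))
    return 0 if classify(results) == "ok" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a client as `python3 ipa_addrcheck.py iparpl1.mydomain` (file name is a choice here, not anything FreeIPA ships). Exit status 1 means at least one address has a closed port, 2 means the name did not resolve at all. A "partial" verdict is the case to look for on a multi-homed replica: the install or enrolment will succeed or fail depending on which A record the client's resolver picks.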
