On Tue, Jul 30, 2019 at 3:28 PM Dmitry Perets via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
> The progress so far...
>
> 1. We create two A records for the same IPA hostname, let's say
> "ipa.site1.example.com". But then not sure if it will work fine... Technically,
> two IPs for the same name means load-balancing, right? So will I have intermittent
> connectivity issues, because it will return inside and outside IP interchangeably?
>
Bad idea... Indeed, clients get load-balanced responses with the two IPA IPs, and hence,
half of the time they can't communicate with it...
> 2. We create a new DNS name, e.g. "ipa-outside-site1.example.com", for the
> outside IP, and manually add it to the @ entry of "example.com", so that
> wannabe-replica on the remote site can use that FQDN as its master IPA. Will this work
> fine..? Will it not cause issues to the local clients on site1, who must keep using IPA
> with inside IP? Will it not cause issues on IPA server itself for some reason?
> OK, so with this one I managed to get a bit further... I am now just trying to enroll a
> remote host with the IPA server over the "outside" interface (once I am good
> with this, I could try promoting it to replica...)
> So, I created a new DNS zone for the remote site (site2.example.com). I created there SRV
> entries for "_kerberos._udp" and "_ldap._tcp", pointing to the outside
> DNS name of my IPA server: "ipa-outside-site1.example.com". Then I set the nameserver
> to this outside IP and ran "ipa-client-install".
> Since it looks for the above SRV records first, discovery is successful. So I can
> continue with client installation.
You do not need to add SRV records; this is difficult to manage in the long run.
ipa-client-install(1) covers this scenario with the --domain=DOMAIN parameter.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1385515#c14 for a
detailed explanation.
> Next problem was: ipa-client-install failed to authenticate to site1 IPA over LDAP,
> because it was trying to access it using ldap://ipa-outside-site1.example.com (and not via
> ldap://ipa.site1.example.com). I solved it by adding a principal alias to the
> ldap/ipa.site1.example.com service.
>
> Next problem was: libcurl was complaining about a mismatch between certificate subject
> and the URL. Again, that's because it was browsing to ipa-outside-site1.example.com,
> but the IPA cert has "ipa.site1.example.com" in the subject. OK, so I fixed it by adding a
> principal alias to http/ipa.site1.example.com and then reissuing the certificate for IPA HTTP,
> adding a new DNS name to subjectAltName. This solved the warning.
>
> But then my next problem was (and is):
>
> RPC failed at server. Missing or invalid HTTP Referer,
> https://ipa-outside-site1.example.com/ipa/xml
>
> I understand why - because ipa-client-install puts the above referer, but the IPA server
> expects only https://ipa.site1.example.com...
> How can I solve this? How can I add another "alias referer" to be accepted..?
>
> Basically, I need to convince all the components of the IPA server that they have two
> perfectly valid DNS names, with different IPs...
>
> ---
> Regards,
> Dmitry Perets