Hey John,
thanks again for a detailed information. I do understand this, but maybe
I am overthinking it. The current setup (non IPA) is:
company.com Domain name,
Using kerberos on
kerberos.company.com.
SRV & TXT Records all point to
kerberos.company.com.
All user prinicipals are
user@COMPANY.COM, all kerberized
services/keytabs have a principal of
host/vm4.company.com@COMPANY.COMWhat we are aiming for is: A User requests a TGT via
kinit
john@COMPANY.COM (ignoring default realms for a bit) and it would
receive a TGT from either IPA server issues to
john@COMPANY.COMServers are in the form
host/server.company.com@COMPANY.COMAlso, things that use ldap want dc=company,dc=com.
We will not be using any Windows / AD things. Only UNIX/Linux.
The Services are used in house as well as from around the world (public).
Thanks so much.
-Christian.
On 17/06/2019 13:44, John Keates via FreeIPA-users wrote:
What you are trying to do is possible but not recommended. If you make a
distinction between what you want your users to ’see’ and what your
domain technically should be you can probably resolve it.
For IPA, it’s important that the domain for the built in DNS server is
not used. That means: do not use a domain that is in use. Not for your
IPA domain and not for the kerberos realm.
So, say you have company.com <http://company.com> and that is in use and
you want to setup IPA. Since it’s in use, you’ll have to start on level
down on a subdomain.
That means (per your choice AFAIK) that you have to set it all to
auth.company.com <http://auth.company.com>, both the IPA domain and the
kerberos realm. The main zone, company.com <http://company.com> doesn’t
actually come into play here.
Afterwards, if you want to, you could make NS delegations to your IPA
server(s) from your main zone.
If you can’t make this work out, or if DNS is managed by multiple
teams/people, it might be much easier to simply register a second domain
just for IPA, remove all of its public zones and just use it inside IPA.
So if you have company.com <http://company.com> you could use something
like company.net <http://company.net> if that’s available. Could be
confusing for users, so maybe companyauth.com
<http://companyauth.com> or company-internal.com
<http://company-internal.com>.
The “domain” part in the server setup doesn’t mean anything regarding
what your users would type to access your web stuff, that can be proxied
and renamed as much as you like to anything else.
Something else: what is your goal? Is this IPA setup for internal use,
public use, end-users, admin-users, workstations, servers, web applications?
John
On 17 Jun 2019, at 11:49, Christian Reiss via FreeIPA-users
<freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>> wrote:
Hey John,
Thanks for a speedy reply! Sure helped a lot understanding, tho a pity
that some clients simply require a "a/cname" and do not look up any srv,
like pfsense. And your reverse proxy idea is neat.
Just one issue, either technical or lack of understanding:
So I went ahead for the domain company.com <http://company.com>
(exmaple, using real IPs out
there):
auth.company.com <http://auth.company.com> IN NS 10.0.0.1
and created
srv1.auth.company.com <http://srv1.auth.company.com> (10.0.0.1)
srv2.auth.company.com <http://srv2.auth.company.com> (10.0.0.2)
During setup of srv1 I set:
The IPA Master Server will be configured with:
Hostname: srv1.auth.company.com <http://srv1.auth.company.com>
IP address(es): 10.0.0.1
Domain name: auth.company.com <http://auth.company.com>
Realm name: COMPANY.COOM
BIND DNS server will be configured to serve IPA domain with:
Forwarders: 10.0.0.1
Forward policy: first
Reverse zone(s): 0.0.10.in-addr.arpa.
WARNING: Realm name does not match the domain name.
You will not be able to establish trusts with Active Directory unless
the realm name of the IPA server matches its domain name.
So:
Server: srv1.auth.company.com <http://srv1.auth.company.com>
Domain: auth.company.com <http://auth.company.com>
K5 : COMPANY.COM <http://COMPANY.COM>
Replica adoption failed because auth.company.com
<http://auth.company.com> is not company.com <http://company.com>.
2nd try, this time:
Server: srv1.auth.company.com <http://srv1.auth.company.com>
Domain: company.com <http://company.com>
K5 : COMPANY.COM <http://COMPANY.COM>
Primary failed: ERROR DNS zone COMPANY.COM <http://COMPANY.COM>.
already exists in DNS and
is handled by server(s): ns1.ns-serve.net <http://ns1.ns-serve.net>.,
ns2.ns-serve.net <http://ns2.ns-serve.net>.
What would be the right approach here?
Thanks again!
-Chris.
On 17/06/2019 10:10, John Keates via FreeIPA-users wrote:
A HA-aware client would use SRV records to locate the server(s) and
then connect every returned instance until a working server is found.
And by using locations you can scope the servers you get back.
Regarding the single URL: while there are many options, we decided to
simply register all servers in a load balancer and when you access
the URL provided by the loadbalancer you simply get redirected to any
working server.
Some people prefer no URL redirects and try to solve it using stick
tables and the likes, but to us that seems like a dirty solution so
we ditched it after a PoC phase. It works but we don’t want it ;-)
If you have a special use case, a separate web app that talks to IPA
can be better, that is what we did for non-tech accounts; a simple
self-service app that allows you to change your own password and
manage MFA.
For everything else (i.e. SSO, SAML etc.) we often use something else
that talks to IPA, like Keycloak, because the IPA WebUI itself is
really not going to give a user any useful functionality; it’s more
of an operator and admin thing.
John
On 17 Jun 2019, at 10:02, Christian Reiss via FreeIPA-users
<freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>> wrote:
Hey folks,
I just recently began planning the deployment of FreeIPA and have
successfully made several test setups. Next step would be to integrate
this in our new datacenter; so we are starting there from scratch.
I understand HA on the server side. What boogles my head is HA on the
*client* side.
For example: Our pfsenses use a LDAP lookup against a single FQDN, and
the cert must be valid (against any provided CA). Exporting the CA from
freeIPA and importing that in pfsense is a cake.
But what do I point the clients towards? Let's say I have 4 FreeIPA
servers:
- ipa01.auth.dc-01.company.com <http://ipa01.auth.dc-01.company.com>
- ipa02.auth.dc-01.company.com <http://ipa02.auth.dc-01.company.com>
- ipa03.auth.dc-01.company.com <http://ipa03.auth.dc-01.company.com>
- ipa04.auth.dc-01.company.com <http://ipa04.auth.dc-01.company.com>
Realm company.com <http://company.com>, Kerberos COMPANY.COM
<http://COMPANY.COM>. If I point the pfsense (I'll
stick to that as an example) against ipa01.auth.dc-01.company.com
<http://ipa01.auth.dc-01.company.com> and
this server is offline, then no HA is given. DNS Delegation might yield
*any* of the four servers, including the one offline, so a 25% fault
chance in there.
Second question, same area: If I want my users to have one single url
for the FreeIPA webservice, like auth.company.com
<http://auth.company.com> that follows the above
solution then the self-signed and generated certs do not have this as
altname.
So summed up:
- How can I make (ldap) clients access the current online server(s)?
- How can I provide access to the webinterace to the current online
server(s)?
(Or is this simply by the magic of dns zone delegation and pure faith
that always an online server will be hit?)
Thanks for any advice!
-Christian.
--
Christian Reiss - email@christian-reiss.de
<mailto:email@christian-reiss.de> /"\ ASCII Ribbon
support@alpha-labs.net
<mailto:support@alpha-labs.net> \ / Campaign
X against HTML
WEB alpha-labs.net <http://alpha-labs.net>
/ \ in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
--
Christian Reiss - email@christian-reiss.de
<mailto:email@christian-reiss.de> /"\ ASCII Ribbon
support@alpha-labs.net
<mailto:support@alpha-labs.net> \ / Campaign
X against HTML
WEB alpha-labs.net <http://alpha-labs.net>
/ \ in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
--
Christian Reiss -
email@christian-reiss.de /"\ ASCII Ribbon
support@alpha-labs.net \ / Campaign
X against HTML
WEB
alpha-labs.net / \ in eMails
GPG Retrieval
https://gpg.christian-reiss.de GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.orgTo unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.orgFedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelinesList Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org