Hi Alexander,
Posting here, as it might be useful to others.
I've got a suggestion via a Red Hat support ticket that looks promising...
So, earlier I tried to configure all IPA servers to resolve to internal IP and then add
external IP to their /etc/hosts when creating replica. And that failed badly, because
replica install relies on DNS heavily and does all forward/reverse lookups...
But now I was asked to do it the other way around: resolve IPA servers to external IPs, but
add their internal IP to /etc/hosts on all internal clients.
And so far it seems to do the job actually... ipa-client-install is fine with that. I did
have an issue reaching the KDC, but I solved it by adding to /etc/hosts not only the IPA FQDN,
but also the FQDN ending with a dot (.) - because that's what the _kerberos.* entries return
to the client.
So, as long as none of the internal clients needs to become a replica (and it's indeed
so in our case), this solution might actually work.
Of course, it's not ideal to add entries to /etc/hosts like this, but we can add it to
our automated deployment, so we can live with that.
Any issues that you predict with this solution...?
---
Regards,
Dmitry Perets
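The /etc/hosts workaround described in the post, as an added example that is not part of the original message: a small shell helper that writes the IPA server's internal address under both the plain FQDN and the trailing-dot form the _kerberos SRV lookups hand back, without duplicating lines on repeated runs, plus a lookup that checks the file the same way (trailing dot significant). The hostname ipa01.example.com and address 10.0.0.5 are constructed placeholders.

```shell
# Added example (not from the list post). Assumes a POSIX sh with grep, sed, awk.

# ensure_ipa_hosts_entry HOSTS_FILE INTERNAL_IP IPA_FQDN
# Writes one line: "<ip>  <fqdn> <fqdn>. <shortname>", replacing any earlier
# line for that FQDN so a changed internal IP is corrected rather than duplicated.
ensure_ipa_hosts_entry() {
    hosts_file=$1
    ip=$2
    fqdn=$3
    short=${fqdn%%.*}
    # Escape the dots in the FQDN so the regex matches the literal name.
    esc=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    if [ -f "$hosts_file" ]; then
        # Drop stale lines naming this FQDN (with or without the trailing dot).
        grep -v -E "[[:space:]]${esc}\.?([[:space:]]|\$)" "$hosts_file" \
            > "$hosts_file.tmp" || true
        mv "$hosts_file.tmp" "$hosts_file"
    fi
    # Both name forms on one line: the dotted one is what _kerberos.* SRV answers
    # carry, so the client must be able to map it to the internal address too.
    printf '%s\t%s %s. %s\n' "$ip" "$fqdn" "$fqdn" "$short" >> "$hosts_file"
}

# hosts_lookup HOSTS_FILE NAME
# Prints the address whose line lists NAME exactly (so "host." and "host" are
# distinct, mirroring the behaviour the post ran into); prints nothing if absent.
hosts_lookup() {
    awk -v name="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}
```

On a client, `ensure_ipa_hosts_entry /etc/hosts 10.0.0.5 ipa01.example.com` (as root) followed by `hosts_lookup /etc/hosts ipa01.example.com.` confirms the dotted form is in place; `getent hosts ipa01.example.com` then shows what the resolver itself returns.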