Hi guys,
It's my first time writing to the Fedora mailing list; if someone can help me, I'd appreciate it.
I've decided to ask here because I couldn't find any answer in the docs or googling.
I'd like to deploy FreeIPA with the following scenario:
domains: site1.prod.int.mydomain.com site2.prod.int.mydomain.com
Each site with 2 servers, and a replication agreement set up between them and between the datacenters.
EX:
ipa01.site1.prod.int.mydomain.com <--> ipa01.site2.prod.int.mydomain.com
        |                                    |
ipa02.site1.prod.int.mydomain.com <--> ipa02.site2.prod.int.mydomain.com
But with all clients authenticating in only one Kerberos domain, INT.MYDOMAIN.COM.
I've tried deploying that way and I came across two issues:
- The first server deployment works fine, but the client installation fails because it couldn't find the KDC (autodiscovery works fine).
After some searching, I found out that it's because of the way Kerberos autodiscovery works (it looks up DNS using _kerberos.REALM). Passing the arguments --server and --domain, the installation works fine.
- A different site client enrollment works, but the replica promotion fails with "IPA different domain"
server - ipa01.site1.prod.int.mydomain.com
replica - ipa01.site2.prod.int.mydomain.com
I found out it's because of that patch. https://www.redhat.com/archives/freeipa-devel/2016-June/msg00620.html
That being said, how can I deploy FreeIPA in a multi-site scenario?
And if it isn't possible that way, what's the recommended way to do it?
Regards
Hi
We run a similar setup (multiple sites, different DNS domain per site, 2 IPA servers per site) without the issues you mention. We're not using DNS discovery; however, that shouldn't make a huge difference.
Are you passing --realm=blah to the ipa-client-install command? That and other options will help for sure.
Regards,
Angus
________________________________
From: Willie Cadete de Lima via FreeIPA-users freeipa-users@lists.fedorahosted.org
Sent: 03 June 2020 14:58
To: freeipa-users@lists.fedorahosted.org
Cc: Willie Cadete de Lima williecadete@gmail.com
Subject: [Freeipa-users] Planing multi-site deployment
On Wed, 03 June 2020, Willie Cadete de Lima via FreeIPA-users wrote:
You are not using FreeIPA in the intended way. Please read https://www.redhat.com/archives/freeipa-users/2016-December/msg00220.html for starters.
Your '--domain ...' value must be the same as your Kerberos realm. It doesn't matter where your IPA servers will be placed in the end; it all starts with your Kerberos realm, which maps onto your primary DNS domain.
If MYDOMAIN.COM is your Kerberos realm, then you must own DNS domain mydomain.com. This DNS domain should be served by something -- it could be IPA itself, doesn't matter -- what matters is that it exists.
You can start by creating an IPA master in .mydomain.com DNS zone. You then can add DNS zones for .int.mydomain.com, .prod.int.mydomain.com, .site1.prod.int.mydomain, .site2.prod.int.mydomain and so on. Then you can enroll and create replicas ipa01.site1..., ipa01.site2..., etc.
At all steps, these sections from the ipa-client-install(1) man page stand:

BASIC OPTIONS

    --domain=DOMAIN
        The primary DNS domain of an existing IPA deployment, e.g. example.com. This DNS domain should contain the SRV records generated by the IPA server installer. Usually the name is a lower-cased name of an IPA Kerberos realm name.

        When no --server option is specified, this domain will be used by the installer to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details).

        The default value used by the installer is the domain part of the hostname. This option needs to be specified if the primary IPA DNS domain is different from the default value.
and
DNS Autodiscovery

    Client installer by default tries to search for _ldap._tcp.DOMAIN DNS SRV records for all domains that are parent to its hostname. For example, if a client machine has a hostname 'client1.lab.example.com', the installer will try to retrieve an IPA server hostname from _ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com DNS SRV records, respectively. The discovered domain is then used to configure client components (e.g. SSSD and Kerberos 5 configuration) on the machine.

    When the client machine hostname is not in a subdomain of an IPA server, its domain can be passed with --domain option. In that case, both SSSD and Kerberos components have the domain set in the configuration files and will use it to autodiscover IPA servers.

    Client machine can also be configured without a DNS autodiscovery at all. When both --server and --domain options are used, client installer will use the specified server and domain directly. --server option accepts multiple server hostnames which can be used for failover mechanism. Without DNS autodiscovery, Kerberos is configured with a fixed list of KDC and Admin servers. SSSD is still configured to either try to read domain's SRV records or the specified fixed list of servers. When --fixed-primary option is specified, SSSD will not try to read DNS SRV record at all (see sssd-ipa(5) for details).
So your enrollment should never use --domain to pass the DNS subdomain of your replica-to-be because that is not what --domain is asking you for. It asks about your primary DNS domain.
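As an added example (not from the thread or from FreeIPA itself), a small POSIX shell helper that reproduces the parent-domain walk described in the DNS Autodiscovery section above and checks the realm/--domain relationship from this reply. The client hostname is constructed, and the ipa_srv_probe helper assumes IPA's standard _ldap._tcp/_kerberos SRV and _kerberos TXT records and only runs when a domain is passed as an argument.

```shell
#!/bin/sh
# Added example, not the project's code. Hostnames below are constructed.

# List the DNS domains ipa-client-install probes for _ldap._tcp.DOMAIN SRV
# records: every parent of the client hostname, from its own domain to the TLD.
ipa_discovery_domains() {
    host=$1
    parent=${host#*.}
    while [ "$parent" != "$host" ]; do
        echo "$parent"
        host=$parent
        parent=${host#*.}
    done
}

# True when REALM lower-cased equals DOMAIN, i.e. DOMAIN is the primary IPA
# DNS domain that --domain asks for, not a per-site subdomain.
ipa_realm_matches_domain() {
    realm=$1
    domain=$2
    [ "$(printf '%s' "$realm" | tr 'A-Z' 'a-z')" = "$domain" ]
}

# Query the discovery records for one domain (assumed record names; needs dig
# and working DNS, so this is not exercised offline).
ipa_srv_probe() {
    domain=$1
    for rr in _ldap._tcp _kerberos._udp _kerberos._tcp; do
        printf '%s.%s SRV: ' "$rr" "$domain"
        dig +short SRV "$rr.$domain" | tr '\n' ' '
        echo
    done
    printf '_kerberos.%s TXT: ' "$domain"
    dig +short TXT "_kerberos.$domain"
}

# Demo with a constructed client in the poster's layout.
client=client1.site1.prod.int.mydomain.com
echo "Domains probed for $client:"
ipa_discovery_domains "$client"
if ipa_realm_matches_domain INT.MYDOMAIN.COM int.mydomain.com; then
    echo "--domain int.mydomain.com matches realm INT.MYDOMAIN.COM"
fi
if [ $# -ge 1 ]; then
    ipa_srv_probe "$1"
fi
```

Run it with a domain argument (e.g. int.mydomain.com) on a host that can reach the IPA DNS to see which of the probed domains actually carries the SRV records.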
Thank you for replying.
Now I understand that concept; it worked for me.