9:30 a.m.
Hello everyone
We want to move some of the systems for a co-location into AWS. IPA
systems are some of our candidate servers.
I have attempted to get this working by setting up a replica server in
the cloud and attempting to setup replication - over VPN - and its not
working. This is due to DNS issue on AWS being biased toward AWS DNS.
If I use nmap, it verify I can reach port 53 (TCP and UDP) on the
co-location from AWS, but if I do a dig against existing DNS, it
doesn't seem to resolve.
Have anyone gone through the exercise recently and managed to figure
how to work around this limitation? Would be grateful if someone can
share how the worked around this problem.
Regards,
William
10:11 a.m.
I run a 4-node IPA cluster on AWS spanning a few global regions and tied
into a particularly complex AD forest -- never had the DNS issues you
mention but I've never had to talk to IPA on-prem either. And our setup
is strange as we could never get the global AD admins to make DNS
entries for us among other issues so we ended up choosing a totally new
TLD domain name to run IPA on and bind our servers against; this works
fine except we can't leverage kerberos based features because our realm
is different from our domain. All we needed was RBAC login using AD
usernames and passwords though so our needs are met.
For DNS on AWS though ...
- You can override or alter DHCP level nameserver assignments at a
VPC-level if you want to adjust DHCP option sets. This is a big
decision as it is VPC-wide in scope but works well to push out "global"
DNS and nameserver preferences
- If VPC level changes are too much then it's pretty easy on an EC2
instance to override or alter DNS resolution, nameservers and search
order in ways that persist beyond reboot. Specific method depends OS you
are using and if you want to this on the CLI via ansible or manual
operations or if you want to do this at the cloud-init "just booting up"
level
I did have a nasty DNS issue in the past with an old school client that
believed all DNS should be served out of AD and that pre-creating
reverse PTR records was "nonsense" and "not needed" which broke a ton
of
AWS HPC and EMR use cases and other projects where software does a
reverse lookup on it's IP to learn more about its self. In that setting
we built our own custom DNS server based on DNSMasq -- DNSMasq is
perfect because you can construct a totally bespoke DNS environment
combining delegated nameservers, local name servers and you can even
have DNSMasq read DNS entries from an /etc/hosts style file so you don't
have to maintain a complex bind-format zone file
I don't know the exact scope of your situation but this seems like a
case for overriding the DNS settings on the EC2 hosts running IPA to
talk to your colo nameservers rather than the AWS designated ones that
show up via your DHCP Option Set
Chris
William Muriithi via FreeIPA-users wrote on 5/27/20 10:30 AM:
Hello everyone
We want to move some of the systems for a co-location into AWS. IPA
systems are some of our candidate servers.
I have attempted to get this working by setting up a replica server in
the cloud and attempting to setup replication - over VPN - and its not
working. This is due to DNS issue on AWS being biased toward AWS DNS.
If I use nmap, it verify I can reach port 53 (TCP and UDP) on the
co-location from AWS, but if I do a dig against existing DNS, it
doesn't seem to resolve.
Have anyone gone through the exercise recently and managed to figure
how to work around this limitation? Would be grateful if someone can
share how the worked around this problem.
Regards,
William
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
10:48 a.m.
Hello Chris,
I run a 4-node IPA cluster on AWS spanning a few global regions and
tied
into a particularly complex AD forest -- never had the DNS issues you
mention but I've never had to talk to IPA on-prem either.
Okay, may be I will have to investigate this.
And our setup is strange as we could never get the global AD admins
to make DNS
entries for us among other issues so we ended up choosing a totally new
TLD domain name to run IPA on and bind our servers against; this works
fine except we can't leverage kerberos based features because our realm
is different from our domain.
You can enrol IPA client through through Kerberos,
this correct?
- If VPC level changes are too much then it's pretty easy on an EC2
instance to override or alter DNS resolution, nameservers and search
order in ways that persist beyond reboot. Specific method depends OS you
are using and if you want to this on the CLI via ansible or manual
operations or if you want to do this at the cloud-init "just booting up"
I am dropping a file /etc/NetworkManager/conf.d/90-dns-none.conf using
ansible and then adding IPA server IP on /etc/resolve.conf
I don't know the exact scope of your situation but this seems like a
case for overriding the DNS settings on the EC2 hosts running IPA to
talk to your colo nameservers rather than the AWS designated ones that
show up via your DHCP Option Set
I wish its this, but I dont think so. If it was this, wouldn't doing
dig @192.168.30.8 neptune.external.example.com work at least? The
host 192.168.30.8 being in the office? How is your VPC? Do you have
public and private and NAT between? Or just a flat public? I went
with the later as I assumed IPA don't like working over NAT.
Thanks again for the feedback.
Regards,
William
12:28 p.m.
Replies inline ...
> And our setup is strange as we could never get the global AD
admins to make DNS
> entries for us among other issues so we ended up choosing a totally new
> TLD domain name to run IPA on and bind our servers against; this works
> fine except we can't leverage kerberos based features because our realm
> is different from our domain.
You can enrol IPA client through through Kerberos, this correct?
Yep! Our oddball IPA setup looks like this, due to a combination of
senior IT leadership being frightened of the cloud and global active
directory domain admins doing their usual global admin thing and
refusing to even take meetings with mortals. So we had to self-support
and only got a grudging 1-way trust set with the domain after escalating
to very high levels. It works though.
AD Domain (complex multi-child forest) == company-x.com with child
domains at nafta.company-x.com, apac.company-x.com etc. etc.
Our FreeIPA domain name is == company-x-ipa.com
So our REALM is COMPANY-X-IPA and that is where we bind our client
machines to when enrolling but we set the local domain name and hostname
to "company-x.com" when we enroll the host
This works well but from what I've been told we lose the ability to do
things like kerberized authentication for filessytem mounts etc. --
since all we really needed was RBAC managed SSH login with a small
smattering of custom sudo roles and a bunch of local SSH key storage it
works fine for us.
I wish its this, but I dont think so. If it was this, wouldn't
doing
dig @192.168.30.8 neptune.external.example.com work at least? The
host 192.168.30.8 being in the office? How is your VPC? Do you have
public and private and NAT between? Or just a flat public? I went
with the later as I assumed IPA don't like working over NAT.
Yeah most of this
DNS is on-premise; again because of a corporate desire
to use AD for DNS. We basically point all our nameservers at the on-prem
domain controllers and don't use FreeIPA for DNS records really much at
all (even the _SVR records that enable FreeIPA auto-discovery) -- but no
network, DNS query or technical issues at all with DNS being outside of
AWS -- works fine for us even DNS queries made on the IPA masters. For
rare cases where that did not work (HPC use cases) we did the DNSMasq
thing so we could inject custom reverse DNS responses while still
delegating other queries back to the domain controllers.
Our VPC is direct connected back to the corporate WAN; no NAT on the
private AWS subnets so it would be flat/private. Lots of security
controls and firewalls doing SSL intercept and decrypt at edges that
blocked
Thanks again for the feedback.
Regards,
William
10:37 a.m.
William,
Once I had to setup an IPA master and a few clients on AWS, and have issues
with its DNS, since the external name do not match the internal name,
hence, clients could not enroll (which I believe is similar to what you are
facing with replicas).
What I did, using Ansible (and ansible-freeipa), was to retrieve the server
name with `dig -x`, and using this name for the master FQDN.
I'm not sure it is the same issue you are having, but looks similar.
Rafael
On Wed, May 27, 2020 at 11:39 AM William Muriithi via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hello everyone
We want to move some of the systems for a co-location into AWS. IPA
systems are some of our candidate servers.
I have attempted to get this working by setting up a replica server in
the cloud and attempting to setup replication - over VPN - and its not
working. This is due to DNS issue on AWS being biased toward AWS DNS.
If I use nmap, it verify I can reach port 53 (TCP and UDP) on the
co-location from AWS, but if I do a dig against existing DNS, it
doesn't seem to resolve.
Have anyone gone through the exercise recently and managed to figure
how to work around this limitation? Would be grateful if someone can
share how the worked around this problem.
Regards,
William
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
11:36 a.m.
Hi Rafael,
Once I had to setup an IPA master and a few clients on AWS, and have issues with its DNS,
since the external name do not match the internal name, hence, clients could not enroll
(which I believe is similar to what you are facing with replicas).
What I did, using Ansible (and ansible-freeipa), was to retrieve the server name with
`dig -x`, and using this name for the master FQDN.
Possibly this is the case. I will try to create a fresh IPA as the
realm will change and will update the list on the result. Then figure
out how to migrate the data manually.
I'm not sure it is the same issue you are having, but looks
similar.
Something different. For example, I setup an IPA client, with the
server on the co-location - over VPN. The ipa-client enrol fine, and
I can even ssh in. Cool, 4 days later, no change, we can't
authenticate. When debugging, all looks like a DNS issue, but oddly,
it had worked a couple of day earlier. Was assuming AWS
infrastructure are hijacking DNS traffic as the rest - ssh using IP
address still works from AWS to co-location over VPN.
Thanks again Rafael.
William
1429
days inactive
1429
days old
freeipa-users@lists.fedorahosted.org
5 comments
3 participants
participants (3)
-
Chris Dagdigian -
Rafael Jeffman -
William Muriithi