Hello,
I have IPA clients that have both IPv4 and IPv6 addresses. One of the IPA clients is in the office and hence can reach the IPA server on both IPv4 and IPv6. However, the client outside the LAN can only reach the IPA server over IPv6.
I was able to enroll the external client fine over IPv6 and from the logs, all clean. However, when I attempted to ssh, it's not able to retrieve the user from IPA. The client in the office works fine. I can also make for example LDAP queries and they work over IPv6 fine. It looks, however, like Kerberos is somehow using IPv4. I reached this conclusion after taking a tcpdump when attempting to ssh to the server, and the Kerberos traffic from the client to IPA is on IPv4.
What would I need to do on the IPA client for it to prefer IPv6? I am aware I could remove the IPv4 address from DNS, but that would break any communication from IPv4-only systems. Any assistance would be appreciated.
[william@ansible ~]$ ssh root@mars.external.example.com
Last login: Mon Jan 7 17:19:49 2019 from 65.98.193.94
[root@mars ~]# kinit admin
kinit: Cannot contact any KDC for realm 'EXTERNAL.EXAMPLE.COM' while getting initial credentials
[root@mars ~]# ldapsearch -x -b cn=ftp,cn=groups,cn=compat,dc=external,dc=example,dc=com | tail -n 4
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@mars ~]# cat /etc/resolv.conf
search external.example.com
nameserver 2607:4860:6000:a::5
[root@mars ~]#
Regards, William
Easiest way without trying to fight the system is probably to get the remote site access to the local network via a VPN.
On 8/1/19 12:38 pm, William Muriithi via FreeIPA-users wrote:
Hello,
I have IPA clients that have both IPv4 and IPv6 addresses. One of the IPA clients is in the office and hence can reach the IPA server on both IPv4 and IPv6. However, the client outside the LAN can only reach the IPA server over IPv6.
I was able to enroll the external client fine over IPv6 and from the logs, all clean. However, when I attempted to ssh, it's not able to retrieve the user from IPA. The client in the office works fine. I can also make for example LDAP queries and they work over IPv6 fine. It looks, however, like Kerberos is somehow using IPv4. I reached this conclusion after taking a tcpdump when attempting to ssh to the server, and the Kerberos traffic from the client to IPA is on IPv4.
What would I need to do on the IPA client for it to prefer IPv6? I am aware I could remove the IPv4 address from DNS, but that would break any communication from IPv4-only systems. Any assistance would be appreciated.
[william@ansible ~]$ ssh root@mars.external.example.com
Last login: Mon Jan 7 17:19:49 2019 from 65.98.193.94
[root@mars ~]# kinit admin
kinit: Cannot contact any KDC for realm 'EXTERNAL.EXAMPLE.COM' while getting initial credentials
[root@mars ~]# ldapsearch -x -b cn=ftp,cn=groups,cn=compat,dc=external,dc=example,dc=com | tail -n 4
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@mars ~]# cat /etc/resolv.conf
search external.example.com
nameserver 2607:4860:6000:a::5
[root@mars ~]#
Regards, William
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Mon, 07 Jan 2019, William Muriithi via FreeIPA-users wrote:
Hello,
I have IPA clients that have both IPv4 and IPv6 addresses. One of the IPA clients is in the office and hence can reach the IPA server on both IPv4 and IPv6. However, the client outside the LAN can only reach the IPA server over IPv6.
I was able to enroll the external client fine over IPv6 and from the logs, all clean. However, when I attempted to ssh, it's not able to retrieve the user from IPA. The client in the office works fine. I can also make for example LDAP queries and they work over IPv6 fine. It looks, however, like Kerberos is somehow using IPv4. I reached this conclusion after taking a tcpdump when attempting to ssh to the server, and the Kerberos traffic from the client to IPA is on IPv4.
What would I need to do on the IPA client for it to prefer IPv6? I am aware I could remove the IPv4 address from DNS, but that would break any communication from IPv4-only systems. Any assistance would be appreciated.
Check that the SSSD-generated kdcinfo has IPv6-only addresses in /var/lib/sss/pubconf/. If not, you need to set
lookup_family_order = ipv6_only
in the domain section in sssd.conf (it defaults to ipv4_first) and restart sssd.
SSSD ensures that KDC discovery in libkrb5 is consistent with SSSD settings through a KDC locator plugin. The SSSD KDC locator plugin uses the common name resolution settings from SSSD.
See the sssd.conf man page for details.
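A check and a fix for the step Alexander describes, as an added example that is not from the thread or from the SSSD project: it scans a kdcinfo file for IPv4 KDC addresses and then sets lookup_family_order in the [domain/...] section of an sssd.conf. The file contents, the [2001:db8::10]:88 entry form and the domain name example.com are constructed; the real file is /var/lib/sss/pubconf/kdcinfo.<REALM>, and on a real client the edit is followed by a restart of sssd.

```shell
#!/bin/sh
# Added example, not from the thread or SSSD: check a kdcinfo file for
# IPv4 KDC addresses and set lookup_family_order in a [domain/...]
# section. Real path: /var/lib/sss/pubconf/kdcinfo.<REALM>; data below
# is constructed.

# Return 0 if no IPv4 (dotted-quad) KDC address is listed, else 1.
# SSSD may append ":port"; IPv6 entries never match this pattern.
kdcinfo_ipv6_only() {
    if grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(:[0-9]+)?$' "$1"; then
        return 1
    fi
    return 0
}

# Replace an existing lookup_family_order inside [domain/<domain>] or
# insert it before the next section header (or at end of file).
# Usage: set_lookup_family_order <sssd.conf> <domain> <value>
set_lookup_family_order() {
    conf=$1; domain=$2; value=$3
    awk -v sec="[domain/$domain]" -v val="$value" '
        in_sec && /^lookup_family_order[ \t]*=/ {
            print "lookup_family_order = " val; done = 1; next
        }
        /^\[/ {
            if (in_sec && !done) { print "lookup_family_order = " val; done = 1 }
            in_sec = ($0 == sec)
        }
        { print }
        END { if (in_sec && !done) print "lookup_family_order = " val }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

demo() {
    tmp=$(mktemp -d)
    # Constructed kdcinfo showing the thread's symptom: an IPv4 KDC listed first.
    printf '192.0.2.10\n[2001:db8::10]:88\n' > "$tmp/kdcinfo.EXAMPLE.COM"
    if kdcinfo_ipv6_only "$tmp/kdcinfo.EXAMPLE.COM"; then
        echo "kdcinfo: IPv6 only, nothing to do"
    else
        echo "kdcinfo: IPv4 KDC present, forcing ipv6_only"
        # Constructed sssd.conf with no lookup_family_order (so ipv4_first applies).
        printf '[sssd]\ndomains = example.com\n\n[domain/example.com]\nid_provider = ipa\n' > "$tmp/sssd.conf"
        set_lookup_family_order "$tmp/sssd.conf" example.com ipv6_only
        cat "$tmp/sssd.conf"   # on a real client, restart sssd afterwards
    fi
    rm -rf "$tmp"
}
demo
```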
Hi Alexander,
What would I need to do on the IPA client for it to prefer IPv6? I am aware I could remove the IPv4 address from DNS, but that would break any communication from IPv4-only systems. Any assistance would be appreciated.
Check that the SSSD-generated kdcinfo has IPv6-only addresses in /var/lib/sss/pubconf/. If not, you need to set
lookup_family_order = ipv6_only
in the domain section in sssd.conf (it defaults to ipv4_first) and restart sssd.
Thank you a lot. This suggestion did the trick and it is now working nicely.
Regards, William
sssd.conf doesn't get created until after ipa-client-install has run.
Is there any issue if 'lookup_family_order = ipv6_only' is added to sssd.conf only after running ipa-client-install?
PS. Another workaround, depending on your situation, is to add the IPA server/s to /etc/hosts for the duration of the install.
It would be nice if there was a way to say ipv6_only on the command line while running ipa-client-install.
Ben Aveling via FreeIPA-users wrote:
PS. Another workaround, depending on your situation, is to add the IPA server/s to /etc/hosts for the duration of the install.
It would be nice if there was a way to say ipv6_only on the command line while running ipa-client-install.
Feel free to open an RFE at https://pagure.io/freeipa/new_issue
I think we'd probably want to avoid yet another command-line option since it is already quite bloated. Do you know if there is a way to detect this automatically?
rob
There was some discussion here: https://pagure.io/SSSD/sssd/issue/2015
Conclusion seems to be that it's hard to automate because a mixed network (IPv4 and IPv6) doesn't give any good way to automatically choose between the different options.
Another approach might be to use /etc/sssd/sssd.conf.
At the moment, ipa-client-install ignores/removes any existing /etc/sssd/sssd.conf.
If there was an option to keep an existing sssd.conf (or if that were simply the default), then the installer could add ipv6_only or ipv6_first themselves.
It would also allow for setting other options, so long as those options aren't anything that ipa-client-install wants to override (or maybe even then?).
Ben Aveling via FreeIPA-users wrote:
There was some discussion here: https://pagure.io/SSSD/sssd/issue/2015
Conclusion seems to be that it's hard to automate because a mixed network (IPv4 and IPv6) doesn't give any good way to automatically choose between the different options.
Another approach might be to use /etc/sssd/sssd.conf.
At the moment, ipa-client-install ignores/removes any existing /etc/sssd/sssd.conf.
If there was an option to keep an existing sssd.conf (or if that were simply the default), then the installer could add ipv6_only or ipv6_first themselves.
It would also allow for setting other options, so long as those options aren't anything that ipa-client-install wants to override (or maybe even then?).
As long as the original sssd.conf is parseable, IPA should only add the new domain to it. It only creates a new one if it doesn't exist or it cannot be parsed by SSSDConfig.import_config().
I think this doesn't work because IPA doesn't preserve an existing domain entry since the point is to enroll a new domain.
rob
That makes sense. The only entries in my test sssd.conf were the new domain, so yes, in effect, the whole file was ignored/removed.
Suggesting it might have worked if I'd added ipv6_only somewhere else?
Regards, Ben
Ben Aveling wrote:
That makes sense. The only entries in my test sssd.conf were the new domain, so yes, in effect, the whole file was ignored/removed.
Suggesting it might have worked if I'd added ipv6_only somewhere else?
Unfortunately according to sssd.conf(5) lookup_family_order is only available in the domain section.
I think the most generic new CLI option in ipa-client-install would load the existing domain and merely update it rather than creating a new one, so this, or other configuration, would be allowed. It also puts the onus on the end user to avoid conflicting configuration, etc.
rob