Hi
We run a similar setup (multiple sites, different DNS domain per site, 2 IPA servers per
site) without the issues you mention; we're not using DNS discovery, however, that
shouldn't make a huge difference.
Are you passing --realm=blah to the ipa-client-install command? That and other options
will help for sure.
Regards
Angus
________________________________
From: Willie Cadete de Lima via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>
Sent: 03 June 2020 14:58
To: freeipa-users(a)lists.fedorahosted.org <freeipa-users(a)lists.fedorahosted.org>
Cc: Willie Cadete de Lima <williecadete(a)gmail.com>
Subject: [Freeipa-users] Planing multi-site deployment
Hi guys,
It's my first time on the Fedora mailing list; if someone can help me, I'd
appreciate it.
I've decided to ask here because I couldn't find any answer in the docs or by
googling.
I'd like to deploy FreeIPA with the following scenario:
domains:
site1.prod.int.mydomain.com
site2.prod.int.mydomain.com
Each site with 2 servers and set up a replication agreement between them and the
datacenters.
EX:
ipa01.site1.prod.int.mydomain.com <--> ipa01.site2.prod.int.mydomain.com
              |                                      |
ipa02.site1.prod.int.mydomain.com <--> ipa02.site2.prod.int.mydomain.com
But with all clients authenticating in only one Kerberos domain:
INT.MYDOMAIN.COM
I've tried deploying it that way and I came across two issues:
- The first server deployment works fine, but the client installation fails because it
couldn't find the KDC (autodiscovery works fine).
After some searching, I found out that it's because of the way Kerberos autodiscovery
works (it looks up the DNS using _kerberos.REALM.). Passing the arguments --server and
--domain, the installation works fine.
- A client enrollment from a different site works, but the replica promotion fails with "IPA
different domain":
server - ipa01.site1.prod.int.mydomain.com
replica - ipa01.site2.prod.int.mydomain.com
I found out it's because of this patch:
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.red...
That being said, how can I deploy FreeIPA in a multi-site scenario?
And if it isn't possible that way, what's the recommended way to do it?
Regards
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fe...
List Guidelines:
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedorap...
List Archives:
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.f...
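The DNS discovery behaviour the original post runs into (the KDC is located through SRV records, so a shared realm that differs from the per-site DNS domain breaks autodiscovery unless --realm, --domain and --server are given explicitly, as the reply suggests) is worth checking before running ipa-client-install. The POSIX shell script below is an added example for this thread, not code from the thread or from FreeIPA. It assumes `dig` is installed, that the record names listed in `srv_names` are the ones discovery consults (the `_ldap._tcp.<domain>` SRV record for IPA servers, the `_kerberos._udp/_tcp` SRV records for KDCs, and the `_kerberos.<domain>` TXT record that maps a DNS domain to its realm), and it reuses the hostnames from the post; the sample `dig` output in the comments is constructed, not captured from a real zone.

```shell
#!/bin/sh
# Pre-enrollment DNS discovery check for a FreeIPA client.
# Added example for this thread, not part of FreeIPA. Assumes `dig`
# (bind-utils) is available. Hostnames come from the post; all sample
# records are constructed.
#
# Usage: sh discovery-check.sh check INT.MYDOMAIN.COM site1.prod.int.mydomain.com
#
# Discovery consults records under two different names:
#   - the DNS *domain* (client search domain, or --domain):
#       _ldap._tcp.<domain>          -> IPA servers (ipa-client-install)
#       _kerberos.<domain>  (TXT)    -> realm the domain belongs to
#   - the Kerberos *realm*, lower-cased (dns_lookup_kdc in krb5):
#       _kerberos._udp.<realm>, _kerberos._tcp.<realm> -> KDCs
# With one realm (INT.MYDOMAIN.COM) and per-site domains
# (site1.prod.int.mydomain.com) these names differ, which is why the
# post's enrollment only worked once --server/--domain were passed.

# srv_names REALM DOMAIN: print the SRV record names to query, one per line.
srv_names() {
    realm_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' \
        "_kerberos._udp.$realm_lc" \
        "_kerberos._tcp.$realm_lc" \
        "_ldap._tcp.$2" \
        "_kerberos._udp.$2" \
        "_kerberos._tcp.$2"
}

# parse_srv: read `dig +short SRV` output on stdin, one record per line in the
# form "priority weight port target." (constructed sample:
#   10 70 88 ipa01.site1.prod.int.mydomain.com.
#   10 30 88 ipa02.site1.prod.int.mydomain.com.
#   20 10 88 ipa01.site2.prod.int.mydomain.com. )
# and print "target:port" ordered by priority ascending, weight descending,
# i.e. the order a client should try them.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, -$2, $4 ":" $3 }' \
        | sort -k1,1n -k2,2n \
        | awk '{ print $3 }'
}

# realm_from_txt: read `dig +short TXT _kerberos.<domain>` output (a quoted
# string such as "INT.MYDOMAIN.COM") and print the realm without quotes.
realm_from_txt() {
    tr -d '"' | awk 'NF { print $1; exit }'
}

# enroll_cmd REALM DOMAIN SERVER: the explicit ipa-client-install invocation
# that bypasses discovery, using the options discussed in the thread.
enroll_cmd() {
    printf 'ipa-client-install --realm=%s --domain=%s --server=%s\n' "$1" "$2" "$3"
}

# check REALM DOMAIN: run the live lookups and report what a client would see.
check() {
    realm=$1
    domain=$2
    txt=$(dig +short TXT "_kerberos.$domain" | realm_from_txt)
    printf 'TXT _kerberos.%s -> %s\n' "$domain" "${txt:-<none>}"
    if [ "$txt" != "$realm" ]; then
        printf 'WARNING: no realm mapping for %s, or it differs from %s\n' "$domain" "$realm"
    fi
    srv_names "$realm" "$domain" | while read -r name; do
        printf 'SRV %s\n' "$name"
        dig +short SRV "$name" | parse_srv | sed 's/^/    /'
    done
    first=$(dig +short SRV "_ldap._tcp.$domain" | parse_srv | head -n 1)
    if [ -z "$first" ]; then
        printf 'No IPA server found via _ldap._tcp.%s; enroll explicitly, e.g.:\n' "$domain"
        enroll_cmd "$realm" "$domain" "ipa01.$domain"
    else
        printf 'First IPA server by SRV order: %s\n' "$first"
    fi
}

if [ "${1-}" = "check" ]; then
    check "$2" "$3"
fi
```

Run it with `check REALM DOMAIN` on a client before enrolling; if the `_kerberos.<domain>` TXT record is missing or the realm SRV names resolve to nothing, the realm/domain split is the cause and the explicit `ipa-client-install` line it prints is the workaround the thread already arrived at.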