Easiest way without trying to fight the system is probably to get the remote site access to the local network via a VPN.

On 8/1/19 12:38 pm, William Muriithi via FreeIPA-users wrote:

I have IPA clients that have both IPv4 and IPv6 addresses.  One of the IPA clients is in the office and hence can reach the IPA server on both IPv4 and IPv6. However, the client outside the LAN can only reach the IPA server over IPv6.

I was able to enroll the external client fine over IPv6 and, from the logs, all clean.  However, when I attempted to ssh, it's not able to retrieve the user from IPA.  The client in the office works fine.  I can also make, for example, LDAP queries and they work over IPv6 fine. It looks like Kerberos is, however, somehow using IPv4.  I reached this conclusion after taking a tcpdump when attempting to ssh to the server and the Kerberos traffic from the client to IPA is on IPv4.

What would I need to do on the IPA client for it to prefer IPv6?  I am aware I could remove the IPv4 address from DNS, but that would break any communication from IPv4-only systems.  Any assistance would be appreciated.

[william@ansible ~]$ ssh root@mars.external.example.com
Last login: Mon Jan  7 17:19:49 2019 from
[root@mars ~]# kinit admin
kinit: Cannot contact any KDC for realm 'EXTERNAL.EXAMPLE.COM' while getting initial credentials
[root@mars ~]# ldapsearch -x -b cn=ftp,cn=groups,cn=compat,dc=external,dc=example,dc=com | tail -n 4
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@mars ~]# cat /etc/resolv.conf
search external.example.com
nameserver 2607:4860:6000:a::5
[root@mars ~]#

