Hi all,

I have run into a bit of a surprise (for me anyway). After adding a second NIC to my FreeIPA server in order to provide IPA services for the same realm to a second network, I am unable to join clients to it and am getting the following error:

2020-01-29T19:15:55Z DEBUG stderr=
2020-01-29T19:15:55Z DEBUG trying to retrieve CA cert via LDAP from freeipa.cluster
2020-01-29T19:15:55Z DEBUG get_ca_certs_from_ldap() error: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/CLUSTER@<original domain> not found in Kerberos database)
2020-01-29T19:15:55Z DEBUG Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/CLUSTER@<original domain> not found in Kerberos database)


After doing quite a bit of Googling it appears that multi-homed IPA servers are not currently supported? 

I decided to try something and added the FQDN for the FreeIPA server to the client's /etc/hosts file, and pointed the FQDN to the secondary IP of the server, and that appears to have worked properly. The client install completed without any error via the second network.

Is this the bandaid approach that is currently the best method of doing this? Is there a better way?


Thanks for the insight!
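Before falling back to an /etc/hosts override, a client-side check that the server FQDN resolves to the address the client will actually use, and that the reverse lookup of that address maps back to the same FQDN, is worth running. The script below is an added example, not from the original post; the hostnames and addresses in it are constructed placeholders, and `live_check` assumes `getent` is available on the client.

```shell
#!/bin/sh
# Added example: verify forward/reverse DNS consistency for a FreeIPA
# server as seen from a client on a second network. Kerberos builds the
# service principal from the name the client ends up with, so a PTR record
# that points at a different name (or a different domain) is what produces
# "krbtgt/... not found in Kerberos database" style failures.

# normalize_name NAME -> lowercase with any trailing dot removed
normalize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# check_dns_consistency FQDN EXPECTED_IP "FORWARD_IPS" REVERSE_NAME
#   FQDN         server name the client is enrolling against
#   EXPECTED_IP  address the client must reach the server on
#   FORWARD_IPS  space-separated addresses FQDN resolved to
#   REVERSE_NAME hostname EXPECTED_IP resolved back to (may be empty)
# Exit status: 0 consistent, 1 EXPECTED_IP missing from forward answers,
# 2 reverse lookup names a different host (the realm-mismatch case).
check_dns_consistency() {
    fqdn=$(normalize_name "$1")
    expected_ip=$2
    forward_ips=$3
    reverse_name=$(normalize_name "$4")
    found=0
    for ip in $forward_ips; do
        if [ "$ip" = "$expected_ip" ]; then
            found=1
        fi
    done
    if [ "$found" -ne 1 ]; then
        return 1
    fi
    if [ "$reverse_name" != "$fqdn" ]; then
        return 2
    fi
    return 0
}

# live_check FQDN EXPECTED_IP: feed this client's real resolver answers
# (placeholder values: live_check ipa.example.test 10.0.2.10)
live_check() {
    fwd=$(getent ahostsv4 "$1" | awk '{print $1}' | sort -u | tr '\n' ' ')
    rev=$(getent hosts "$2" | awk '{print $2}')
    check_dns_consistency "$1" "$2" "$fwd" "$rev"
}
```

A status of 2 means the client is being handed a different name for the second-network address than the one it was told to enroll against, which is exactly what the /etc/hosts workaround in the post papers over.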