William,

Once I had to set up an IPA master and a few clients on AWS, and had issues with its DNS, since the external name did not match the internal name; hence, clients could not enroll (which I believe is similar to what you are facing with replicas).

What I did, using Ansible (and ansible-freeipa), was to retrieve the server name with `dig -x` and use this name for the master FQDN.

I'm not sure it is the same issue you are having, but it looks similar.

Rafael

On Wed, May 27, 2020 at 11:39 AM William Muriithi via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hello everyone

We want to move some of the systems from a co-location into AWS. IPA systems are some of our candidate servers.

I have attempted to get this working by setting up a replica server in the cloud and attempting to set up replication - over VPN - and it's not working. This is due to a DNS issue on AWS being biased toward AWS DNS. If I use nmap, it verifies I can reach port 53 (TCP and UDP) on the co-location from AWS, but if I do a dig against the existing DNS, it doesn't seem to resolve.

Has anyone gone through this exercise recently and managed to figure out how to work around this limitation? I would be grateful if someone could share how they worked around this problem.

Regards,
William
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


--
Rafael Guterres Jeffman
Senior Software Engineer 
FreeIPA - Red Hat
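Rafael's approach of deriving the master FQDN from the reverse (PTR) record, as an added shell example that is not part of the thread or of ansible-freeipa: it parses the `dig -x ... +short` output and checks that the name resolves back to the same address before it is used for enrollment, since IPA and Kerberos depend on forward and reverse records agreeing. The IP addresses and hostnames used are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the list post or ansible-freeipa): derive the FQDN
# an AWS host should use for an IPA master/replica from its PTR record, and
# verify forward/reverse consistency before enrolling.

# Parse the output of `dig -x <ip> +short`: keep the first PTR answer and
# strip the trailing dot that dig prints on fully qualified names.
ptr_to_fqdn() {
    printf '%s\n' "$1" | head -n 1 | sed 's/\.$//'
}

# Return 0 only if the forward lookup output (one A record per line, as from
# `dig +short A <fqdn>`) contains the IP the name was derived from.
# Args: fqdn, expected ip, forward-lookup output.
fwd_rev_consistent() {
    fqdn=$1; ip=$2; fwd=$3
    [ -n "$fqdn" ] || return 1
    printf '%s\n' "$fwd" | grep -qxF -- "$ip"
}

# Live usage (needs network and dig): print the FQDN to use for the master,
# or fail loudly when the PTR name does not resolve back to the address.
# Example (constructed): resolve_master_fqdn 10.0.1.5
resolve_master_fqdn() {
    ip=$1
    ptr=$(dig -x "$ip" +short)
    fqdn=$(ptr_to_fqdn "$ptr")
    fwd=$(dig +short A "$fqdn")
    if fwd_rev_consistent "$fqdn" "$ip" "$fwd"; then
        printf '%s\n' "$fqdn"
    else
        echo "PTR for $ip ('$fqdn') does not resolve back to it" >&2
        return 1
    fi
}
```

The same check is worth running on each replica and client before enrollment, because a mismatch between the name AWS hands out and the name the IPA DNS zone knows is exactly the symptom described in the thread.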