On Wed, 03 Jun 2020, Willie Cadete de Lima via FreeIPA-users wrote:
> Hi guys,
> It's my first time attending the Fedora mailing list; if someone can help me I'd
> appreciate it.
> I've decided to ask here because I couldn't find any answer in the docs or
> by googling.
> I'd like to deploy FreeIPA with the following scenario:
> domains:
> site1.prod.int.mydomain.com
> site2.prod.int.mydomain.com
> Each site with 2 servers, and set up a replication agreement between them and the
> datacenters.
> EX:
> ipa01.site1.prod.int.mydomain.com <--> ipa01.site2.prod.int.mydomain.com
>                 |                                      |
> ipa02.site1.prod.int.mydomain.com <--> ipa02.site2.prod.int.mydomain.com
> But all clients authenticating in only one Kerberos domain:
> INT.MYDOMAIN.COM
> I've tried deploying that way and I came across two issues:
> - The first server deployment works fine, but the client installation fails because it
> couldn't find the KDC (autodiscovery works fine).
> After some searching, I found out that it's because of the way Kerberos
> autodiscovery works (it looks up the DNS using _kerberos.REALM.).
> Passing the arguments --server and --domain, the installation works
> fine.
> - A different-site client enrollment works, but the replica promotion fails with "IPA
> different domain"
> server -
> ipa01.site1.prod.int.mydomain.com
> replica -
> ipa01.site2.prod.int.mydomain.com
> I found out it's because of that patch:
> https://www.redhat.com/archives/freeipa-devel/2016-June/msg00620.html
> That being said, how can I deploy FreeIPA with a multi-site scenario?
> And if it isn't possible that way, what's the recommended way to do it?
You are not using FreeIPA in the intended way. Please read
https://www.redhat.com/archives/freeipa-users/2016-December/msg00220.html
for starters.
Your '--domain ...' value must be the same as your Kerberos realm. It
doesn't matter where your IPA servers will be placed in the end; it all
starts with your Kerberos realm, which maps onto your primary DNS domain.
If MYDOMAIN.COM is your Kerberos realm, then you must own the DNS domain
mydomain.com. This DNS domain should be served by something -- it could
be IPA itself, doesn't matter -- what matters is that it exists.
You can start by creating an IPA master in .mydomain.com DNS zone. You
then can add DNS zones for .int.mydomain.com, .prod.int.mydomain.com,
.site1.prod.int.mydomain, .site2.prod.int.mydomain and so on. Then you
can enroll and create replicas ipa01.site1..., ipa01.site2..., etc.
At all steps, these sections from ipa-client-install(1) man page stand:
BASIC OPTIONS
--domain=DOMAIN
The primary DNS domain of an existing IPA deployment, e.g.
example.com. This DNS domain should contain the SRV
records generated by the IPA server installer. Usually the
name is a lower-cased name of an IPA Kerberos realm name.
When no --server option is specified, this domain will be
used by the installer to discover all available servers
via DNS SRV record autodiscovery (see DNS Autodiscovery
section for details).
The default value used by the installer is the domain part
of the hostname. This option needs to be specified if the
primary IPA DNS domain is different from the default
value.
and
DNS Autodiscovery
Client installer by default tries to search for _ldap._tcp.DOMAIN
DNS SRV records for all domains that are parent to its hostname.
For example, if a client machine has a hostname
'client1.lab.example.com', the installer will try to retrieve an
IPA server hostname from
_ldap._tcp.lab.example.com,
_ldap._tcp.example.com and
_ldap._tcp.com DNS SRV records,
respectively. The discovered domain is then used to configure
client components (e.g. SSSD and Kerberos 5 configuration) on
the machine.
When the client machine hostname is not in a subdomain of an IPA
server, its domain can be passed with --domain option. In that
case, both SSSD and Kerberos components have the domain set in
the configuration files and will use it to autodiscover
IPA servers.
Client machine can also be configured without a DNS
autodiscovery at all. When both --server and --domain options are
used, client installer will use the specified server and domain
directly. --server option accepts multiple server hostnames
which can be used for failover mechanism. Without DNS
autodiscovery, Kerberos is configured with a fixed list of KDC
and Admin servers. SSSD is still configured to either try to
read domain's SRV records or the specified fixed list
of servers. When --fixed-primary option is specified, SSSD will
not try to read DNS SRV record at all (see sssd-ipa(5) for
details).
So your enrollment should never use --domain to pass the DNS subdomain
of your replica-to-be because that is not what --domain is asking you
for. It asks about your primary DNS domain.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
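The autodiscovery walk quoted above from ipa-client-install(1), together with the rule from the reply that --domain must equal the lower-cased Kerberos realm, modelled as an added example. This is not code from this thread or from FreeIPA itself: the SRV table is a constructed in-memory stand-in for DNS (no real queries are made), and the helper names parent_domains, discover and domain_matches_realm are hypothetical.

```python
"""Offline model of ipa-client-install's _ldap._tcp.DOMAIN SRV autodiscovery.

Added example, not FreeIPA code. DNS is replaced by a constructed dict so the
walk described in the man page can be traced without a resolver.
"""
from typing import Optional

# Constructed SRV data: owner name -> list of (priority, weight, port, target).
# Only the primary IPA DNS domain carries the records, as the installer creates them.
FAKE_SRV = {
    "_ldap._tcp.int.mydomain.com": [
        (0, 100, 389, "ipa01.site1.prod.int.mydomain.com"),
        (0, 100, 389, "ipa01.site2.prod.int.mydomain.com"),
    ],
}


def parent_domains(hostname: str) -> list[str]:
    """Parent domains of a hostname, most specific first.

    For 'client1.lab.example.com' this is
    ['lab.example.com', 'example.com', 'com'], matching the man page order.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def srv_candidates(hostname: str) -> list[str]:
    """The _ldap._tcp.DOMAIN names the installer would try, in order."""
    return [f"_ldap._tcp.{d}" for d in parent_domains(hostname)]


def discover(
    hostname: str,
    srv_table: Optional[dict] = None,
    domain: Optional[str] = None,
    servers: Optional[list[str]] = None,
) -> tuple[Optional[str], list[str]]:
    """Return (discovered_domain, server_list) for a client.

    - no options: walk the parent domains of `hostname` looking for SRV records
    - --domain only: try that single domain's SRV records
    - --server and --domain: skip DNS and use the fixed list directly
    """
    table = FAKE_SRV if srv_table is None else srv_table
    if servers and domain:
        return domain.lower().rstrip("."), list(servers)
    domains = [domain.lower().rstrip(".")] if domain else parent_domains(hostname)
    for d in domains:
        records = table.get(f"_ldap._tcp.{d}")
        if records:
            # SRV semantics: lowest priority first, higher weight preferred within it.
            ordered = sorted(records, key=lambda r: (r[0], -r[1]))
            return d, [r[3] for r in ordered]
    return None, []


def domain_matches_realm(domain: str, realm: str) -> bool:
    """The rule from the reply: --domain is the lower-cased Kerberos realm, nothing else."""
    return domain.lower().rstrip(".") == realm.lower().rstrip(".")


if __name__ == "__main__":
    host = "ipa01.site2.prod.int.mydomain.com"
    print("candidates:", srv_candidates(host))
    print("discovered:", discover(host))
    # The site subdomain is not the primary domain, so it is the wrong --domain value.
    print("site1 domain ok?", domain_matches_realm("site1.prod.int.mydomain.com", "INT.MYDOMAIN.COM"))
    print("realm domain ok?", domain_matches_realm("int.mydomain.com", "INT.MYDOMAIN.COM"))
```

The walk shows why a client under site2.prod.int.mydomain.com still reaches the servers through autodiscovery: the installer climbs past the site and prod labels until it hits the SRV records at int.mydomain.com. The last two checks reproduce the reply's point that passing the replica's own subdomain as --domain is the wrong value.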