Hello All,
I have two FreeIPA servers running in AWS—one primary and one replica—with the DNS entry ipa.testing.com. These servers are running an older version of FreeIPA on CentOS 7 with expired certificates. I inherited this setup from a previous admin.
Since the certificates have expired, I attempted multiple renewal methods, including rolling back the system time, but nothing worked. As a solution, I set up a new FreeIPA primary server with the same DNS entry (ipa.testing.com) and added it to the AWS DHCP configuration alongside the old servers.
Steps Taken:
1. Added the new FreeIPA server to /etc/hosts:
   123.234.543 test.ipa.testing.com test
2. Installed FreeIPA using the following command:
   ipa-server-install --setup-dns --allow-zone-overlap
3. The installation completed successfully. I can log into the UI, create users, and manage configurations without issues.
The Problem:
When installing a FreeIPA client, it does not auto-discover the new FreeIPA server unless I explicitly specify it in the command:
ipa-client-install --hostname=$(hostname -f) --mkhomedir --server=newfreeipa.ipa.testing.com --domain=ipa.testing.com --realm=IPA.TESTING.COM
Without the --server parameter, auto-discovery fails.
Additionally, after successfully enrolling two clients (client-a and client-b), I am unable to resolve their hostnames between them. When I attempt to ping client-a from client-b, I receive:
Name or service not known
What am I missing?
- Why isn’t the client auto-discovering the new FreeIPA server?
- Why can’t the clients resolve each other’s hostnames after enrollment?
- Is there anything I need to adjust in DNS or DHCP to ensure proper resolution and discovery?
Any help would be greatly appreciated! Thanks in advance.
Hi,
do your clients use the new IPA server as DNS server? This can be done prior to calling ipa-client-install.
flo
On Fri, Feb 7, 2025 at 5:01 PM azeem via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
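A pre-enrollment check for the point flo raises, as an added example that is not part of this thread and not FreeIPA's own tooling. ipa-client-install discovers its server through DNS SRV records (_ldap._tcp.<domain> and _kerberos._udp.<domain>), so a client whose resolver still points at the AWS VPC resolver never sees the new server's records; the same resolver setting is what lets client-a and client-b find each other's A records after enrollment. The script assumes a placeholder address 10.0.0.10 for the new IPA server and uses constructed sample inputs; with IPA_CHECK_LIVE=1 it reads the host's real /etc/resolv.conf and queries DNS with dig and getent instead.

```shell
#!/bin/sh
# Added example (not from the thread): check a host's DNS setup before
# running ipa-client-install. Discovery relies on SRV records served by
# the IPA DNS, so the first nameserver must be the IPA server.

IPA_DOMAIN="ipa.testing.com"
IPA_DNS_IP="10.0.0.10"   # assumed address of the new IPA server (placeholder)

# Returns 0 if the first "nameserver" line in the given resolv.conf text
# is the IPA server, 1 otherwise. Argument: resolv.conf contents.
resolver_is_ipa() {
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "$IPA_DNS_IP" ]
}

# Prints SRV targets from "dig +short SRV" output (fields: priority weight
# port target), lowest priority first, with the trailing dot removed.
srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { print $1, $4 }' | sort -n -k1,1 \
        | awk '{ sub(/\.$/, "", $2); print $2 }'
}

# Prints "ok <server>" when the resolver is the IPA server and an LDAP SRV
# record is present; otherwise prints which check failed and returns 1.
# Arguments: resolv.conf text, dig +short SRV output for _ldap._tcp.<domain>.
discovery_status() {
    if ! resolver_is_ipa "$1"; then
        echo "fail resolver-not-ipa"
        return 1
    fi
    target=$(srv_targets "$2" | head -n 1)
    if [ -z "$target" ]; then
        echo "fail no-ldap-srv-record"
        return 1
    fi
    echo "ok $target"
}

# Constructed sample: resolver still points at the AWS VPC resolver.
RESOLV_BAD="search ipa.testing.com
nameserver 10.0.0.2"

# Constructed sample: resolver switched to the new IPA server.
RESOLV_GOOD="search ipa.testing.com
nameserver 10.0.0.10"

# Constructed sample of 'dig +short SRV _ldap._tcp.ipa.testing.com' output.
SRV_GOOD="0 100 389 newfreeipa.ipa.testing.com."
SRV_NONE=""

# Live mode: inspect this host and query the resolver it actually uses.
if [ "${IPA_CHECK_LIVE:-0}" = "1" ]; then
    discovery_status "$(cat /etc/resolv.conf)" \
        "$(dig +short SRV "_ldap._tcp.$IPA_DOMAIN")"
    # Peer resolution (the failing ping in the thread): each enrolled client
    # needs an A record the resolver can find.
    for h in client-a client-b; do
        getent hosts "$h.$IPA_DOMAIN" || echo "no A record for $h.$IPA_DOMAIN"
    done
fi
```

Run the constructed cases with `discovery_status "$RESOLV_BAD" "$SRV_GOOD"` and `discovery_status "$RESOLV_GOOD" "$SRV_GOOD"` to see the two outcomes; the resolver check comes first because a correct SRV record on the IPA server is invisible to a client that never asks that server.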
On Mon, Feb 10, 2025 at 7:36 AM Florence Blanc-Renaud via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hi,
do your clients use the new IPA server as DNS server? This can be done
prior to calling ipa-client-install.
flo
Adding to the answer, if you want to use Ansible, the ansible-freeipa's [1] ipaclient role (and ipareplica) have settings that automate this step for you.
[1] https://github.com/freeipa/ansible-freeipa
Rafael
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat