Hi all,
I have run into a bit of a surprise (for me anyway). After adding a second
NIC to my FreeIPA server in order to provide IPA services for the same
realm to a second network, I am unable to join clients to it and am getting
the following error:
2020-01-29T19:15:55Z DEBUG stderr=
2020-01-29T19:15:55Z DEBUG trying to retrieve CA cert via LDAP from
freeipa.cluster
2020-01-29T19:15:55Z DEBUG get_ca_certs_from_ldap() error: Insufficient
access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Server krbtgt/CLUSTER@<original
domain> not found in Kerberos database)
2020-01-29T19:15:55Z DEBUG Insufficient access: SASL(-1): generic failure:
GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server krbtgt/CLUSTER@<original domain> not found in Kerberos
database)
After doing quite a bit of Googling it appears that multi-homed IPA servers
are not currently supported?
I decided to try something and added the FQDN for the FreeIPA server to the
client's /etc/hosts file, and pointed the FQDN to the secondary IP of the
server, and that appears to have worked properly. The client install
completed without any error via the second network.
Is this the bandaid approach that is currently the best method of doing
this? Is there a better way?
Thanks for the insight!
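The error in the post comes from how a Kerberos client maps a service hostname to a realm. The following is an added illustration (not code from the original post or from FreeIPA) of that mapping: an exact [domain_realm] entry wins, then parent domains with a leading dot, and with no match the client falls back to uppercasing the parent domain. Realm and host names are constructed stand-ins for the poster's redacted values.

```python
"""Model of a Kerberos client's host-to-realm decision (MIT krb5 style).

Added example, not code from the original post or from FreeIPA. It shows why
contacting the server as "freeipa.cluster" makes the client assume realm
CLUSTER and ask its own KDC for krbtgt/CLUSTER, a cross-realm ticket the IPA
KDC cannot issue, while the canonical FQDN maps to the IPA realm.
"""

# Constructed stand-ins for the poster's realm and domain.
IPA_REALM = "EXAMPLE.TEST"
DOMAIN_REALM = {".example.test": IPA_REALM}   # typical [domain_realm] section


def host_to_realm(hostname: str, domain_realm: dict) -> str:
    """Return the realm a client would assume for a service on ``hostname``."""
    host = hostname.rstrip(".").lower()
    if host in domain_realm:                 # exact hostname entry
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # ".example.test", ".test", ...
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    # No mapping: fall back to the uppercased parent domain.
    return ".".join(labels[1:]).upper()


def ldap_service_principal(hostname: str, domain_realm: dict) -> str:
    """Principal the client will request a ticket for when binding via LDAP."""
    return f"ldap/{hostname}@{host_to_realm(hostname, domain_realm)}"


def diagnose(hostname: str, domain_realm: dict, client_realm: str) -> str:
    """Explain what the client's KDC will be asked for, given the hostname used."""
    realm = host_to_realm(hostname, domain_realm)
    if realm == client_realm:
        return f"ok: {ldap_service_principal(hostname, domain_realm)}"
    # Foreign realm: the client first asks its KDC for a cross-realm TGT.
    return f"cross-realm: needs krbtgt/{realm}@{client_realm}"


if __name__ == "__main__":
    print(diagnose("freeipa.cluster", DOMAIN_REALM, IPA_REALM))
    print(diagnose("freeipa.example.test", DOMAIN_REALM, IPA_REALM))
```

The second call corresponds to the poster's /etc/hosts workaround: once the client reaches the server under its canonical FQDN, the realm resolves to the IPA realm and no cross-realm ticket is requested.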