On Mon, 07 Jan 2019, William Muriithi via FreeIPA-users wrote:
I have IPA clients that have both IPv4 and IPv6 addresses. One of the
IPA clients is in the office and hence can reach the IPA server on both IPv4
and IPv6. However, the client outside the LAN can only reach the IPA server
I was able to enroll the external client fine over IPv6 and from the logs,
all clean. However, when I attempted to ssh, it's not able to retrieve the
user from IPA. The client in the office works fine. I can also make for
example LDAP queries and they work over IPv6 fine. It looks like Kerberos
is somehow however using IPv4. I reached this conclusion after taking a
tcpdump when attempting to ssh to the server and the Kerberos traffic from
the client to IPA is on IPv4.
What would I need to do on the IPA client for it to prefer IPv6? I am
aware I could remove IPv4 address from DNS, but that would break any
communication from IPv4 only systems. Any assistance would be appreciated.
that SSSD-generated kdcinfo has IPv6 only addresses in
/var/lib/sss/pubconf/. If not, you need to set
lookup_family_order = ipv6_only
in the domain section in sssd.conf (it defaults to ipv4_first) and
SSSD ensures that KDC discovery in libkrb5 is consistent with SSSD settings through
a KDC locator plugin. SSSD KDC locator plugin uses common name
resolution settings from SSSD.
See man page sssd.conf for details.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
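
The check described in the reply above, as an added example that is not part of the original mail or of SSSD itself: it reports which address families a kdcinfo file lists and whether the domain section of sssd.conf sets lookup_family_order. Assumptions: the kdcinfo file holds one KDC address per line, optionally with a port and with IPv6 optionally in square brackets; the domain name example.test, the sample file contents and all function names are constructed for illustration.

```python
import configparser
import ipaddress

def kdcinfo_families(text):
    """Return the set of IP versions (4 and/or 6) listed in a kdcinfo file body."""
    families = set()
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        if entry.startswith("["):        # assumed form: "[addr]" or "[addr]:port"
            host = entry[1:entry.index("]")]
        elif entry.count(":") == 1:      # assumed form: "a.b.c.d:port"
            host = entry.split(":")[0]
        else:                            # bare IPv4 or bare IPv6 address
            host = entry
        families.add(ipaddress.ip_address(host).version)
    return families

def family_order(sssd_conf_text, domain):
    """Return lookup_family_order for [domain/<domain>]; ipv4_first when unset."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(sssd_conf_text)
    return cfg.get(f"domain/{domain}", "lookup_family_order", fallback="ipv4_first")

def needs_ipv6_only(kdcinfo_text, sssd_conf_text, domain):
    """True when kdcinfo still lists IPv4 KDCs and sssd.conf is not ipv6_only."""
    has_v4 = 4 in kdcinfo_families(kdcinfo_text)
    return has_v4 and family_order(sssd_conf_text, domain) != "ipv6_only"

# Constructed sample inputs (documentation address ranges, hypothetical domain).
SAMPLE_KDCINFO_MIXED = "192.0.2.10\n[2001:db8::10]:88\n"
SAMPLE_KDCINFO_V6 = "[2001:db8::10]\n"
SAMPLE_CONF_DEFAULT = "[sssd]\ndomains = example.test\n\n[domain/example.test]\nid_provider = ipa\n"
SAMPLE_CONF_FIXED = SAMPLE_CONF_DEFAULT + "lookup_family_order = ipv6_only\n"

if __name__ == "__main__":
    for name, kdc, conf in [("before", SAMPLE_KDCINFO_MIXED, SAMPLE_CONF_DEFAULT),
                            ("after", SAMPLE_KDCINFO_V6, SAMPLE_CONF_FIXED)]:
        print(name, sorted(kdcinfo_families(kdc)),
              family_order(conf, "example.test"),
              "change needed" if needs_ipv6_only(kdc, conf, "example.test") else "ok")
```

On a real client the two inputs would be read from the kdcinfo file under /var/lib/sss/pubconf/ and from sssd.conf.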