I think I see the problem - I am really trying to do split DNS in this configuration. So I need to keep DNS working, but somehow there must be a way to have the replica on the outside of the firewall understand that there is split DNS involved. I am having an issue figuring out whether FreeIPA DNS can do that. Any pointers to some docs?


On 6/20/17 1:32 PM, Kat wrote:
Here is an odd problem (I think).

I am using IPA in one environment, and want to set up a replica in another environment through NATed connections. I can set up the client to the NAT server, but here is the tricky part - IPA is also DNS. So if I try to bring the DNS setup over with --

ipa-replica-install --setup-dns --forwarder=10.x.x.x --setup-ca

It fails, because when it tries to look up the master on the other side of the NAT FW, of course it resolves incorrectly. The first failure is conn-check, so even if I --skip-conncheck, it still fails since DNS will not resolve.
