Hi, I already found a few threads with people with a similar issue, but I was not able to find one pointing to the right solution. Maybe someone can give me a direction in case there is one that I overlooked:

We run a datacenter with lots of VLANs and different networks. Each network has a different (sub)domain. (I replaced our domain with tld in this thread.) The IPA servers reside in an infrastructure network: "back.inf.tld.de". The REALM is called "auth.tld.de" (and the hostnames of the IPA servers are also *.auth.tld.de). That works very well; I can connect clients from all networks with all kinds of FQDNs as long as they can reach the IP associated with that name.

But I have a few networks that cannot reach this network (intentionally), so I added a second network card to the IPA servers with a new set of hostnames -> "*.store.tld.de". I added the Kerberos config / SRV records into the zone that is managed by one of our DNS servers (not managed by IPA), so discovery works fine.

The first problem was the missing SANs for the services like ldap, httpd etc. That was easy to solve by adding principal aliases and using the ipa-getcert tool to re-issue the certificates.

Now when running

    ipa-client-install --mkhomedir --domain=store.tld.de --realm=AUTH.TLD.DE

it looks okay until it tries to communicate with the HTTP service to POST data to ipa01.store.tld.de/ipa/xml. It answers with:

    <?xml version='1.0' encoding='UTF-8'?>
    <methodResponse>
    <fault>
    <value><struct>
    <member>
    <name>faultCode</name>
    <value><int>911</int></value>
    </member>
    <member>
    <name>faultString</name>
    <value><string>Missing or invalid HTTP Referer, https://ipa01-ka.tld.d0m.de/ipa/xml</string></value>
    </member>
    </struct></value>
    </fault>
    </methodResponse>

    RPC failed at server. Missing or invalid HTTP Referer, https://ipa01-ka.tld.d0m.de/ipa/xml

I tried rewriting the request on the IPA server via mod_rewrite but failed. Has somebody managed to get this to work? This has to be a common thing to achieve, right? There are always protected networks (like those you put the SPs in) that you don't want to route into other networks.
Greetings
Ju

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
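An added illustration (not part of the post above and not FreeIPA's own code) of why certificate SANs and principal aliases do not help with this particular fault. The post does not show the server-side code, so the check is modelled here as an assumption: the RPC endpoint accepts a request only when its Referer header starts with "https://<canonical server FQDN>/ipa", where the canonical FQDN is the one the server was installed with, regardless of which name or interface the client used to reach it. The client, for its part, sends the URL it is posting to as its Referer. The hostnames ipa01.auth.tld.de and ipa01.store.tld.de are taken from the post; the sample fault body is the one quoted in the post with the "\n" escapes turned into real newlines, and it is parsed with the standard library's xmlrpc.client.

```python
"""Model of the FreeIPA RPC Referer check plus a parser for the XML-RPC
fault quoted in the post. Added example; assumptions are marked below."""
import xmlrpc.client

# Fault code seen in the post for a rejected Referer.
REFERER_FAULT_CODE = 911
# Message format inferred from the post's faultString (assumption).
REFERER_FAULT_FMT = "Missing or invalid HTTP Referer, {referer}"

# Constructed sample: the fault body quoted in the post, unescaped.
SAMPLE_FAULT = """<?xml version='1.0' encoding='UTF-8'?>
<methodResponse>
<fault>
<value><struct>
<member>
<name>faultCode</name>
<value><int>911</int></value>
</member>
<member>
<name>faultString</name>
<value><string>Missing or invalid HTTP Referer, https://ipa01-ka.tld.d0m.de/ipa/xml</string></value>
</member>
</struct></value>
</fault>
</methodResponse>
"""


def parse_fault(body):
    """Return (faultCode, faultString) for an XML-RPC fault body, or None
    when the body is an ordinary (non-fault) methodResponse."""
    try:
        xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return fault.faultCode, fault.faultString
    return None


def client_referer(server_url):
    """The Referer an RPC client sends: the URL it is posting to, i.e. the
    name the client used to reach the server (assumption about the client)."""
    return server_url


def check_referer(referer, canonical_host):
    """Assumed model of the server-side check: the Referer must begin with
    'https://<canonical_host>/ipa'. Returns None when accepted, otherwise
    the (faultCode, faultString) pair the server would send back."""
    if referer is None:
        return REFERER_FAULT_CODE, REFERER_FAULT_FMT.format(referer="missing")
    if not referer.startswith("https://%s/ipa" % canonical_host):
        return REFERER_FAULT_CODE, REFERER_FAULT_FMT.format(referer=referer)
    return None


def fault_body(code, message):
    """Serialise a fault the way an XML-RPC server would, so the round
    trip through parse_fault() can be checked."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, message),
                               methodresponse=True)


def simulate(client_url, canonical_host):
    """Full path: client picks a Referer from the URL it posts to, the
    server checks it against its own canonical FQDN, and the client parses
    whatever comes back. Returns None on success or the parsed fault."""
    verdict = check_referer(client_referer(client_url), canonical_host)
    if verdict is None:
        return None
    return parse_fault(fault_body(*verdict))


if __name__ == "__main__":
    canonical = "ipa01.auth.tld.de"          # name the server was installed with
    print(parse_fault(SAMPLE_FAULT))
    print(simulate("https://ipa01.auth.tld.de/ipa/xml", canonical))   # accepted
    print(simulate("https://ipa01.store.tld.de/ipa/xml", canonical))  # 911 fault
```

The point the model makes: the comparison is against the hostname the server believes is its own, so a second name that is valid for TLS and Kerberos still fails the Referer prefix check unless the server is told about it or the request arrives with the canonical name in the Referer.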
