Hello FreeIPA-Users mailing list,

Appreciate the hard work put into building FreeIPA. I have a bit of a dilemma. 
On three separate, isolated, identical network environments, I have a cluster of 
FreeIPA servers running on CentOS 7 (FreeIPA Server 4.6.8-5). Replication is 
broken on all three environments: errors in the Dirsrv log indicate 
communication timeouts and an inability for the replicas to authenticate their 
Kerberos tickets. All machines have a 15-minute Kerberos timeout set in 
krb5.conf due to security requirements. The environments have consistent NTP 
time from the network equipment, with drift between sites measured at less than 5 
seconds.

Trying to manually force-sync does not work - the replication just times out. 
Eventually user entry changes replicate across the 3 isolated domains, but only 
on the servers that are on the same layer 2 network. To rule out network 
security blocking the replication traffic I disabled switch ACLs and VM 
firewalls temporarily - no change on the broken replicas. On one of the three 
networks, I rebuilt the malfunctioning replicas from scratch - same hardening 
baseline. The new instances of IPA were not able to replicate to the original 
primary server, but they do pull in all of the domain information on first 
setup. I then tried making a totally new IPA server on the same baseline with a 
new host name not seen in the domain before - this works perfectly. One of my 
colleagues who maintains a separate IPA cluster stated that he was unable to 
reuse replica host names when he rebuilt replica systems on Rocky 8 and RHEL8.

Short questions:

- Can an IPA Server have its krb5.conf Kerberos session timeout set as low as 
15 minutes? Or do I need to keep this higher?
- If I can't get force-sync to work, and I can't use re-initialize either, is 
the only route to rebuild the replica? 
- Can host names of IPA servers be reused on rebuild? If so, what needs to be 
cleaned out of the domain? I did make sure the old instance of a replica was 
wiped from DNS, CA, and Replication agreements after the ipa-replica-manage 
del. 
- Are there known settings in the DISA STIG for RHEL7 or the CIS Level2 
hardening benchmark that break IPA functionality post-install? 
- What would be the best replication topology for an environment of 3 IPA 
servers in 2 locations, and 2 IPA servers in a third location? Network latency 
between locations is sub-10ms and very consistent. 

If you need log entries I can provide general error messages but not the whole 
log. 

Thank you very much for any pointers/advice.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org