Hi, I have placed a load balancer (using netfilter's LVS) before both freeipa 
servers (main and replica). 
Trying to join a client pointing to this loadbalancer simply doesn't work. 
Firewall is tested and all needed ports are open and correctly forwarded to the 
freeipa nodes.
Also tried adding the LB DNS record to the existing DNS record types, such as 
ldap, kerberos, ns, txt etc.

Has anyone attempted freeipa invalid behind an LB? Is this a terrible idea and 
if possible does anyone have any pointers?
ADDING CLIENT RESULTS IN:

Using existing certificate '/etc/ipa/ca.crt'.
Skip idmlb.linux.redacted.invalid: LDAP server is not responding, unable to 
verify if this is an IPA server
Failed to verify that idmlb.linux.redacted.invalid is an IPA Server.
This may mean that the remote server is not up or is not reachable due to 
network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly 
after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
The ipa-client-install command failed. See /var/log/ipaclient-install.log for 
more information

DEBUG:

2024-06-13T14:18:36Z DEBUG stderr=
2024-06-13T14:18:36Z DEBUG Deleting invalid keytab: '/etc/krb5.keytab'.
2024-06-13T14:18:36Z WARNING Using existing certificate '/etc/ipa/ca.crt'.
2024-06-13T14:18:36Z DEBUG [IPA Discovery]
2024-06-13T14:18:36Z DEBUG Starting IPA discovery with 
domain=linux.redacted.invalid, servers=['idmlb.linux.redacted.invalid'], 
hostname=happyhost.infra.redacted.invalid
2024-06-13T14:18:36Z DEBUG Server and domain forced
2024-06-13T14:18:36Z DEBUG [Kerberos realm search]
2024-06-13T14:18:36Z DEBUG Kerberos realm forced
2024-06-13T14:18:36Z DEBUG [LDAP server check]
2024-06-13T14:18:36Z DEBUG Verifying that idmlb.linux.redacted.invalid (realm 
LINUX.redacted.invalid) is an IPA server
2024-06-13T14:18:36Z DEBUG Init LDAP connection to: 
ldap://idmlb.linux.redacted.invalid:389
2024-06-13T14:18:36Z DEBUG LDAP Error: cannot connect to 
'ldap://idmlb.linux.redacted.invalid:389':
2024-06-13T14:18:36Z WARNING Skip idmlb.linux.redacted.invalid: LDAP server is 
not responding, unable to verify if this is an IPA server
2024-06-13T14:18:36Z DEBUG Discovery result: NO_LDAP_SERVER; server=None, 
domain=linux.redacted.invalid, kdc=idmlb.linux.redacted.invalid, basedn=None
2024-06-13T14:18:36Z DEBUG Validated servers:
2024-06-13T14:18:36Z ERROR Failed to verify that idmlb.linux.redacted.invalid 
is an IPA Server.
2024-06-13T14:18:36Z ERROR This may mean that the remote server is not up or is 
not reachable due to network or firewall settings.
