> On 7 Feb 2018, at 21:51, Andrew Meyer via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> We are trying to deploy FreeIPA in our environment, this will be a mix of
> local servers and server to manage auth in EC2. We have a vpn tunnel setup
> and are able to communicate across it. In an Amazon Linux 2 instance I was
> able to get FreeIPA installed as a client and am now trying to promote it to
> a replica. However I am getting the following error:
>
> [ec2-user@freeipa-host ~]$ sudo ipa-replica-install --setup-ca
> --ssh-trust-dns --mkhomedir --setup-kra
> Password for ad...@domain.net:
> ipa : ERROR Reverse DNS resolution of address 10.10.52.158
> (infra-freeipa1-aws.gatewayblend.net) failed. Clients may not
> function properly. Please check your DNS setup. (Note that this check queries
> IPA DNS directly and ignores /etc/hosts.)
>
> Doing some digging on Google I found this
> https://yyhh.org/blog/2017/12/freeipa-aws-ec2
>
> In this instance DNS was NOT setup on the FreeIPA machine in AWS and fqdn
> were setup in /etc/hosts and /etc/hostname.
>
> 1) Is this the preferred method?
> 2) Could I still install DNS on the server in AWS to ONLY manage an internal
> zone?

Hello Andrew!

In this case, the note in your error message is important: There is no reverse address for 10.10.52.158 in FreeIPA. You’ll need to access it and add the reverse zone in Network Services -> DNS and add a PTR entry for your new replica (10.10.52.158). After this you shouldn’t have problems with setting up replicas.

If you use a VPN, you may have to set up a split-horizon DNS, so that your replication traffic will go through the VPN.

--
Aljaž Srebrnič a.k.a g5pw
My public key: https://g5pw.me/key
Key fingerprint = 2109 8131 60CA 01AF 75EC 01BF E140 E1EE A54E E677
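
Added example, not part of the original messages: a command-line equivalent of the Web UI steps in the reply above, using the address and hostname from the quoted error. It assumes a /24 reverse zone; IPA_DNS is a hypothetical placeholder, and the commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example. IP and FQDN come from the quoted error message; IPA_DNS is a
# hypothetical placeholder for an existing IPA DNS server. Assumes a /24
# reverse zone and a valid admin Kerberos ticket (kinit admin) when APPLY=1.
IP="10.10.52.158"
FQDN="infra-freeipa1-aws.gatewayblend.net"
IPA_DNS="ipa-server.example.test"

# a.b.c.d -> c.b.a.in-addr.arpa. (the /24 reverse zone holding the address)
reverse_zone() (
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] || { echo "not an IPv4 address: $1" >&2; return 1; }
    printf '%s.%s.%s.in-addr.arpa.\n' "$c" "$b" "$a"
)

# Within a /24 reverse zone the PTR record name is the last octet.
ptr_name() { printf '%s\n' "${1##*.}"; }

# Print each command by default; execute it only when APPLY=1.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Create the reverse zone and the PTR record pointing at the replica's FQDN.
# dnszone-add reports an error if the zone already exists; the record is still added.
add_ptr() {
    zone=$(reverse_zone "$1") || return 1
    run ipa dnszone-add "$zone"
    run ipa dnsrecord-add "$zone" "$(ptr_name "$1")" "--ptr-rec=$2."
}

# Ask the IPA DNS server directly, as the installer's check does.
check_ptr() { run dig +short -x "$1" "@$2"; }

add_ptr "$IP" "$FQDN"
check_ptr "$IP" "$IPA_DNS"
```

Once the dig query against the IPA server returns the replica's hostname, the reverse lookup that failed in the quoted error has an answer in IPA DNS.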