Re: [Freeipa-users] Multi site IPA scenario - DNS issue

2017-03-14 Thread Jan Karásek
Hi,

this is simply because of the network design and we are probably not able to change 
that at the moment. So IPA clients are restricted to IPA servers in their own 
site and only IPA servers are able to do inter-site communication. 

The plan is to add more IPA servers into each site so clients will have backup 
servers inside each site.
Just now I am simply trying to establish the first inter-site replication to prove 
that the design is possible.

Jan 

- Original Message -
From: "Martin Basti" <mba...@redhat.com>
To: "Jan Karásek" <jan.kara...@elostech.cz>, "freeipa-users" 
<freeipa-users@redhat.com>
Sent: Tuesday, March 14, 2017 7:26:18 PM
Subject: Re: [Freeipa-users] Multi site IPA scenario - DNS issue

On 14.03.2017 17:05, Jan Karásek wrote:
> Hi,
> please can you point me in the right direction with this issue?
> Scenario: 
> Site A, Site B, IPA in Site A is already installed with DNS, CA and I want 
> to create a replica in Site B.
> OS: RHEL 7.3, IPA 4.4
>
>
> Site A - 192.168.0.0/24
> IPA_A server interfaces:
> eth0: 192.168.0.10   -- access for clients in Site A
> eth1: 192.168.10.100 -- interface to Site B
> domain: sitea.mylab.test
>
>
> Site B - 192.168.1.0/24
> IPA_B server interfaces:
> eth0: 192.168.1.10   -- access for clients in Site B
> eth1: 192.168.10.200 -- interface to Site A
> domain: siteb.mylab.test
>
>
> IPA clients can reach only servers in their own site via eth0 - no access to 
> IPA servers in other sites.
> Servers can communicate with each other only via eth1.
> I am having trouble finding out how to set DNS records for this scenario. 
>
> Just now I have IPA_A installed and I want to create a replica on the IPA_B server.
> DNS for zone sitea.mylab.test:
>
> ipa_a    A    192.168.0.10
> ...      SRV  ipa_a.sitea.mylab.test
>
> So just now in DNS I have only the A record for the interface facing Site A. 
>
> The trouble is that the server in Site B (ipa_b) is not able to communicate with 
> the server in Site A (ipa_a) via the 192.168.0.10 address which it gets from DNS; 
> servers can communicate only on eth1 (192.168.10.0/24).
>
>
> So when I point resolv.conf on IPA_B to IPA_A and try to run 
>
> ipa-replica-install --principal admin --admin-password admin_password 
> --setup-dns --setup-ca ...
>
> I cannot access the IPA_A server because it is resolving to 192.168.0.10.
>
> So is this a supported scenario? What would be the solution? I can probably fix 
> that in the /etc/hosts file, but I would like to keep it all in DNS.
>
> Thank you,
>
> Jan
>
>
Hello,

this is a really nonstandard situation for IPA.

I suggest using just one IP address with IPA to make things less
complicated; can you leave only 192.168.10.{100|200} for the IPA servers and
allow the host subnets to communicate with the particular IPA servers?

Why do you want to prevent clients from communicating with the other IPA
server? You will have no backup for clients in case one replica fails.

If you just want clients to prefer the closer replica you may want to
use the IPA location feature
https://www.freeipa.org/page/Howto/IPA_locations and just keep clients
outside of location failing.


If you really need to separate subnets with different IP addresses, you
need DNS views for that and IPA DNS must be configured to respect that.

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Multi site IPA scenario - DNS issue

2017-03-14 Thread Martin Basti


On 14.03.2017 17:05, Jan Karásek wrote:
> Hi,
> please can you point me in the right direction with this issue?
> Scenario: 
> Site A, Site B, IPA in Site A is already installed with DNS, CA and I want 
> to create a replica in Site B.
> OS: RHEL 7.3, IPA 4.4
>
>
> Site A - 192.168.0.0/24
> IPA_A server interfaces:
> eth0: 192.168.0.10   -- access for clients in Site A
> eth1: 192.168.10.100 -- interface to Site B
> domain: sitea.mylab.test
>
>
> Site B - 192.168.1.0/24
> IPA_B server interfaces:
> eth0: 192.168.1.10   -- access for clients in Site B
> eth1: 192.168.10.200 -- interface to Site A
> domain: siteb.mylab.test
>
>
> IPA clients can reach only servers in their own site via eth0 - no access to 
> IPA servers in other sites.
> Servers can communicate with each other only via eth1.
> I am having trouble finding out how to set DNS records for this scenario. 
>
> Just now I have IPA_A installed and I want to create a replica on the IPA_B server.
> DNS for zone sitea.mylab.test:
>
> ipa_a    A    192.168.0.10
> ...      SRV  ipa_a.sitea.mylab.test
>
> So just now in DNS I have only the A record for the interface facing Site A. 
>
> The trouble is that the server in Site B (ipa_b) is not able to communicate with 
> the server in Site A (ipa_a) via the 192.168.0.10 address which it gets from DNS; 
> servers can communicate only on eth1 (192.168.10.0/24).
>
>
> So when I point resolv.conf on IPA_B to IPA_A and try to run 
>
> ipa-replica-install --principal admin --admin-password admin_password 
> --setup-dns --setup-ca ...
>
> I cannot access the IPA_A server because it is resolving to 192.168.0.10.
>
> So is this a supported scenario? What would be the solution? I can probably fix 
> that in the /etc/hosts file, but I would like to keep it all in DNS.
>
> Thank you,
>
> Jan
>
>
Hello,

this is a really nonstandard situation for IPA.

I suggest using just one IP address with IPA to make things less
complicated; can you leave only 192.168.10.{100|200} for the IPA servers and
allow the host subnets to communicate with the particular IPA servers?

Why do you want to prevent clients from communicating with the other IPA
server? You will have no backup for clients in case one replica fails.

If you just want clients to prefer the closer replica you may want to
use the IPA location feature
https://www.freeipa.org/page/Howto/IPA_locations and just keep clients
outside of location failing.


If you really need to separate subnets with different IP addresses, you
need DNS views for that and IPA DNS must be configured to respect that.

Martin

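The two fixes Martin sketches (per-subnet DNS views versus one address per server plus the IPA locations feature) are easier to compare with a small model. The following Python is an added example, not code from the thread or from the FreeIPA project: it takes only the subnets and hostnames Jan posted, models his "traffic stays inside its own subnet" rule as a `reachable()` check, and contrasts a flat zone, a first-match view table, and location-weighted SRV priorities. The view names, the `sitea`/`siteb` location labels and the 0/50 priorities are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Subnets taken from the thread; everything else here is a constructed model.
SITE_A_CLIENTS = ipaddress.ip_network("192.168.0.0/24")
SITE_B_CLIENTS = ipaddress.ip_network("192.168.1.0/24")
SERVER_LINK = ipaddress.ip_network("192.168.10.0/24")
SUBNETS = (SITE_A_CLIENTS, SITE_B_CLIENTS, SERVER_LINK)


def reachable(src_ip: str, dst_ip: str) -> bool:
    """Thread's network rule: traffic only flows inside one subnet. Clients
    never reach the server-to-server link (eth1) and servers never reach the
    other site's client subnet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in net and dst in net for net in SUBNETS)


# --- Jan's current state: one zone, one A record for ipa_a -----------------
FLAT_ZONE: Dict[str, str] = {"ipa_a.sitea.mylab.test": "192.168.0.10"}


def resolve_flat(name: str, client_ip: str) -> Optional[str]:
    """Every client gets the same answer, whoever asks."""
    return FLAT_ZONE.get(name)


# --- Martin's option 1: DNS views, answer depends on the asking subnet ------
@dataclass(frozen=True)
class View:
    name: str                      # hypothetical view label
    match_clients: ipaddress.IPv4Network
    a_records: Dict[str, str]


VIEWS: Tuple[View, ...] = (
    View("site-a", SITE_A_CLIENTS, {"ipa_a.sitea.mylab.test": "192.168.0.10"}),
    View("site-b", SITE_B_CLIENTS, {"ipa_b.siteb.mylab.test": "192.168.1.10"}),
    # Servers talk over eth1, so the server link gets the eth1 addresses.
    View("servers", SERVER_LINK, {
        "ipa_a.sitea.mylab.test": "192.168.10.100",
        "ipa_b.siteb.mylab.test": "192.168.10.200",
    }),
)


def resolve_view(name: str, client_ip: str) -> Optional[str]:
    """First view whose client list contains the source address wins,
    mirroring how BIND evaluates match-clients on views."""
    client = ipaddress.ip_address(client_ip)
    for view in VIEWS:
        if client in view.match_clients:
            return view.a_records.get(name)
    return None


Resolver = Callable[[str, str], Optional[str]]


def check_lookup(resolver: Resolver, name: str, client_ip: str) -> Tuple[Optional[str], bool]:
    """Return (answer, usable). usable is False when DNS hands out an address
    the asking host cannot reach, which is the replica-install failure the
    thread describes."""
    answer = resolver(name, client_ip)
    return answer, (answer is not None and reachable(client_ip, answer))


# --- Martin's option 2: one address per server, location-aware SRV priority --
# Server -> location label (constructed; IPA locations carry the same idea).
SERVERS: Dict[str, str] = {
    "ipa_a.sitea.mylab.test": "sitea",
    "ipa_b.siteb.mylab.test": "siteb",
}


def srv_for_location(client_location: str, port: int = 88) -> List[Tuple[int, int, int, str]]:
    """SRV-style (priority, weight, port, target) tuples, lowest priority
    first: the replica in the client's own location is preferred, and the
    other one stays in the answer as a fallback instead of being firewalled away."""
    records = []
    for host, location in SERVERS.items():
        priority = 0 if location == client_location else 50
        records.append((priority, 100, port, host))
    return sorted(records)


if __name__ == "__main__":
    # ipa_b (source 192.168.10.200) resolving ipa_a during replica install.
    for label, resolver in (("flat zone", resolve_flat), ("views", resolve_view)):
        print(label, check_lookup(resolver, "ipa_a.sitea.mylab.test", "192.168.10.200"))
    print("site B client SRV order:", srv_for_location("siteb"))
```

Running it shows the flat zone handing ipa_b an address it cannot reach (`("192.168.0.10", False)`), the view table handing it the eth1 address instead, and a Site B client receiving both replicas with ipa_b at priority 0, which is the "prefer the closer replica but keep a backup" behaviour Martin recommends over blocking cross-site client traffic.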