[Freeipa-users] Enrolling with multiple IPA servers

Dmitri Pal dpal at redhat.com
Mon Oct 6 18:41:51 UTC 2014

On 10/06/2014 01:54 PM, Nordgren, Bryce L -FS wrote:
>> The hostname put by ipa-client-install corresponds to the server to which this
>> client is enrolled.  You enroll with a single server, after all.
> How would one enroll with multiple IPA servers? For instance, a standard configuration for a Rocks HPC cluster is to have at least two and usually three networks active, with different DNS zones for each. The "public" network is "company.example.com", "private" is typically an isolated GbE network named "local", and there's usually a fast network for real work (Infiniband or 10GbE); let's name it "ipoib" for IP over Infiniband. There may also be a slow 100bT network for management.
> A few machines have access to all three networks (headnode.company.example.com, headnode.local, and headnode.ipoib). Compute nodes have access to two (compute-0-0.local, compute-0-0.ipoib).
> Is it possible to make a single IPA instance manage the two isolated networks (local and ipoib)? Would multiple IPA servers and multiple enrollments be required? Once an IPA solution is defined, how does one configure openssh/sssd/krb5 on the compute nodes such that Kerberos SSO (and NFS server access) works regardless of which isolated network is used for communication?
> Would the compute nodes' two-network configuration be extensible to the headnode's three-network configuration?

IPA can manage several DNS zones but so far clients can only be a part 
of one DNS zone. I am not sure how the name resolution would work in 
case the client is accessible via several networks. I suspect the 
kerberos client would need to have some sort of setting that would 
indicate that despite how it is resolved via net A, B, or C it should 
map to the same principal and key. I would be surprised if there is not 
such override in the krb5.conf but I do not know for sure.

> Thanks,
> Bryce
> This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

More information about the Freeipa-users mailing list