[Freeipa-users] Enrolling with multiple IPA servers

Alexander Bokovoy abokovoy at redhat.com
Mon Oct 6 18:43:40 UTC 2014

On Mon, 06 Oct 2014, Nordgren, Bryce L -FS wrote:
>> The hostname put by ipa-client-install corresponds to the server to which this
>> client is enrolled.  You enroll with a single server, after all.
>How would one enroll with multiple IPA servers? For instance, a
>standard configuration for a Rocks HPC cluster is to have at least two
>and usually three networks active, with different DNS zones for each.
>The "public" network is "company.example.com", "private" is typically
>an isolated GbE network named "local", and there's usually a fast
>network for real work (Infiniband or 10GbE); let's name it "ipoib" for
>IP over Infiniband. There may also be a slow 100bT network for
I don't think this has anything to do with 'enroll with multiple IPA servers'.

'Enrolling a host' in IPA terms means:
 1. creating a host record + Kerberos principal for host/`hostname`
 2. configuring the client to provide identity information, with
    host/`hostname` as an originator when talking to LDAP and other

As all IPA masters are equal and only differs in additional services
like hosting CA or DNS, a record created at one of them will be
propagated to all of others in the topology. So (1) can be done at any
accessible IPA master.

By default (2) is configured against the server used at (1). If
discovery of IPA master using SRV records was successful, SSSD will have
its configuration pointed to use _srv_ (meaning do dynamic discovery
using SRV records at run time) and using the server this host was
enrolled to as a server of last hope.

If you want to use another strategy, you are welcome to change the
generated configuration to something different.

If you have some masters that are accessible by these isolated nodes,
enroll isolated nodes against these masters. Nobody prevents you to
select your deployment strategy and manipulate configuration files
afterwards. Purpleidea's puppet module even allows you to define IPA
masters' topology right in puppet scripts, if puppet is in use.

>A few machines have access to all three networks
>(headnode.company.example.com, headnode.local, and headnode.ipoib).
>Compute nodes have access to two (compute-0-0.local,
>Is it possible to make a single IPA instance manage the two isolated
>networks (local and ipoib)? Would multiple IPA servers and multiple
>enrollments be required? Once an IPA solution is defined, how does one
>configure openssh/sssd/krb5 on the compute nodes such that Kerberos SSO
>(and NFS server access) works regardless of which isolated network is
>used for communication?  Would the compute nodes' two-network
>configuration be extensible to the headnode's three-network
If you want to make IPA masters available through several interfaces,
you need to select one of that interfaces as primary and add SAN names
to the certificates (LDAP, HTTP) of that server so that any node
enrolled to this master will be able to use it. Think of those nodes as
IPA masters in the isolated network, then enroll your isolated computing
nodes to those masters.

As long as you have means to uniquely identify DNS names of all hosts
and your local IPA master can give you a ticket to a host/`hostname` of
a host in question, things will work on Kerberos level.
/ Alexander Bokovoy

More information about the Freeipa-users mailing list