[Freeipa-users] multihome - single interface?

Janne Blomqvist janne.blomqvist at aalto.fi
Fri Apr 10 08:52:02 UTC 2015


On 2015-04-07 14:29, Martin Kosek wrote:
> On 04/05/2015 08:03 PM, Dmitri Pal wrote:
> > On 04/05/2015 12:51 PM, Janelle wrote:
> >> Hello,
> >>
> >> Trying to find a way on a multi-homed server to force IPA and its related
> >> apps to listen on a specific interface. I can find all kinds of info saying
> >> "the services listen on all interfaces by default" so there must be a way?
> >>
> >> Thank you
> >> ~J
> >>
> > Sounds familiar.
> > I think there is a ticket open for that.
>
> This is the RFE:
>
> https://fedorahosted.org/freeipa/ticket/3338
>
> Just in case anybody would like to help us extend FreeIPA installers :-)
>

Hi,

I have a related, or opposite really, problem.

So I have configured IPA for a domain (say, ipa.example.org). Then I 
have a bunch of client machines that can join the domain etc. Fine so far.

However, I also have another bunch of client machines on an internal 
network (with NAT access to the outside world). So for these I add 
another network interface on the IPA servers. So my IPA servers have 
two IPs and DNS names, say, ipa1.ipa.example.org (some public IP) and 
ipa1.local (10.x.x.x IP). Now it doesn't work so well anymore for these 
clients, because the krb principals for the IPA server(s) are bound to 
the public name, so joining the domain fails (ipa1.local != 
ipa1.ipa.example.org). I can sort of make it work by joining via the 
public interface (manually creating the machine accounts on the IPA 
server first, since otherwise it doesn't understand clientX.local DNS 
names/IPs), but then obviously all communication goes via the NAT box, 
which is a SPOF.

So is there some reasonable way to make the above work? Can I just add 
krb principals for ipa1.local on the IPA server manually with kadmin? Or 
do I have to set up another pair of IPA servers for the internal network, 
with some kind of sync/trust with the public IPA servers?


-- 
Janne Blomqvist, D.Sc. (Tech.), Scientific Computing Specialist
Aalto University School of Science, PHYS & NBE
+358503841576 || janne.blomqvist at aalto.fi
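The failure described in the mail above comes from how a Kerberos client builds the service principal it asks the KDC for: service/hostname@REALM, where hostname is the name it connected to (ipa1.local), while the server's keytab only holds keys for the public name. The following is an added diagnostic example, not code from the thread or from the FreeIPA project. It parses `klist -k` style output (a constructed sample is embedded) and reports, for each name a multihomed IPA server answers to, which of the principals an enrolling client would request are absent. The realm IPA.EXAMPLE.ORG, the two hostnames and the keytab contents are assumptions for illustration.

```python
"""Check that a multihomed IPA server's keytab covers every name clients use.

Added example, not part of the original mail thread or of FreeIPA itself.
Parses `klist -k` style output (constructed sample below) and reports, per
hostname, the Kerberos service principals that are missing.  Hostnames,
realm and keytab content are assumptions.
"""
import re

REALM = "IPA.EXAMPLE.ORG"  # assumed realm for the ipa.example.org domain

# Constructed sample of `klist -k /etc/krb5.keytab` on ipa1: only the public
# name has keys, which is the situation the mail describes.  Entries repeat
# once per encryption type in real output, hence the duplicate host/ line.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ipa1.ipa.example.org@IPA.EXAMPLE.ORG
   2 host/ipa1.ipa.example.org@IPA.EXAMPLE.ORG
   3 ldap/ipa1.ipa.example.org@IPA.EXAMPLE.ORG
"""

# Names the server is reachable as (one per interface), and the services an
# enrolling client authenticates to on whichever name it used.
SERVER_NAMES = ["ipa1.ipa.example.org", "ipa1.local"]
REQUIRED_SERVICES = ["host", "ldap"]


def parse_klist(text):
    """Return the set of principals in klist -k output (KVNO column dropped,
    per-enctype duplicates collapsed)."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)$", line)
        if m:
            principals.add(m.group(1))
    return principals


def client_principal(service, hostname, realm=REALM):
    """Principal a client derives from the name it connected to
    (service/host@REALM).  No DNS canonicalisation is applied here, which is
    exactly why an alternate interface name needs its own keys."""
    return f"{service}/{hostname.lower().rstrip('.')}@{realm}"


def missing_principals(keytab_text, names=SERVER_NAMES, services=REQUIRED_SERVICES):
    """Map each server name to the principals a client would request but the
    keytab cannot decrypt tickets for.  Names with full coverage are omitted."""
    have = parse_klist(keytab_text)
    missing = {}
    for name in names:
        gaps = [client_principal(s, name) for s in services
                if client_principal(s, name) not in have]
        if gaps:
            missing[name] = gaps
    return missing


if __name__ == "__main__":
    for name, gaps in missing_principals(SAMPLE_KLIST).items():
        print(f"{name}: missing {', '.join(gaps)}")
```

Run against a real server, feed it the output of `klist -k /etc/krb5.keytab` and of the LDAP and HTTP service keytabs (FreeIPA keeps the HTTP/ key in a separate keytab, so a single file will not show it). Any name that appears in the report is one that clients cannot enrol through, regardless of whether it resolves correctly.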