[Freeipa-users] Mutli site IPA scenario - DNS issue

Martin Basti mbasti at redhat.com
Tue Mar 14 18:26:18 UTC 2017



On 14.03.2017 17:05, Jan Karásek wrote:
> Hi,
> please can you point me in the right direction with this issue?
> Scenario:
> Site A, Site B; IPA in Site A is already installed with DNS and CA, and I want to create a replica in Site B.
> OS: RHEL 7.3, IPA 4.4
>
>
> Site A - 192.168.0.0/24
> IPA_A server interfaces:
> eth0: 192.168.0.10       -- access for clients in Site A
> eth1: 192.168.10.100     -- interface to Site B
> domain: sitea.mylab.test
>
>
> Site B - 192.168.1.0/24
> IPA_B server interfaces:
> eth0: 192.168.1.10       -- access for clients in Site B
> eth1: 192.168.10.200     -- interface to Site A
> domain: siteb.mylab.test
>
>  
> IPA clients can reach only servers in their own site via eth0 - no access to IPA servers in other sites.
> Servers can communicate with each other only via eth1.
> I am having trouble finding out how to set DNS records for this scenario.
>
> Just now I have IPA_A installed and I want to create a replica on the IPA_B server.
> DNS for zone sitea.mylab.test:
>
> ipa_a    A    192.168.0.10
> ...      SRV  ipa_a.sitea.mylab.test
>
> So just now in DNS I have only an A record for the interface facing Site A.
>
> The trouble is that the server in Site B (ipa_b) is not able to communicate with the server in Site A (ipa_a) via the 192.168.0.10 address which it gets from DNS; the servers can communicate only on eth1 (192.168.10.0/24).
>
>
> So when I point resolv.conf on IPA_B to IPA_A and try to run
>
> ipa-replica-install --principal admin --admin-password admin_password --setup-dns --setup-ca ...
>
> I cannot access the IPA_A server because it resolves to 192.168.0.10.
>
> So is this a supported scenario? What would be the solution? I can probably fix that in the /etc/hosts file, but I would like to keep it all in DNS.
>
> Thank you,
>
> Jan
>
Hello,

this is a really nonstandard situation for IPA.

I suggest using just one IP address with IPA to make things less
complicated: can you leave only 192.168.10.{100|200} for the IPA servers and
allow the host subnets to communicate with the particular IPA servers?

Why do you want to prevent clients from communicating with the other IPA
server? You will have no backup for clients in case one replica fails.

If you just want clients to prefer the closer replica, you may want to
use the IPA location feature
https://www.freeipa.org/page/Howto/IPA_locations and just keep clients
outside of the location failing.


If you really need to separate subnets with different IP addresses, you
need DNS views for that, and IPA DNS must be configured to respect that.

Martin
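As an added illustration (not part of the thread and not FreeIPA code), a small pre-flight check that classifies the addresses DNS returns for the peer IPA server against the networks the replica host can actually reach, so the mismatch described above is caught before ipa-replica-install is run. It assumes the host only reaches its directly attached subnets; SITE_B_NETWORKS and the sample DNS answers are constructed from the scenario in the question.

```python
"""Pre-flight check: will a replica reach its peer IPA server at the address
DNS hands out for it?  Constructed example for the two-site layout above."""
import ipaddress
import socket
from typing import Iterable


def resolve_a_records(hostname: str) -> list:
    """Live IPv4 lookup through the system resolver (resolv.conf)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def reachable_split(answers: Iterable[str], local_networks: Iterable[str]):
    """Split DNS answers into addresses inside a locally attached network
    (assumed reachable) and addresses outside all of them (assumed not)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    reachable, unreachable = [], []
    for answer in answers:
        addr = ipaddress.ip_address(answer)
        (reachable if any(addr in n for n in nets) else unreachable).append(answer)
    return reachable, unreachable


def preflight(peer: str, answers: Iterable[str], local_networks: Iterable[str]) -> dict:
    """Summarise whether replica installation against `peer` can succeed."""
    ok, bad = reachable_split(answers, local_networks)
    return {"peer": peer, "reachable": ok, "unreachable": bad, "install_ok": bool(ok)}


# Assumed subnets attached to ipa_b: the client LAN (eth0) and the inter-site link (eth1).
SITE_B_NETWORKS = ["192.168.1.0/24", "192.168.10.0/24"]
PEER = "ipa_a.sitea.mylab.test"

# Constructed answers: what DNS returns today, and after keeping only the eth1 address
# for the server (the single-IP layout suggested in the reply).
CURRENT = preflight(PEER, ["192.168.0.10"], SITE_B_NETWORKS)
SINGLE_IP = preflight(PEER, ["192.168.10.100"], SITE_B_NETWORKS)

if __name__ == "__main__":
    for result in (CURRENT, SINGLE_IP):
        print(result)
    # For a real host, replace the constructed answers with resolve_a_records(PEER).
```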
