hi gents,
I wonder if IPA, when set up on an "isolated" network segment, having one single point of communication with the outside, which specifically means Win AD, would establish a trust and work okay later.
A briefly sketched example...
1st IPA master, 2nd & 3rd all on 10.10.10.0/24, with pacemaker/HA floating one IP between the IPA masters on 192.168.2.0, which is where the whole Win AD is (and the rest of the intranet).
DNS is where the devil is, details. Can it be done?
I read that zone views are discouraged and I do not think IPA's DNS supports those anyway.
Can DNS be "completed" without harming IPA, in a way that an incoming trust from AD can be achieved in the above scenario?
many thanks, L.
Hi,
On Fri, Jan 25, 2019 at 2:06 PM lejeczek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> hi gents,
> I wonder if IPA, when set up on an "isolated" network segment, having one single point of communication with the outside, which specifically means Win AD, would establish a trust and work okay later.
> A briefly sketched example...
> 1st IPA master, 2nd & 3rd all on 10.10.10.0/24, with pacemaker/HA floating one IP between the IPA masters on 192.168.2.0, which is where the whole Win AD is (and the rest of the intranet).
> DNS is where the devil is, details. Can it be done?
Please read: https://www.redhat.com/archives/freeipa-users/2015-March/msg00983.html and: https://www.redhat.com/archives/freeipa-users/2015-March/msg00989.html
You could try putting two replicas on the 192.168.2.0 network and configuring them to handle the trust.
François
> I read that zone views are discouraged and I do not think IPA's DNS supports those anyway.
> Can DNS be "completed" without harming IPA, in a way that an incoming trust from AD can be achieved in the above scenario?
> many thanks, L.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Sat, Jan 26, 2019 at 11:21 AM François Cami fcami@redhat.com wrote:
> Hi,
> On Fri, Jan 25, 2019 at 2:06 PM lejeczek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> > hi gents,
> > I wonder if IPA, when set up on an "isolated" network segment, having one single point of communication with the outside, which specifically means Win AD, would establish a trust and work okay later.
> > A briefly sketched example...
> > 1st IPA master, 2nd & 3rd all on 10.10.10.0/24, with pacemaker/HA floating one IP between the IPA masters on 192.168.2.0, which is where the whole Win AD is (and the rest of the intranet).
> > DNS is where the devil is, details. Can it be done?
> Please read: https://www.redhat.com/archives/freeipa-users/2015-March/msg00983.html and: https://www.redhat.com/archives/freeipa-users/2015-March/msg00989.html
> You could try putting two replicas on the 192.168.2.0 network and configuring them to handle the trust.
Or, rather, please tell us what you are trying to achieve and we might be able to propose a way.
> > I read that zone views are discouraged and I do not think IPA's DNS supports those anyway.
> > Can DNS be "completed" without harming IPA, in a way that an incoming trust from AD can be achieved in the above scenario?
> > many thanks, L.
On 26/01/2019 15:02, François Cami wrote:
> On Sat, Jan 26, 2019 at 11:21 AM François Cami fcami@redhat.com wrote:
> > Hi,
> > On Fri, Jan 25, 2019 at 2:06 PM lejeczek via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> > > hi gents,
> > > I wonder if IPA, when set up on an "isolated" network segment, having one single point of communication with the outside, which specifically means Win AD, would establish a trust and work okay later.
> > > A briefly sketched example...
> > > 1st IPA master, 2nd & 3rd all on 10.10.10.0/24, with pacemaker/HA floating one IP between the IPA masters on 192.168.2.0, which is where the whole Win AD is (and the rest of the intranet).
> > > DNS is where the devil is, details. Can it be done?
> > Please read: https://www.redhat.com/archives/freeipa-users/2015-March/msg00983.html and: https://www.redhat.com/archives/freeipa-users/2015-March/msg00989.html
> > You could try putting two replicas on the 192.168.2.0 network and configuring them to handle the trust.
> Or, rather, please tell us what you are trying to achieve and we might be able to propose a way.
I described what I'd like to achieve in my first email.
The links to the archived discussions point to a thread about "load balancing"; it's not what I'm looking at.
I'm simply asking: if, in a multimaster setup, at any given time only one master server had access to AD's network (and since I'm specifically looking at a one-way (incoming) trust, I do not say: AD would have access to only one IPA master), would "everything" be okay and work?
It seems to work in my "lab" setup.
Why it may work just fine for me is that the "floating" IP on 192.168.2.0 would also be the ONLY one which clients (all from the AD side (also the rest of the intranet)) would need to access.
I'm not sure about DNS. If AD needs access to all IPA masters at all times, then I'd have to try to "cheat" with a DNS view-like solution, or just by crafting records in such a way that it would work for AD.
In my short testing, where we usually specifically look at user accounts, as this is what AD is for from our perspective, it seems to work. Users get "resolved" when the IP floats over to a server; on that server user accounts get updated, and this server pulls in any new "stuff" from AD, even though it was unable to communicate with AD for some time. It all seems good.
But it's all about the devil, and it hides in details, and those would be best to ask the devel about, thus asking here.
many thanks, L.
> > > I read that zone views are discouraged and I do not think IPA's DNS supports those anyway.
> > > Can DNS be "completed" without harming IPA, in a way that an incoming trust from AD can be achieved in the above scenario?
> > > many thanks, L.
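The open point in the thread is whether the DNS records the AD side sees point only at hosts it can actually reach. The following is an added example, not code from the thread or from FreeIPA: a small offline audit that takes a hand-built snapshot of the IPA zone (constructed host names under ipa.example.test., masters on 10.10.10.0/24, a floating address on 192.168.2.0/24, mirroring the layout described above) and reports, per service locator record, how many of its targets lie inside the network the trust partner can reach. The `_msdcs` SRV names are the ones an AD domain controller resolves to locate a trust partner; which targets IPA publishes for each is taken from the constructed sample, not queried from a server.

```python
"""Audit which trust-locator SRV targets a partner on a given network can reach.

Added example for the thread above; not FreeIPA code. Works on a constructed
snapshot of the zone with the standard library only, so it runs offline.
"""
import ipaddress
from collections import namedtuple

SRV = namedtuple("SRV", "name priority weight port target")

# Constructed A records (hypothetical names); three masters on the isolated
# segment plus the pacemaker floating address on the network AD can reach.
SAMPLE_A = {
    "ipa1.ipa.example.test.": ["10.10.10.1"],
    "ipa2.ipa.example.test.": ["10.10.10.2"],
    "ipa3.ipa.example.test.": ["10.10.10.3"],
    "ipa-vip.ipa.example.test.": ["192.168.2.10"],
}

# Constructed SRV records. LDAP still advertises every master (the per-master
# shape), while the Kerberos locators were pointed at the floating address.
SAMPLE_SRV = [
    SRV("_ldap._tcp.dc._msdcs.ipa.example.test.", 0, 100, 389, "ipa1.ipa.example.test."),
    SRV("_ldap._tcp.dc._msdcs.ipa.example.test.", 0, 100, 389, "ipa2.ipa.example.test."),
    SRV("_ldap._tcp.dc._msdcs.ipa.example.test.", 0, 100, 389, "ipa3.ipa.example.test."),
    SRV("_kerberos._tcp.dc._msdcs.ipa.example.test.", 0, 100, 88, "ipa-vip.ipa.example.test."),
    SRV("_kerberos._udp.dc._msdcs.ipa.example.test.", 0, 100, 88, "ipa-vip.ipa.example.test."),
]


def target_reachable(target, a_records, reachable_net):
    """True only if the target has addresses and all of them are inside reachable_net."""
    net = ipaddress.ip_network(reachable_net)
    addrs = a_records.get(target, [])
    return bool(addrs) and all(ipaddress.ip_address(a) in net for a in addrs)


def service_reachability(srv_records, a_records, reachable_net):
    """Map each SRV name to (reachable_targets, total_targets)."""
    summary = {}
    for rr in srv_records:
        ok, total = summary.get(rr.name, (0, 0))
        if target_reachable(rr.target, a_records, reachable_net):
            ok += 1
        summary[rr.name] = (ok, total + 1)
    return summary


def unreachable_targets(srv_records, a_records, reachable_net):
    """List (srv_name, target, reason) for every target the partner cannot reach."""
    net = ipaddress.ip_network(reachable_net)
    problems = []
    for rr in srv_records:
        addrs = a_records.get(rr.target, [])
        if not addrs:
            problems.append((rr.name, rr.target, "no A record"))
            continue
        bad = [a for a in addrs if ipaddress.ip_address(a) not in net]
        if bad:
            problems.append((rr.name, rr.target, "outside reachable net: " + ", ".join(bad)))
    return problems


def report(srv_records, a_records, reachable_net):
    """One status line per SRV name; PARTIAL means the partner may pick a dead target."""
    lines = []
    for name, (ok, total) in sorted(service_reachability(srv_records, a_records, reachable_net).items()):
        status = "OK" if ok == total else ("PARTIAL" if ok else "UNREACHABLE")
        lines.append(f"{status:11} {name} {ok}/{total} targets reachable")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SRV, SAMPLE_A, "192.168.2.0/24"):
        print(line)
    for name, target, reason in unreachable_targets(SAMPLE_SRV, SAMPLE_A, "192.168.2.0/24"):
        print(f"  {name} -> {target}: {reason}")
```

A PARTIAL result is the case to watch for in this design: a client picks among equal-priority SRV targets by weight, so a locator that mixes reachable and unreachable targets fails intermittently rather than consistently, which matches the "works in the lab, devil in the details" experience described above. To use it against a real zone, replace the constructed SAMPLE_A and SAMPLE_SRV with records exported from the IPA DNS zone and set reachable_net to the network the AD side actually routes to.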