Hi,
I already found a few threads with people with the similar issue but i was not able to find one pointing to the right solution. Maybe someone can give me a direction in case there is one that i overlooked:
We run a datacenter with lots of VLANs and different networks. Each network has a different (sub)domain. (I replaced our domain with tld in this thread.) The IPA servers reside in an infrastructure network: "back.inf.tld.de". The REALM is called "auth.tld.de" (and the hostnames of the IPA servers are also *.auth.tld.de). That works very well; I can connect clients from all networks with all kinds of FQDNs as long as they can reach the IP associated with that name.
But I have a few networks that cannot reach this network (intentionally), so I added a second network card to the IPA servers with a new set of hostnames -> "*.store.tld.de". I added the Kerberos config / SRV records into the zone that is managed by one of our DNS servers (not managed by IPA), so discovery works fine. The first problem was the missing SANs for the services like ldap, httpd etc. That was easy to solve by adding principal aliases and using the ipa-getcert tool to re-issue the certificates.
Now when running ipa-client-install --mkhomedir --domain=store.tld.de --realm=AUTH.TLD.DE it looks okay until it tries to communicate with the HTTP service to POST data to ipa01.store.tld.de/ipa/xml. It answers with:
<?xml version='1.0' encoding='UTF-8'?>
<methodResponse>
  <fault>
    <value><struct>
      <member>
        <name>faultCode</name>
        <value><int>911</int></value>
      </member>
      <member>
        <name>faultString</name>
        <value><string>Missing or invalid HTTP Referer, https://ipa01-ka.tld.d0m.de/ipa/xml</string></value>
      </member>
    </struct></value>
  </fault>
</methodResponse>
RPC failed at server. Missing or invalid HTTP Referer, https://ipa01-ka.tld.d0m.de/ipa/xml
I tried rewriting the request on the IPA server via mod_rewrite but failed. Has somebody managed to get this to work? This has to be a common thing to achieve, right? There are always protected networks (like those you put the SPs in) that you don't want to route into other networks.
Greetings Ju
On Wed, 05 Aug 2020 12:57:14 -0000 julian jost via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> Hi,
Hello Julian,
> I already found a few threads with people with the similar issue but i was not able to find one pointing to the right solution. Maybe someone can give me a direction in case there is one that i overlooked:
When you search for 'IPA with multiple legs: hostname resolution' in the mailing list archives, you will find some discussion and a GitHub pull request [1] which should give you some clues to get a multi-homed environment. Remember the changes might make your installation less secure. And of course it is not supported.
[cut problem with FreeIPA being single homed]
[1] https://github.com/abbra/freeipa/pull/9/files
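To illustrate the Referer check behind fault 911 quoted above, and why a multi-homed setup should add the second-leg hostname to an explicit allow-list rather than drop the check (it is FreeIPA's CSRF protection for the RPC endpoint), here is an added Python example. It is not FreeIPA's code nor the linked pull request; the hostnames, the check_referer helper and the two policy functions are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample names modelled on the thread (tld stands in for a real domain):
# the canonical server name and the alias it answers on via the second interface.
CANONICAL_HOST = "ipa01.auth.tld.de"
EXTRA_HOSTS = {"ipa01.store.tld.de"}

REFERER_FAULT = 911  # fault code seen in the thread's XML-RPC response


def check_referer(referer, allowed_hosts):
    """Return None if the Referer is acceptable, else (faultCode, faultString).

    Illustrative check, not FreeIPA's implementation: the request is rejected
    unless the Referer is an https URL whose host the server recognises and
    whose path is under /ipa. Anything else yields the 911-style fault.
    """
    if not referer:
        return (REFERER_FAULT, "Missing or invalid HTTP Referer")
    parts = urlsplit(referer)
    fault = (REFERER_FAULT, "Missing or invalid HTTP Referer, %s" % referer)
    if parts.scheme != "https" or parts.hostname is None:
        return fault
    allowed = {h.lower() for h in allowed_hosts}
    if parts.hostname.lower() not in allowed:
        return fault  # foreign origin, or a server alias that was never configured
    if not (parts.path == "/ipa" or parts.path.startswith("/ipa/")):
        return fault
    return None


def strict_policy(referer):
    """Single-homed behaviour: only the canonical hostname passes."""
    return check_referer(referer, {CANONICAL_HOST})


def multihomed_policy(referer):
    """Multi-homed behaviour: canonical name plus explicitly configured aliases."""
    return check_referer(referer, {CANONICAL_HOST} | EXTRA_HOSTS)


if __name__ == "__main__":
    # The enrolment POST from the store leg is rejected by the strict policy and
    # accepted by the allow-list policy, which still refuses unknown origins.
    req = "https://ipa01.store.tld.de/ipa/xml"
    print("strict:", strict_policy(req))
    print("multihomed:", multihomed_policy(req))
    print("foreign:", multihomed_policy("https://attacker.example/ipa/xml"))
```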
Hi Stefan,
Thank you for the information, it was exactly what I was looking for. I tried it and it worked. Host successfully enrolled.
Greetings Ju