On 2015-04-10 12:05, Petr Spacek wrote:
> On 10.4.2015 10:52, Janne Blomqvist wrote:
> > On 2015-04-07 14:29, Martin Kosek wrote:
> >> On 04/05/2015 08:03 PM, Dmitri Pal wrote:
> >>> On 04/05/2015 12:51 PM, Janelle wrote:
> >>>> Hello,
> >>>>
> > >>>> Trying to find a way on a multi-homed server to force IPA and its related
> > >>>> apps to listen on a specific interface. I can find all kinds of info saying
> > >>>> "the services listen on all interfaces by default" so there must be a way?
> >>>>
> >>>> Thank you
> >>>> ~J
> >>>>
> >>> Sounds familiar.
> >>> I think there is a ticket open for that.
> >>
> >> This is the RFE:
> >>
> >> https://fedorahosted.org/freeipa/ticket/3338
> >>
> >> Just in case anybody would like to help us extend FreeIPA installers :-)
> >>
> >
> > Hi,
> >
> > I have a related, or opposite really, problem.
> >
> > So I have configured IPA for a domain (say, ipa.example.org). Then I have a
> > bunch of client machines that can join the domain etc. Fine so far.
> >
> > However, I also have another bunch of client machines on an internal network
> > (with NAT access to the outside world). So for these I add another network
> > interface on the ipa servers. So my ipa servers have two IPs and DNS names,
> > say, ipa1.ipa.example.org (some public IP) and ipa1.local (10.x.x.x IP). Now
> > it doesn't work so well anymore for these clients, because the krb principals
> > for the IPA server(s) are bound to the public name, so joining the domain
> > fails (ipa1.local != ipa1.ipa.example.org). I can sort of make it work by
> > joining via the public interface (manually creating the machine accounts on
> > the ipa server first, since otherwise it doesn't understand clientX.local DNS
> > names/IPs), but then obviously all communication goes via the NAT box which
> > is a SPOF.
> >
> > So is there some reasonable way to make the above work?
>
> IMHO cleanest solution is to properly configure routing in your network to
> route your public IP range properly to the respective subnet instead of going
> through a NAT.
>
> Details depend on your network so I do not have exact steps for you, sorry.
>
Thanks. So do you mean something like on each client machine in the NATed 
network I add special routes to the ipa servers? And by that the client 
machines would know that ipa1.ipa.example.org can be reached via ipa1.local 
instead of going via the default route (which is the NAT box)?


-- 
Janne Blomqvist, D.Sc. (Tech.), Scientific Computing Specialist
Aalto University School of Science, PHYS & NBE
+358503841576 || janne.blomqv...@aalto.fi

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
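The per-client host route Janne asks about, as an added example from the editor (not from anyone in the thread and not part of FreeIPA). The idea is that the client keeps resolving ipa1.ipa.example.org to its public address, so the Kerberos principal and certificates still match, but a /32 route sends packets for that one address to ipa1's internal 10.x address over the internal interface instead of via the default route through the NAT box; the reply comes straight back because the server also has an address on the internal subnet. All addresses and the interface name are assumptions (203.0.113.10 is the documentation range standing in for the public IP, 10.0.0.5 for ipa1's internal IP, eth1 for the client's internal interface), and it assumes the server is a Linux host, which by default accepts traffic for any of its own addresses on any interface.

```bash
#!/bin/sh
# Added example, not from the thread: on an internal (NATed) client, add a host
# route so ipa1.ipa.example.org's public IP is reached over the internal subnet.
#
# Assumed values (override via environment):
#   IPA_PUBLIC    public IP that ipa1.ipa.example.org resolves to
#   IPA_INTERNAL  ipa1's address on the internal 10.x subnet
#   INTERNAL_IF   this client's interface on that subnet
IPA_PUBLIC=${IPA_PUBLIC:-203.0.113.10}
IPA_INTERNAL=${IPA_INTERNAL:-10.0.0.5}
INTERNAL_IF=${INTERNAL_IF:-eth1}

# Build the command without running it. A /32 is the most specific prefix
# possible, so longest-prefix match prefers it over the default route for
# exactly this destination and nothing else.
route_cmd() {
    printf 'ip route add %s/32 via %s dev %s\n' "$1" "$2" "$3"
}

# Add the route (needs root). Idempotent: a second run does nothing if the
# same next hop is already installed.
apply_route() {
    if ip route show "$1/32" 2>/dev/null | grep -q "via $2 "; then
        echo "host route for $1 via $2 already present"
        return 0
    fi
    ip route add "$1/32" via "$2" dev "$3"
}

# Ask the kernel which path it would actually use for the public address and
# confirm it is the internal next hop, not the default gateway.
check_route() {
    ip route get "$1" 2>/dev/null | grep -q "via $2 dev $3"
}

# Usage: sh ipa-host-route.sh show    # print the command only
#        sh ipa-host-route.sh apply   # install the route as root and verify it
case "${1:-}" in
    show)  route_cmd "$IPA_PUBLIC" "$IPA_INTERNAL" "$INTERNAL_IF" ;;
    apply) apply_route "$IPA_PUBLIC" "$IPA_INTERNAL" "$INTERNAL_IF" &&
           check_route "$IPA_PUBLIC" "$IPA_INTERNAL" "$INTERNAL_IF" &&
           echo "traffic for $IPA_PUBLIC now leaves via $INTERNAL_IF" ;;
esac
```

The route added this way is lost on reboot; on RHEL/Fedora-family clients the same line ("203.0.113.10/32 via 10.0.0.5 dev eth1") can be placed in /etc/sysconfig/network-scripts/route-eth1 to make it persistent, and one such route is needed per IPA server. This only fixes the path; the internal clients must still be able to resolve the ipa.example.org names, which is a separate DNS question not covered here.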