Hello, I am using CentOS 7.3 and FreeIPA 4.4.
I have one FreeIPA server and several FreeIPA clients. SSH SSO has been working fine (via Kerberos). Call the network they reside on 192.168.1.0/24 (the "primary" network).

I recently added a second NIC to each of the clients. Thus, all clients share a presence on a secondary, private network. The server does not have a presence on this network. Call this network 192.168.2.0/24 (the "secondary" network).

Since each client has two IP addresses, it has two hostnames configured in DNS. Call these the "primary" (corresponding to the client's address in 192.168.1.0/24) and "secondary" (corresponding to the client's address in 192.168.2.0/24) hostnames. Of course, reverse (PTR) records are also set up to map the IP addresses back to the corresponding hostnames. Hostnames and IP addresses are as follows:

    server.example.com: 192.168.1.1
    client-1.example.com (primary): 192.168.1.2
    client-1-eth1.example.com (secondary): 192.168.2.2
    client-2.example.com (primary): 192.168.1.3
    client-2-eth1.example.com (secondary): 192.168.2.3

I configured the server as follows:

    ipa-server-install \
      -r EXAMPLE.COM \
      -n example.com \
      --mkhomedir \
      --hostname=server.example.com \
      --ip-address=192.168.1.1 \
      --ssh-trust-dns \
      --setup-dns \
      --auto-forwarders \
      --forward-policy=only \
      --auto-reverse \
      --dirsrv-cert-file=<path to server SSL certificate> \
      --http-cert-file=<path to server SSL certificate> \
      --no-dnssec-validation

--auto-reverse did not appear to work, so I manually added the DNS PTR record:

    192.168.1.1 --> server.example.com

I configured the clients as follows:

    ipa-client-install \
      --force-ntpd \
      -p admin \
      -W \
      --mkhomedir \
      --no-nisdomain \
      --ssh-trust-dns

Again, I had to manually add DNS PTR records:

    192.168.1.2 --> client-1.example.com
    192.168.1.3 --> client-2.example.com

At this point I can SSH between the server and clients just fine without being prompted to accept an SSH host key and without being prompted for my password.

SSH SSO via Kerberos is working fine on the primary network. Now I need to get SSH SSO working on the secondary network. To accomplish this, I did the following:

On client-1:

    ipa-join -h client-1-eth1.example.com

On client-2:

    ipa-join -h client-2-eth1.example.com

This caused forward DNS records (i.e. A records) to be created, but once again, reverse records were not created, so I manually added the following PTR records to DNS:

    192.168.2.2 --> client-1-eth1.example.com
    192.168.2.3 --> client-2-eth1.example.com

At this point, I am now prompted to accept a host key, so SSO is not yet working on the secondary network. If I go ahead and accept the host key, I am *not*, however, prompted for my password. So, the user authentication part of SSO is working on the secondary network, but the host authentication part of SSO is *not* working on the secondary network.

I have observed the following in the FreeIPA web interface:

1. Under Identity --> Hosts, client-1-eth1.example.com and client-2-eth1.example.com exist.

2. client-1-eth1.example.com and client-2-eth1.example.com do not have any SSH host keys associated with them.

3. Under Network Services --> DNS --> DNS Zones --> example.com, client-1-eth1.example.com and client-2-eth1.example.com have no SSHFP records.

4. If I manually add SSH host keys under Identity --> Hosts for the clients but do *not* manually add corresponding SSHFP records to DNS, I *can* SSH to a client's secondary interface without being prompted to accept an SSH host key (i.e. SSO *does* work on the secondary interface).

5. If I manually add SSHFP records to DNS for the clients but do *not* add the corresponding SSH host keys under Identity --> Hosts, I *cannot* SSH to a client's secondary interface without being prompted to accept an SSH host key (i.e. SSO *does not* work on the secondary interface).

What must I do to get the client's secondary hostnames properly enrolled in FreeIPA so that SSH SSO works when using those secondary hostnames?
Thanks,
Dave

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/KU4LCVKEIHJCETPBUS3Y5M7FZCJ7YK6J/
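As an added example that is not part of Dave's post or of FreeIPA's own tooling, the script below assumes the secondary host entry (client-1-eth1.example.com) should carry the same host keys that sshd on the client already serves. It computes the SSHFP record a given host key should produce, so the DNS side can be checked, and prints the `ipa host-mod --sshpubkey ... --updatedns` command that attaches the client's keys to that entry; the key file paths and the sample key are assumed or constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the secondary host
# entry should carry the host keys sshd already uses on the client.
set -eu

# Map an OpenSSH public-key type to the SSHFP algorithm number
# (1 = RSA, 2 = DSA, 3 = ECDSA, 4 = Ed25519).
sshfp_algorithm() {
  case "$1" in
    ssh-rsa) echo 1 ;;
    ssh-dss) echo 2 ;;
    ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) echo 3 ;;
    ssh-ed25519) echo 4 ;;
    *) echo "unsupported key type: $1" >&2; return 1 ;;
  esac
}

# Emit the SSHFP RR (SHA-256 fingerprint, fingerprint type 2) for one
# public-key line: what DNS should serve once the key is on the host entry.
# Usage: sshfp_record <owner-name> "<type> <base64> [comment]"
sshfp_record() {
  owner=$1
  set -- $2
  alg=$(sshfp_algorithm "$1")
  fp=$(printf '%s' "$2" | base64 -d | sha256sum | cut -d' ' -f1)
  printf '%s. IN SSHFP %s 2 %s\n' "$owner" "$alg" "$fp"
}

# Print (do not run) the ipa command that attaches every given host key
# to the host entry and lets IPA regenerate its SSHFP records (--updatedns).
# Usage: ipa_sshpubkey_cmd <host-entry> <pubkey-file>...
ipa_sshpubkey_cmd() {
  host=$1; shift
  cmd="ipa host-mod $host --updatedns"
  for keyfile in "$@"; do
    key=$(awk '{print $1" "$2}' "$keyfile")   # drop the comment field
    cmd="$cmd --sshpubkey='$key'"
  done
  echo "$cmd"
}

# Constructed sample key (valid base64, not a real host key) for a dry run.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGV4YW1wbGUtbm90LWEtcmVhbC1rZXktMTIzNDU2 root@client-1'

if [ "${1:-}" = "--demo" ]; then
  sshfp_record client-1-eth1.example.com "$SAMPLE_KEY"
  ipa_sshpubkey_cmd client-1-eth1.example.com /etc/ssh/ssh_host_*_key.pub
fi
```

After running the printed command on the enrolled client, `dig +short SSHFP client-1-eth1.example.com` should match what `ssh-keygen -r client-1-eth1.example.com -f /etc/ssh/ssh_host_ed25519_key.pub` prints, and `ssh -o VerifyHostKeyDNS=yes client-1-eth1.example.com` should no longer prompt for the host key.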