Dear all,

TL;DR: We have an IPA setup consisting of four replicas (2 CA, 2 non-CA) without any of the DNS records that `ipa dns-update-system-records` suggests, and we share our DNS domain with AD. Will we have any issues, assuming that we are not using Kerberos automatic discovery, the krb, sssd and ipa configuration files have the servers explicitly configured, and we are not using a trust to Active Directory?
I have inherited a 10-year-old FreeIPA setup with four replicas, which is in a non-supported configuration according to RedHat support, but has always worked fine for us. I would like to know if we can keep it running like it is, or if we will face issues in the future and, if yes, which ones.

We are a small sub-group in a bigger organization managing our own Linux VMs. We manage SSH login with sssd and LDAP logins to web services with FreeIPA. Our parent organization runs Active Directory and the DNS servers on the same domain that we have configured in FreeIPA. We do not have any trust relationship with the Active Directory and won't ever be allowed to have it, either.

We do not want any auto-discovery to happen, to make sure other people's machines don't accidentally try to contact or enroll with our infrastructure. Therefore, we have no DNS records at all anywhere pointing to our IPA servers and instead always configure this explicitly in the client and server install and in the ipa, sssd and krb configuration files.

We are in the process of migrating to RHEL 8, and the new ipa-healthcheck complains on various levels about the missing DNS records (error for ipa-ca, warning for the rest). RedHat support insisted that we need to migrate our setup to a different domain and create the DNS records. However, migration would be a huge challenge, because there is no procedure to migrate all data in IPA (we have quite extensive HBAC rules), and the DNS records we don't want to create, to prevent auto-discovery, and also wouldn't be allowed to by the parent organization.

I would appreciate it if someone could tell me the actual issues that we could encounter running this setup with multiple (2 CA, 2 non-CA) replicas. I'm mostly concerned about complications with replication or certificates (renewal).

Best regards,
Sarah
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
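The post above relies on every client being pinned to explicit IPA servers with Kerberos and SSSD DNS discovery switched off. The following script, an added example that is not part of the original post or of FreeIPA itself, checks that invariant on sample `krb5.conf` and `sssd.conf` fragments; the realm, hostnames and temp-file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: check that an IPA client is pinned to
# explicit servers with Kerberos and SSSD DNS discovery disabled, the invariant the
# setup above relies on. Hostnames, realm and paths below are constructed samples.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
# Constructed krb5.conf: realm and KDC lookups via DNS both explicitly off.
cat > "$TMPD/krb5.conf" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = false
EOF
# Constructed sssd.conf domain sections: one pinned, one relying on SRV discovery.
cat > "$TMPD/sssd.conf" <<'EOF'
[domain/example.test]
id_provider = ipa
ipa_server = ipa1.example.test, ipa2.example.test
EOF
cat > "$TMPD/sssd-discovery.conf" <<'EOF'
[domain/example.test]
id_provider = ipa
ipa_server = _srv_, ipa1.example.test
EOF

# Print the last value assigned to key $2 in INI-style file $1, trimmed and lower-cased.
ini_value() {
  awk -F= -v k="$2" '{ gsub(/^[ \t]+|[ \t]+$/, "", $1) }
    tolower($1) == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print tolower(v) }' "$1" |
    tail -n 1
}

# Succeeds only if both DNS lookups are explicitly "false" (dns_lookup_kdc defaults to true in MIT).
krb5_discovery_disabled() {
  [ "$(ini_value "$1" dns_lookup_kdc)" = "false" ] &&
    [ "$(ini_value "$1" dns_lookup_realm)" = "false" ]
}

# Succeeds only if ipa_server names at least one host and carries no _srv_ token.
sssd_servers_pinned() {
  servers=$(ini_value "$1" ipa_server)
  case "$servers" in *_srv_* | "") return 1 ;; esac
}

krb5_discovery_disabled "$TMPD/krb5.conf" && echo "krb5.conf: DNS discovery disabled"
for f in sssd.conf sssd-discovery.conf; do
  if sssd_servers_pinned "$TMPD/$f"; then echo "$f: servers pinned"
  else echo "$f: relies on SRV discovery"; fi
done
```

Pointing the two functions at a real `/etc/krb5.conf` and `/etc/sssd/sssd.conf` gives a quick audit of whether a host would fall back to DNS discovery if someone ever did publish the SRV records.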