FreeIPA access from internet if dc=domain,dc=local (freeipa.domain.local)
Your domain has a serious and unrecoverable mistake: You used a nonexistent domain name ending in .local as the domain name. You should never use .local for domain names, and the reasons for this (and the best practices) are much the same as they are for Active Directory.
From FreeIPA Deployment Recommendations:
We strongly recommend that you do not use a domain name that is not delegated to you, even on a private network. For example, you should not use domain name company.int if you don't have valid delegation for it in public DNS tree.
If this rule is not respected, the domain name will be resolved differently depending on the network configuration. As a result, network resources will become unavailable. Using domain names that are not delegated to you also makes DNSSEC more difficult to deploy and maintain.
For further information about this issue please see the ICANN FAQ on domain name collisions.
However, unlike Active Directory, it is not possible to rename a FreeIPA domain.
It is not possible to change FreeIPA primary domain and realm after installation. Plan carefully. Do not expect move from lab/staging environment to production environment (e.g. change lab.example.com to prod.example.com).
At this point, your recovery procedure will look something like this:
- Unjoin all hosts from the domain with ipa-client-install --uninstall.
- Destroy the FreeIPA domain controllers.
- Reinstall the FreeIPA domain controllers, using a correctly chosen domain name.
- Rejoin all hosts to the new domain.
There will definitely be more steps to this if you've created domain services such as kerberized NFS, HTTP, etc. You'll have to set all of these up again on the new domain.
Once you've correctly set up the FreeIPA domain, using a subdomain of your existing domain name, you can set up NS records in that domain so that the subdomain's DNS is reachable from the Internet. After that it's just opening the relevant firewall ports for the services you want to be accessible on the Internet...
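As an added example (not part of the answer above, and not tooling from the FreeIPA project), here is a pre-flight shell script for the rebuild: it rejects a domain such as freeipa.domain.local before any reinstall starts, optionally checks that the parent zone actually publishes NS records for the new subdomain, and prints the uninstall/reinstall sequence for the chosen name. The domain ipa.example.com is a constructed placeholder; the ipa-server-install and ipa-client-install flags shown are the standard ones.

```shell
#!/usr/bin/env bash
# Pre-flight checks for choosing a FreeIPA domain name before (re)installation.
# Added example, not from the original answer or the FreeIPA project.
# Assumption: the new domain is a subdomain of a zone you control
# (ipa.example.com below is a constructed placeholder).

# Suffixes that must never be an IPA domain: special-use names from
# RFC 6762 (.local), RFC 6761 (.localhost .test .example .invalid),
# RFC 7686 (.onion), RFC 8375 (.home.arpa), plus ICANN's collision-blocked
# and private-use reservations (.corp .home .mail .internal).
BAD_SUFFIXES="local localhost test example invalid onion home.arpa corp home mail internal"

# Returns 0 if the name is syntactically a valid multi-label FQDN and does not
# end in a known non-delegated suffix; prints the reason otherwise.
ipa_domain_check() {
  domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$domain" in
    *.*) ;;
    *) echo "reject: '$domain' is a single label; IPA needs at least two labels"; return 1 ;;
  esac
  # Each label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
  if ! printf '%s\n' "$domain" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'; then
    echo "reject: '$domain' is not a valid hostname"
    return 1
  fi
  for s in $BAD_SUFFIXES; do
    case "$domain" in
      *."$s")
        echo "reject: '$domain' ends in .$s, which is not delegated to you in the public DNS tree"
        return 1 ;;
    esac
  done
  echo "ok: '$domain' passes the naming checks (still verify public NS delegation)"
  return 0
}

# Returns 0 only if dig is installed and the parent zone publishes NS records
# for the domain; 2 when dig is unavailable (offline / minimal host).
ipa_delegation_check() {
  command -v dig >/dev/null 2>&1 || { echo "skip: dig not installed"; return 2; }
  ns=$(dig +short NS "$1" 2>/dev/null)
  if [ -n "$ns" ]; then
    echo "delegated: $(printf '%s' "$ns" | tr '\n' ' ')"
    return 0
  fi
  echo "warn: no NS records for $1; add the delegation in the parent zone before exposing it"
  return 1
}

# Prints the rebuild sequence from the answer for the chosen domain.
# Realm is conventionally the domain in upper case.
print_recovery_plan() {
  domain=$1
  realm=$(printf '%s' "$domain" | tr 'a-z' 'A-Z')
  cat <<EOF
# 1. On every enrolled client of the OLD domain:
ipa-client-install --uninstall
# 2. On every OLD domain controller (destroys the old domain):
ipa-server-install --uninstall
# 3. On the first NEW domain controller:
ipa-server-install --domain $domain --realm $realm --setup-dns
# 4. On every client, rejoin the NEW domain:
ipa-client-install --domain $domain --realm $realm --mkhomedir
EOF
}

# Usage: ./ipa-preflight.sh ipa.example.com
if [ $# -gt 0 ]; then
  ipa_domain_check "$1" || exit 1
  ipa_delegation_check "$1"   # advisory only; result 2 means it could not be checked
  print_recovery_plan "$1"
fi
```

Run it with the intended new name before touching any controller; a non-zero exit from ipa_domain_check means the name would recreate the .local problem (or a comparable one) and the rebuild should not proceed.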