Hello. I just installed a replica (ipa2.dom.loc); it seems to work fine.
But how will enrolled clients know about this replica if the primary server is down? And how do I make ipa2.dom.loc work as the primary server?
Hi, the difference between a server and a replica is the CRL generation role. If you want to promote another server in the topology to be a CRL master, you can look at https://www.freeipa.org/page/V4/Promotion_to_CRL_generation_master. For the other part, I found this: https://serverfault.com/questions/751815/how-does-ipa-client-know-when-ipa-f...
On Mon, May 6, 2024 at 12:27 PM Dmitry Krasov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hello. I just installed a replica (ipa2.dom.loc); it seems to work fine.
But how will enrolled clients know about this replica if the primary server is down? And how do I make ipa2.dom.loc work as the primary server?
Hi,
On Mon, May 6, 2024 at 8:57 AM Dmitry Krasov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hello. I just installed a replica (ipa2.dom.loc); it seems to work fine.
But how will enrolled clients know about this replica if the primary server is down?
If you installed the clients using DNS Autodiscovery i.e. without the --server option (please refer to ipa-client-install(1) man page, especially the sections *DNS Autodiscovery* and *The Failover Mechanism*), then the failover should happen automatically. When the client's SSSD configuration file (/etc/sssd/sssd.conf) contains the _srv_ keyword in the ipa_server parameter, it means that SSSD uses service discovery through DNS to find an active server. More information in sssd-ipa(5) man page, in the *Failover* and *Service Discovery* sections.
Hope this clarifies, flo
And how to make ipa2.dom.loc to work as primary server?
My enroll command:
sudo ipa-client-install --fixed-primary --enable-dns-updates --server ipa.dom.loc --domain dom.loc --mkhomedir --force-join -p admin -w password -U
---- client sssd.conf:
[domain/dom.loc]
id_provider = ipa
ipa_server = ipa.dom.loc
ipa_domain = dom.loc
ipa_hostname = desktoppc.dom.loc
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = ens18
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo
domains = dom.loc
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[session_recording]
---------------
So, failover should be fine?
Dmitry Krasov via FreeIPA-users wrote:
So, failover should be fine?
No. --fixed-primary configures SSSD to only use a specific IPA server.
For failover you either need multiple servers (there is no option for this) or don't use --fixed-primary, in which case SSSD will be configured with _srv_ so that it can find other IPA servers in DNS.
rob
If I change the line in sssd.conf to "ipa_server = ipa_server = _srv_, ipa.dom.loc" on existing enrolled clients, will they work fine with failover?
Dmitry Krasov via FreeIPA-users wrote:
If I change the line in sssd.conf to "ipa_server = ipa_server = _srv_, ipa.dom.loc" on existing enrolled clients, will they work fine with failover?
You duplicated ipa_server = but otherwise yes.
You can have the _srv_ last if you want to point to a specific server as primary.
rob
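An added example, not code from the thread's participants or from the FreeIPA/SSSD projects, that puts flo's point about _srv_ in ipa_server and Rob's two corrections (the duplicated "ipa_server =", and putting the preferred server first with _srv_ last) into an auditable form. It reads the ipa_server value from the [domain/...] section of an sssd.conf, reports whether DNS SRV failover is possible, and writes a rewritten copy with "<primary>, _srv_". The sample configuration and host names below are constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example (not FreeIPA/SSSD project code): audit and fix the ipa_server
# line so a client keeps its preferred server but can fail over via DNS SRV
# discovery (_srv_). Assumes the [domain/...] layout shown in the thread.

# Print the raw value of ipa_server from the first [domain/...] section of $1.
sssd_ipa_server_value() {
    awk '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
        in_domain && /^[[:space:]]*ipa_server[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }
    ' "$1"
}

# Exit status: 0 = _srv_ present (DNS failover possible)
#              1 = fixed server list only (what --fixed-primary produces)
#              2 = malformed value, e.g. "ipa_server = ipa_server = _srv_, ..."
sssd_has_srv_failover() {
    value=$(sssd_ipa_server_value "$1" | tr -d ' ')
    case "$value" in
        *=*) return 2 ;;
    esac
    case ",$value," in
        *,_srv_,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a copy of $1 to $2 with ipa_server set to "<primary>, _srv_": the
# explicit server stays preferred and _srv_ adds the others via DNS. Stray
# "ipa_server=" tokens and existing _srv_ entries are dropped first, so the
# rewrite is idempotent and repairs the duplicated-key mistake.
sssd_enable_srv_failover() {
    primary=$(sssd_ipa_server_value "$1" | tr -d ' ' | sed 's/ipa_server=//g' \
              | tr ',' '\n' | grep -v '^_srv_$' | head -n 1)
    if [ -n "$primary" ]; then
        new="$primary, _srv_"
    else
        new="_srv_"
    fi
    awk -v new="$new" '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
        in_domain && /^[[:space:]]*ipa_server[[:space:]]*=/ {
            print "ipa_server = " new; next
        }
        { print }
    ' "$1" > "$2"
}

# Constructed sample: the fixed-primary client from the thread, trimmed.
sample_fixed_primary_conf() {
    cat <<'EOF'
[domain/dom.loc]
id_provider = ipa
ipa_server = ipa.dom.loc
ipa_domain = dom.loc
ipa_hostname = desktoppc.dom.loc
[sssd]
services = nss, pam, ssh, sudo
domains = dom.loc
EOF
}

# Demonstration on a temp copy; on a real client point it at /etc/sssd/sssd.conf.
demo_dir=$(mktemp -d)
sample_fixed_primary_conf > "$demo_dir/sssd.conf"
if sssd_has_srv_failover "$demo_dir/sssd.conf"; then
    echo "before: DNS failover possible"
else
    echo "before: fixed server list only"
fi
sssd_enable_srv_failover "$demo_dir/sssd.conf" "$demo_dir/sssd.conf.new"
echo "after:  $(grep '^ipa_server' "$demo_dir/sssd.conf.new")"
```

On a real client, copy the rewritten file back over /etc/sssd/sssd.conf keeping root ownership and mode 0600 (SSSD refuses a world-readable config), restart sssd, and check which server it picked with `sssctl domain-status dom.loc` (sssd-tools package). _srv_ only helps if the replica is actually published in DNS: `dig +short SRV _ldap._tcp.dom.loc` should list ipa2.dom.loc alongside ipa.dom.loc, otherwise discovery finds the same single server the client already had.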