Hello,
I have two datacenters. One is self hosted so all the docs are working just
fine. The second one is AWS.
I've managed to setup replica between "static" DC , "DC1", and AWS "cloud"
DC with all its problems.
There are still issues to solve within AWS.
But "static" which has Bind name servers is not working properly.
Client hosts are using my external DNSs, with proper zone delegation to IPA.
And are slaves of zone delegated to FreeIPA - so they do receive all
updates from IPA.
Default TTL lowered to 5min.
Configured IPA locations.
During install ipa-client-install in "DC1" chooses wrong IPA server, one
dedicated for AWS.
And because of our security policies clients are not allowed to communicate
with AWS IPA - so installation completely fails.
At some point randomly of course it chooses correct IPA server.
dig on every host in network shows correct priorities and weights.
Below I will paste related configs outputs:
; auth.tld zone delegation
> auth.tld. IN NS ipa.auth.tld.
> auth.tld. IN NS dns1.tld.
> ipa.auth.tld. IN A 10.200.10.9
> ipa-aws.auth.tld. IN A 10.70.83.86
on client host, and every other dig looks like:
> # dig +short _ldap._tcp.auth.tld SRV
> _ldap._tcp.dc1._locations.auth.tld.
> 0 100 389 ipa.auth.tld.
> 50 100 389 ipa-aws.auth.tld.
or putting servers on different positions but still with correct priorities:
> dig +short _ldap._tcp.auth.tld SRV
> _ldap._tcp.dc1._locations.auth.tld.
> 50 100 389 ipa-aws.auth.tld.
> 0 100 389 ipa.auth.tld.
[root@client-001 ~]# /usr/sbin/ipa-client-install --domain='auth.tld'
> --principal='hostreg' --password='xxxxxxx' --mkhomedir --no-sshd --no-ntp
> Discovery was successful!
> Client hostname: client-001.dmz.dc1.tld
> Realm: AUTH.tld
> DNS Domain: auth.tld
> IPA Server: ipa-aws.auth.tld
> BaseDN: dc=auth,dc=tld
> Continue to configure the system with these values? [no]: no
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
I don't understand, why if dig shows correct priorities information,
ipa-client-install is choosing wrong server.
Looks like ipa-client install not treating priorities and is choosing first
ipa server from dig list.
Can't find out what I'm missing