Dmitry Krasov via FreeIPA-users wrote:
My enroll command:
sudo ipa-client-install --fixed-primary --enable-dns-updates --server ipa.dom.loc --domain dom.loc --mkhomedir --force-join -p admin -w password -U
----client sssd.conf:
[domain/dom.loc]
id_provider = ipa
ipa_server = ipa.dom.loc
ipa_domain = dom.loc
ipa_hostname = desktoppc.dom.loc
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = ens18
krb5_store_password_if_offline = True
[sssd]
services = nss, pam, ssh, sudo
domains = dom.loc
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[session_recording]
---------------
So, failover should be fine?

No. --fixed-primary configures SSSD to only use a specific IPA server.
For failover you either need multiple servers (there is no option for
this) or don't use fixed-primary and SSSD will be configured with _srv_
so that it can find other IPA servers in DNS.
rob
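
An added example, not part of the original thread or of FreeIPA/SSSD: a small check that reads an sssd.conf and reports, for each configured domain, whether ipa_server is pinned to one host (the --fixed-primary result shown above) or includes _srv_ for DNS discovery. The function name and status labels are assumptions made for this illustration, and both sample configs are constructed from the lines in the post.

```python
import configparser

# Constructed sample: the relevant lines of the client sssd.conf from the post.
FIXED_PRIMARY = """\
[domain/dom.loc]
id_provider = ipa
ipa_server = ipa.dom.loc
ipa_domain = dom.loc
[sssd]
services = nss, pam, ssh, sudo
domains = dom.loc
[pam]
"""

# Constructed sample: the same client with _srv_ listed ahead of the named server.
WITH_SRV = FIXED_PRIMARY.replace(
    "ipa_server = ipa.dom.loc", "ipa_server = _srv_, ipa.dom.loc"
)


def failover_posture(conf_text):
    """Return {domain: (status, servers)} for every domain listed in [sssd]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    listed = cp.get("sssd", "domains", fallback="")
    report = {}
    for dom in (d.strip() for d in listed.split(",") if d.strip()):
        section = f"domain/{dom}"
        if not cp.has_section(section):
            report[dom] = ("missing-section", [])
            continue
        raw = cp.get(section, "ipa_server", fallback="")
        servers = [s.strip() for s in raw.split(",") if s.strip()]
        if "_srv_" in servers:
            status = "dns-discovery"   # other IPA servers can be found in DNS
        elif len(servers) > 1:
            status = "static-list"     # several servers named explicitly
        elif len(servers) == 1:
            status = "single-server"   # pinned to one host, no failover target
        else:
            status = "unset"           # ipa_server not present in this section
        report[dom] = (status, servers)
    return report


if __name__ == "__main__":
    for name, text in (("fixed-primary", FIXED_PRIMARY), ("with _srv_", WITH_SRV)):
        print(name, failover_posture(text))
```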