Alexander,
Thanks for responding.
Seeing that mailing list post with multiple IPA servers configured
while ipa_server_mode was configured as true made me question our
set-up.
John DeSantis
On Wed, 14 Apr 2021 at 00:42 Alexander Bokovoy
<abokovoy(a)redhat.com> wrote:
>
> On Tue, 13 Apr 2021, John Desantis via FreeIPA-users wrote:
> >Hello all!
> >
> >I've just perused the list and seem to have found a single entry where
> >an IPA master/replica is configured with the following items:
> >
> >1.) ipa_server_mode = true
> >2.) ipa_server = master, replica1, replica2
> >
> >Is it recommended to have all IPA servers listed in the server's
> >sssd.conf? For example:
> >
> ># master
> >ipa_server = master.domain, replica.domain
> >ipa_server_mode = true
> >
> ># replica
> >ipa_server = replica.domain, master.domain
> >ipa_server_mode = true
> >
> >The idea is that `sssctl domain-status` would return all possible IPA
> >servers on the server itself, vs. just itself.
>
> IPA servers should only have themselves in the 'ipa_server' option when
> 'ipa_server_mode = true'. It should either work or fail as a whole unit
> as a domain controller.
>
> This is documented in sssd-ipa(5) manual page:
>
> ipa_server_mode (boolean)
> This option will be set by the IPA installer
> (ipa-server-install) automatically and denotes if SSSD is
> running on an IPA server or not.
>
> On an IPA server SSSD will lookup users and groups from
> trusted domains directly while on a client it will ask an IPA
> server.
>
> NOTE: There are currently some assumptions that must be met
> when SSSD is running on an IPA server.
>
> • The “ipa_server” option must be configured to point to
> the IPA server itself. This is already the default set by the
> IPA installer, so no manual change is required.
>
> • The “full_name_format” option must not be tweaked to only
> print short names for users from trusted domains.
>
> Default: false
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
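The invariant from sssd-ipa(5) quoted above (on an IPA server, ipa_server_mode = true implies ipa_server names only the server itself) is easy to check mechanically. The script below is an added example written for this thread, not code from SSSD or FreeIPA; it parses an sssd.conf-style text with Python's configparser, flags every ipa domain section that has ipa_server_mode = true while ipa_server lists anything other than the host's own name, and can emit a corrected copy. The sample configuration is constructed from the "# master" snippet in the question. It assumes that the host's own name is the section's ipa_hostname (which ipa-server-install writes), falling back to a caller-supplied FQDN or socket.getfqdn(); a `_srv_` entry is also reported, since it is not the host itself.

```python
"""Check sssd.conf for the ipa_server_mode assumption documented in sssd-ipa(5).

Added example for the FreeIPA-users thread; not SSSD or FreeIPA project code.
"""
import configparser
import io
import socket

# Constructed sample (the "# master" configuration from the question, with the
# surrounding sections an IPA server's sssd.conf would carry).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = domain
services = nss, pam, ssh, sudo
config_file_version = 2

[domain/domain]
id_provider = ipa
ipa_domain = domain
ipa_hostname = master.domain
ipa_server = master.domain, replica.domain
ipa_server_mode = true
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; interpolation is disabled because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _as_bool(value):
    return value.strip().lower() in ("true", "yes", "1")


def _self_name(section, local_fqdn=None):
    # Assumption: ipa_hostname (set by ipa-server-install) is the authoritative
    # name of this host; otherwise use the caller's FQDN or the system's.
    return section.get("ipa_hostname", "").strip() or local_fqdn or socket.getfqdn()


def _server_list(section):
    return [s.strip() for s in section.get("ipa_server", "").split(",") if s.strip()]


def check_ipa_server_mode(text, local_fqdn=None):
    """Return a list of (section, problem) tuples; empty means the invariant holds."""
    cp = parse_sssd_conf(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if not name.startswith("domain/") or sec.get("id_provider", "").strip() != "ipa":
            continue
        if not _as_bool(sec.get("ipa_server_mode", "false")):
            continue  # clients may legitimately list several servers
        self_name = _self_name(sec, local_fqdn)
        servers = _server_list(sec)
        if not servers:
            findings.append((name, "ipa_server_mode = true but ipa_server is empty"))
            continue
        # '_srv_' is flagged too: it resolves via DNS SRV records, not to this host.
        extra = [s for s in servers if s.lower() != self_name.lower()]
        if extra:
            findings.append((name, "ipa_server_mode = true but ipa_server also lists "
                                   f"{', '.join(extra)}; expected only {self_name}"))
    return findings


def corrected_conf(text, local_fqdn=None):
    """Return the configuration with ipa_server pointing only at the host itself
    for every server-mode ipa domain (other sections are left unchanged)."""
    cp = parse_sssd_conf(text)
    for name in cp.sections():
        sec = cp[name]
        if (name.startswith("domain/") and sec.get("id_provider", "").strip() == "ipa"
                and _as_bool(sec.get("ipa_server_mode", "false"))):
            sec["ipa_server"] = _self_name(sec, local_fqdn)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, problem in check_ipa_server_mode(SAMPLE_SSSD_CONF):
        print(f"[{section}] {problem}")
    print(corrected_conf(SAMPLE_SSSD_CONF))
```

To run it against a live server, read /etc/sssd/sssd.conf (root only, mode 0600) into `check_ipa_server_mode`; the corrected output is meant for review rather than being written back blindly, since configparser drops comments and reorders nothing else but does rewrite spacing.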