> From sssd-ipa man page this setting seems recommended as it allows to
> use service discovery whenever possible but also sets a fall-back to the
> specified server if the discovery is failing.


Got it. That makes sense, and in that case I won't investigate any further. 

It is indeed filling in the two servers due to one being seen from autodiscovery, and the other being manually defined.

Thanks for the insight!

On Wed, Jan 29, 2020 at 11:34 AM Florence Blanc-Renaud <flo@redhat.com> wrote:
On 1/29/20 3:54 PM, Russell Jones via FreeIPA-users wrote:
> Hi Rob,
>
> Thanks for the info! Sorry I wasn't clear. Here's some more info about
> what is happening on my end so that we can verify it's what is actually
> supposed to happen.
>
> The command that is being run to bind these nodes to the domain is:
>
>     ipa-client-install --force-join --no-nisdomain --domain=<removed> -U
>     -p <enrollment username> -w <enrollment password>
>
>
>
> What I expected to happen: Since I did not pass any fixed servers, the
> client will depend solely on the SRV records to autodiscover and configure.
>
> What happens: It *does* auto discover and configure, but also places an
> actual server hostname on the ipa_server line as well.

This behavior didn't change recently. I checked in IPA 3.3 and it was
already the case.
From sssd-ipa man page this setting seems recommended as it allows to
use service discovery whenever possible but also sets a fall-back to the
specified server if the discovery is failing.

>
> The downside (if it actually is one?): As a result of this, when I run
> sssctl domain-status, the server that is listed under ipa_server gets
> shown twice in the domain status output. Example:
>
>         [root@rdhpc-n1 xcatpost]# sssctl domain-status <removed>
>         Online status: Online
>         Active servers:
>         IPA: freeipa2.<removed>
>         Discovered IPA servers:
>         - freeipa2.<removed>
>         - freeipa.<removed>
>         *- freeipa3.*<removed>*
>         - freeipa3.*<removed>
>
>
Just a guess on my side but the first occurrence was probably found
using discovery and the second using the fixed server name. You should
check with sssd users mailing list (sssd-users@lists.fedorahosted.org)
if you want a confirmation.

HTH,
flo
>
>
>
> Here's what my sssd.conf looks like after the above ipa-client-install
> is run. Note the existence of both "_srv_" and "freeipa3" on the
> ipa_server line:
>
>         [domain/<removed>l]
>         cache_credentials = True
>         krb5_store_password_if_offline = True
>         ipa_domain = <removed>
>         id_provider = ipa
>         auth_provider = ipa
>         access_provider = ipa
>         ldap_tls_cacert = /etc/ipa/ca.crt
>         ipa_hostname = rdhpc-n1.nxcluster
>         chpass_provider = ipa
>         *ipa_server = _srv_, freeipa3.<removed>*
>         dns_discovery_domain = <removed>
>         autofs_provider = ipa
>         ipa_automount_location = default
>         [sssd]
>         services = nss, sudo, pam, autofs, ssh
>         domains = <removed>
>         [nss]
>         homedir_substring = /home
>         [pam]
>         [sudo]
>         [autofs]
>         [ssh]
>         [pac]
>         [ifp]
>         [secrets]
>         [session_recording]
>
>
> On Tue, Jan 28, 2020 at 1:22 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Russell Jones via FreeIPA-users wrote:
>      > I'm running "ipa-client-install --force-join --no-nisdomain -U", and it
>      > auto discovers my freeipa servers, but places both _srv_ and the first
>      > server under the "ipa_server" line. This results in the first server
>      > being listed twice when running "sssctl domain-status".
>
>     I think you need to be clearer about what you're seeing.
>
>      > Is this expected behavior? Is this behavior that I actually want?
>      >
>      >
>      > Just trying to understand better. Thank you for any insight!
>
>     It very well could be a bug in sssd but _srv_ is included so sssd can
>     fall back to other servers discovered using SRV records if the listed
>     master(s) are not reachable.
>
>     rob
>
>
>
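
An added example, not part of the thread and not SSSD or FreeIPA code: a small Python audit that classifies the `ipa_server` line of each IPA domain in an sssd.conf as discovery with a fixed fall-back (what the thread shows), discovery only, or fixed only. The sample config, the `example.test` and `pinned.test` names, the `audit_ipa_servers` function, and the caller-supplied `discovered` list are constructed for illustration; treating a missing `ipa_server` line as discovery only is an assumption.

```python
import configparser

# Constructed sample modelled on the sssd.conf in the thread;
# example.test and pinned.test are placeholder domains.
SAMPLE_CONF = """\
[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_server = _srv_, freeipa3.example.test
dns_discovery_domain = example.test

[domain/pinned.test]
id_provider = ipa
ipa_server = freeipa.pinned.test

[sssd]
services = nss, pam
domains = example.test
"""


def audit_ipa_servers(conf_text, discovered=()):
    """Classify ipa_server for every [domain/...] section using id_provider = ipa.

    discovered: hostnames the caller obtained from an SRV lookup (hypothetical input).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    known = {d.lower() for d in discovered}
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        # Assumption: with no ipa_server line the client relies on discovery alone.
        raw = cp.get(section, "ipa_server", fallback="_srv_")
        entries = [e.strip() for e in raw.split(",") if e.strip()]
        fixed = [e for e in entries if e != "_srv_"]
        uses_srv = "_srv_" in entries
        if uses_srv and fixed:
            mode = "discovery+fallback"   # the layout shown in the thread
        elif uses_srv:
            mode = "discovery-only"
        else:
            mode = "fixed-only"           # no SRV fall-back if these hosts are down
        report[section[len("domain/"):]] = {
            "mode": mode,
            "fixed": fixed,
            # Fixed hosts that discovery also returned: candidates for a double listing.
            "also_discovered": [f for f in fixed if f.lower() in known],
        }
    return report
```

Domains reported as `fixed-only` have no SRV fall-back, which is the case the `_srv_` entry is there to avoid.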