Hi Rob,
Thanks for the info! Sorry I wasn't clear. Here's some more info about what
is happening on my end so that we can verify it's what is actually supposed
to happen.
The command that is being run to bind these nodes to the domain is:
ipa-client-install --force-join --no-nisdomain --domain=<removed> -U -p <enrollment username> -w <enrollment password>
What I expected to happen: Since I did not pass any fixed servers, the
client will depend solely on the SRV records to autodiscover and configure.
What happens: It *does* auto discover and configure, but also places an
actual server hostname on the ipa_server line as well.
The downside (if it actually is one?): As a result of this, when I run
sssctl domain-status, the server that is listed under ipa_server gets shown
twice in the domain status output. Example:
[root@rdhpc-n1 xcatpost]# sssctl domain-status <removed>
Online status: Online
Active servers:
IPA: freeipa2.<removed>
Discovered IPA servers:
- freeipa2.<removed>
- freeipa.<removed>
*- freeipa3.*<removed>
*- freeipa3.*<removed>
Here's what my sssd.conf looks like after the above ipa-client-install is
run. Note the existence of both "_srv_" and "freeipa3" on the ipa_server
line:
[domain/<removed>l]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = <removed>
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = rdhpc-n1.nxcluster
chpass_provider = ipa
*ipa_server = _srv_, freeipa3.<removed>*
dns_discovery_domain = <removed>
autofs_provider = ipa
ipa_automount_location = default
[sssd]
services = nss, sudo, pam, autofs, ssh
domains = <removed>
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
On Tue, Jan 28, 2020 at 1:22 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Russell Jones via FreeIPA-users wrote:
> I'm running "ipa-client-install --force-join --no-nisdomain -U", and it
> auto discovers my freeipa servers, but places both _srv_ and the first
> server under the "ipa_server" line. This results in the first server
> being listed twice when running "sssctl domain-status".
I think you need to be clearer about what you're seeing.
> Is this expected behavior? Is this behavior that I actually want?
>
>
> Just trying to understand better. Thank you for any insight!
It very well could be a bug in sssd but _srv_ is included so sssd can
fall back to other servers discovered using SRV records if the listed
master(s) are not reachable.
rob
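
A check for the pattern discussed in this thread, as an added example that is not part of the original messages or of FreeIPA/SSSD code: it parses an sssd.conf and the sssctl domain-status output and reports hosts that are both listed explicitly on ipa_server and duplicated in the discovered list. The sample inputs are constructed, with example.test standing in for the redacted domain, and the function names are hypothetical.

```python
import configparser
from collections import Counter

# Constructed sample input; "example.test" stands in for the redacted domain.
SSSD_CONF = """\
[domain/example.test]
id_provider = ipa
ipa_server = _srv_, freeipa3.example.test
dns_discovery_domain = example.test
[sssd]
domains = example.test
"""
DOMAIN_STATUS = """\
Online status: Online
Active servers:
IPA: freeipa2.example.test
Discovered IPA servers:
- freeipa2.example.test
- freeipa.example.test
- freeipa3.example.test
- freeipa3.example.test
"""

def ipa_server_entries(conf_text, domain):
    """Return (uses_srv_discovery, [explicitly listed hosts]) for a domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get(f"domain/{domain}", "ipa_server", fallback="")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    return "_srv_" in entries, [e for e in entries if e != "_srv_"]

def discovered_servers(status_text):
    """Return the hosts listed under 'Discovered IPA servers:'."""
    hosts, in_block = [], False
    for line in map(str.strip, status_text.splitlines()):
        if line.startswith("Discovered IPA servers"):
            in_block = True
        elif in_block and line.startswith("- "):
            hosts.append(line[2:].strip())
        elif in_block and line:
            in_block = False  # a different section of the output started
    return hosts

def report(conf_text, status_text, domain):
    uses_srv, fixed = ipa_server_entries(conf_text, domain)
    counts = Counter(discovered_servers(status_text))
    dupes = sorted(h for h, n in counts.items() if n > 1)
    # Duplicated hosts that are also listed next to _srv_ on ipa_server.
    both = sorted(set(dupes) & set(fixed)) if uses_srv else []
    return {"uses_srv": uses_srv, "fixed": fixed, "duplicates": dupes, "both": both}
```

Calling report(SSSD_CONF, DOMAIN_STATUS, "example.test") on a node's real files shows whether a duplicated entry coincides with a host listed next to _srv_ or comes from somewhere else.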