On ti, 13 huhti 2021, John Desantis via FreeIPA-users wrote:
> Hello all!
> I've just perused the list and seem to have found a single entry where
> an IPA master/replica is configured with the following items:
> 1.) ipa_server_mode = true
> 2.) ipa_server = master, replica1, replica2
> Is it recommended to have all IPA servers listed in the server's
> sssd.conf? For example:
> # master
> ipa_server = master.domain, replica.domain
> ipa_server_mode = true
> # replica
> ipa_server = replica.domain, master.domain
> ipa_server_mode = true
> The idea is that `sssctl domain-status` would return all possible IPA
> servers on the server itself, vs. just itself.
IPA servers should only have themselves in the 'ipa_server' option when
'ipa_server_mode = true'. It should either work or fail as a whole unit
as a domain controller.
This is documented in sssd-ipa(5) manual page:
ipa_server_mode (boolean)
This option will be set by the IPA installer
(ipa-server-install) automatically and denotes if SSSD is
running on an IPA server or not.
On an IPA server SSSD will lookup users and groups from
trusted domains directly while on a client it will ask an IPA
server.
NOTE: There are currently some assumptions that must be met
when SSSD is running on an IPA server.
• The “ipa_server” option must be configured to point to
the IPA server itself. This is already the default set by the
IPA installer, so no manual change is required.
• The “full_name_format” option must not be tweaked to only
print short names for users from trusted domains.
Default: false
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
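The two assumptions quoted from sssd-ipa(5) above (ipa_server pointing only at the server itself, full_name_format not stripped down to short names) are easy to lint for. The script below is an added example written for this page, not code from the thread or from the SSSD or FreeIPA projects. It assumes the IPA domain section of sssd.conf carries ipa_hostname (which ipa-server-install writes) so the check can run offline; the example.test configs embedded in it are constructed, the first one reproducing the "master" layout proposed in the question.

```python
"""Lint sssd.conf for the ipa_server_mode assumptions documented in sssd-ipa(5).

Constructed example; not part of SSSD or FreeIPA. It checks that on an IPA
server (ipa_server_mode = true) 'ipa_server' names only the server itself and
that 'full_name_format', if set, still prints the domain part.
"""
import configparser
import socket

# Constructed sample: the "master" layout proposed in the question above.
WRONG_CONF = """\
[sssd]
domains = example.test
services = nss, pam, ssh, sudo

[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_hostname = master.example.test
ipa_server = master.example.test, replica.example.test
ipa_server_mode = True
full_name_format = %1$s
"""

# Constructed sample: what the installer leaves behind (only the server itself).
RIGHT_CONF = """\
[sssd]
domains = example.test
services = nss, pam, ssh, sudo

[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_hostname = master.example.test
ipa_server = master.example.test
ipa_server_mode = True
"""


def _truthy(value):
    """Boolean parsing loose enough for hand-edited sssd.conf values."""
    return value.strip().lower() in ("true", "yes", "1", "on")


def check_ipa_server_mode(conf_text, local_fqdn=None):
    """Return a list of (section, message) findings; an empty list means OK.

    local_fqdn is used only when the domain section has no ipa_hostname;
    it defaults to this machine's FQDN so the script also works on a real server.
    """
    # interpolation=None: full_name_format values contain '%1$s' style tokens.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="").strip() != "ipa":
            continue
        if not _truthy(cp.get(section, "ipa_server_mode", fallback="false")):
            continue  # plain IPA client: listing several servers is fine there
        servers = [s.strip() for s in
                   cp.get(section, "ipa_server", fallback="").split(",") if s.strip()]
        me = cp.get(section, "ipa_hostname", fallback="").strip() \
            or local_fqdn or socket.getfqdn()
        if servers != [me]:
            findings.append((section,
                             "ipa_server must list only this server (%s), found: %s"
                             % (me, ", ".join(servers) or "<empty>")))
        fmt = cp.get(section, "full_name_format", fallback=None)
        # Heuristic: without the %2$s (domain) token, trusted-domain users
        # would be printed as short names, which the manual page forbids here.
        if fmt is not None and "%2$s" not in fmt:
            findings.append((section,
                             "full_name_format=%r drops the domain part; "
                             "trusted-domain users would appear as short names" % fmt))
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sssd/sssd.conf"
    with open(path) as fh:
        problems = check_ipa_server_mode(fh.read())
    for sec, msg in problems:
        print("%s: %s" % (sec, msg))
    sys.exit(1 if problems else 0)
```

Run it against /etc/sssd/sssd.conf on each IPA server after any manual edit; a non-zero exit means the domain section no longer matches what the installer set and SSSD's server-mode assumptions.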