On 8/12/20 1:16 PM, Louis Bohm via FreeIPA-users wrote:
Yes the client was installed not using the --server option. So it looks
like my issue is DNS. We have DNS external to the IPA hosts. Is there
a simple way for me to get a list of all the DNS records that need to be
added to our DNS system from IPA?
Yes, please see my 2nd link that mentions ipa dns-update-system-records
--dry-run:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/dns-updates-external
flo
Louis
-<<—->>-
Louis Bohm
[email protected]
On Aug 12, 2020, at 5:02 AM, Florence Blanc-Renaud <[email protected]> wrote:
On 8/11/20 11:16 PM, Louis Bohm via FreeIPA-users wrote:
Environment:
2 IPA Masters running Centos 8 and IPA Server 4.8.0.13
Client running Centos 8 and IPA Client 4.8.0.13
The masters were set up as MultiMasters (I think I have it correct).
If I shut down the first master (ipa01) so only ipa02 is running then
try to log in to the client I cannot. Found I needed to add both hosts
to the IPA_server line in the SSSD.conf under the domain section to
make that work.
Now if I try to add a user via the command line on the client I get
the following error:
ipa: ERROR: cannot connect to
'https://ipa01.bos1.domain.com/ipa/json': [Errno 113] No route to host
Do I need to list both IPA servers somewhere else? If so where? I
did try adding both IPA servers on the URL line of openldap.conf
(only ipa01 was listed).
Hi,
you can find more information in "Failover, Load balancing and High
Availability in IdM" [1]
On the client-side, it depends on how the client was installed. If DNS
auto-discovery was used (no --server option provided), then sssd.conf
should contain the keyword _srv_ in the list of configured servers
(ipa_server= _srv_, ...). In this case, SSSD is using the DNS to find
the appropriate server, please see sssd-ipa man page, especially the
SERVICE DISCOVERY section.
This requires the client to use a proper DNS server. If the DNS is
provided by the IPA servers, make sure that /etc/resolv.conf on the
client contains ipa01 and ipa02 (otherwise when ipa01 is down, the
client won't be able to use the DNS). If the DNS is external, make
sure that it contains the proper records as explained in "Updating DNS
records systematically when using external DNS" [2]
HTH,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/load-balancing
[2]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/dns-updates-external
Louis
-<<—->>-
Louis Bohm
[email protected]
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
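
An added example, not part of the thread and not FreeIPA code: it compares the records IPA expects (the kind of listing ipa dns-update-system-records --dry-run gives) with what an external zone holds, and flags SRV names that point at a single server, which is the condition that breaks failover for clients using _srv_ discovery. The "name TTL IN TYPE rdata" line layout, the ipa02 host name, the realm and every sample record are constructed assumptions.

```python
# Added example: find IPA system records that an external DNS zone is missing.
# Both inputs are constructed samples in assumed "name TTL IN TYPE rdata" form.
from collections import defaultdict

EXPECTED = """\
_ldap._tcp.bos1.domain.com. 86400 IN SRV 0 100 389 ipa01.bos1.domain.com.
_ldap._tcp.bos1.domain.com. 86400 IN SRV 0 100 389 ipa02.bos1.domain.com.
_kerberos._udp.bos1.domain.com. 86400 IN SRV 0 100 88 ipa01.bos1.domain.com.
_kerberos._udp.bos1.domain.com. 86400 IN SRV 0 100 88 ipa02.bos1.domain.com.
_kerberos.bos1.domain.com. 86400 IN TXT "BOS1.DOMAIN.COM"
"""
EXTERNAL = """\
_ldap._tcp.bos1.domain.com. 3600 IN SRV 0 100 389 ipa01.bos1.domain.com.
_kerberos._udp.bos1.domain.com. 3600 IN SRV 0 100 88 IPA01.bos1.domain.com.
_kerberos.bos1.domain.com. 3600 IN TXT "BOS1.DOMAIN.COM"
"""

def parse_records(text):
    """Return {(name, type): set(rdata)}; TTL is ignored, names are lowercased."""
    records = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Skip headings, blank lines and anything not shaped like a record.
        if len(fields) < 5 or fields[2].upper() != "IN" or not fields[1].isdigit():
            continue
        name, rtype = fields[0].lower().rstrip("."), fields[3].upper()
        rdata = " ".join(fields[4:])
        if rtype != "TXT":  # TXT payloads (the Kerberos realm) are case-sensitive
            rdata = rdata.lower().rstrip(".")
        records[(name, rtype)].add(rdata)
    return records

def missing_records(expected_text, external_text):
    """Sorted "name TYPE rdata" strings that IPA expects but the zone lacks."""
    external = parse_records(external_text)
    return sorted(f"{name} {rtype} {rdata}"
                  for (name, rtype), values in parse_records(expected_text).items()
                  for rdata in values - external.get((name, rtype), set()))

def single_server_services(zone_text):
    """SRV names with fewer than two distinct targets: no failover for clients."""
    srv = {k: v for k, v in parse_records(zone_text).items() if k[1] == "SRV"}
    return sorted(name for (name, _), values in srv.items()
                  if len({rdata.split()[-1] for rdata in values}) < 2)

if __name__ == "__main__":
    print("missing:", *missing_records(EXPECTED, EXTERNAL), sep="\n  ")
    print("single target only:", *single_server_services(EXTERNAL), sep="\n  ")
```

To use it on real data, replace EXPECTED with the saved dry-run listing and EXTERNAL with an export of the external zone.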