On 04/05/2011 09:54 AM, Sigbjorn Lie wrote:
>> On 04/05/2011 08:16 AM, Sigbjorn Lie wrote:
>>>> On 04/04/2011 05:17 PM, Sigbjorn Lie wrote:
>>>>> The first dig is taken on the ipa server, using its own IPA configured
>>>>> test DNS. However I have an F14 client successfully connected using my
>>>>> prod DNS (my DHCP default). Prod DNS is serving the same _ldap._tcp
>>>>> records for the same IPA server. My prod dns is serving TTL 1 second for
>>>>> the same records.
>>>>>
>>>>> I presume what happened was that I started the SSSD on the IPA server
>>>>> while it was still being served by the PROD dns. Then I changed the
>>>>> nameserver entries after.
>>>>>
>>>>> What gets to me is that I've used the prod DNS setup for testing with
>>>>> F14 for months now, without any issue. This first became an issue when I
>>>>> reinstalled the IPA server with RHEL 6.1 beta.
>>>>>
>>>>> Was that really it? Too low TTL on the DNS entries?
>>>>
>>>> If I remember correctly, the change that added _srv_ by default to
>>>> sssd.conf went in during one of the later release candidates for FreeIPA.
>>>> So it's likely that for most of your time testing it, you only had the
>>>> explicit server address in the config file.
>>>>
>>>> I do encourage you to keep the _srv_ entry, as it really does make life
>>>> a lot easier later on (if you want to add a replica or move the FreeIPA
>>>> server) since you only have to update DNS instead of every client.
>>>
>>> I see your point. I'll increase the TTL of my production zone and see what
>>> happens then. What do you think of having only the _srv_ entry, no named
>>> hosts at all in sssd.conf?
>>
>> The reason the install script sets one named host is just to be extra
>> cautious. If DNS is not resolving for some reason (BIND crashed, or someone
>> accidentally blocked port 53, etc.) then SSSD will still attempt to reach
>> the named host before giving up and going offline.
>>
>> It's not strictly necessary, but neither should it ever be harmful.
>> Obviously if DNS is resolving correctly at all times the named host will
>> never be used.
>
> Ok. I see.
>
> Why are the _srv_ records not used in the domain/default as well? And what
> exactly is the difference between domain/ix.nixtra.com and domain/default?

[domain/default] is not in use. It's put there by authconfig (which we use
to bootstrap the SSSD setup process) but we disable that domain. Only
domains listed in the domains = <domain1>, <domain2>, ... line of the [sssd]
section are active.

We leave it in there to be a good citizen (in case it actually was
configured previously). That way we don't wipe out any settings that the
user may have had in it.

-- 
Stephen Gallagher
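The two points made in this thread (only domains on the `domains =` line of `[sssd]` are active, and `ipa_server` should carry `_srv_` plus one named host as a fallback when DNS is down) can be checked mechanically. The following is an added example, not code from the thread or from SSSD; the sample sssd.conf is constructed, and the host name `ipa1.ix.nixtra.com` is an assumption.

```python
"""Audit an sssd.conf for active domains and ipa_server failover setup."""
import configparser

# Constructed sample resembling what ipa-client-install leaves behind.
# The host name is an assumption; the domain name is the one from the thread.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = ix.nixtra.com

[domain/ix.nixtra.com]
id_provider = ipa
ipa_domain = ix.nixtra.com
ipa_server = _srv_, ipa1.ix.nixtra.com
cache_credentials = True

[domain/default]
# left behind by authconfig; not on the 'domains' line, so inactive
"""

def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def active_domains(cp):
    """Domains SSSD will actually use: the 'domains' list in [sssd]."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]

def inactive_domains(cp):
    """[domain/...] sections present in the file but not activated."""
    active = set(active_domains(cp))
    names = [s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")]
    return [d for d in names if d not in active]

def server_failover(cp, domain):
    """Return (uses_srv, named_hosts) parsed from the domain's ipa_server list."""
    raw = cp.get(f"domain/{domain}", "ipa_server", fallback="")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    return "_srv_" in entries, [e for e in entries if e != "_srv_"]

def report(text):
    """Map each active domain to a status describing its failover posture."""
    cp = parse_sssd_conf(text)
    findings = {}
    for d in active_domains(cp):
        uses_srv, named = server_failover(cp, d)
        if uses_srv and named:
            findings[d] = "ok: _srv_ discovery with named fallback host"
        elif uses_srv:
            findings[d] = "warning: _srv_ only; no fallback if DNS stops resolving"
        elif named:
            findings[d] = "warning: named hosts only; every client must change on server move"
        else:
            findings[d] = "error: no ipa_server configured"
    return findings
```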
