On 08/04/2016 11:48 AM, Keller, Mario wrote:
> Hello,
>
> I've set up two ipa-servers on RHEL 7 that are up and running. Replication is
> also working.
>
> #ipa-replica-manage list
> Directory Manager password:
>
> s-fcbg-ipa2.ipa.cornelsen.de: master
> s-onli-ipa1.ipa.cornelsen.de: master
>
> Both servers running ipa-server-4.2 :
>
> rpm -qa | grep ipa-server
> ipa-server-dns-4.2.0-15.el7_2.17.x86_64
> ipa-server-4.2.0-15.el7_2.17.x86_64
>
> I also have a client installed, also running version 4.2
>
> ipa-client-4.2.0-15.el7_2.17.x86_64
>
> The client and the first server are in the same subnet, while server 2 is in
> a different subnet.
> All ports that are required are open for server 1 to server 2 and also for
> the client to server two.
>
> I have a subdomain ipa.cornelsen.de that is managed by both ipa-servers. The
> subdomain is forwarded by our general dns-server to both ipa-servers.
>
> If I switch server 1 off I would expect that the client is using the second
> server to check access and sudo rights, but that's not the case. If I create
> a new user on the ipa-server and then switch off the first server, the user
> cannot login to the client. If I switch on server 1 again, the user can
> login.
>
> The official documentation says:
>
> " There can be multiple servers and replicas within the IdM server topology.
> When a client needs to connect to a server for updates or to retrieve user
> information, it (by default) uses a service scan to discover available
> servers and replicas in the domain. This means that the actual server to
> which the client connects is random, depending on the results of the
> discovery scan."
>
> But there's no information how this scan is done.
>
> I have to provide the server and the domain during the client installation.
> But regarding to the documentation, the server can be any server or replica
> in my topology. This server is saved also in the
> /etc/ipa/default.conf
>
> How is the service scan working and is there a way to manually check what the
> service-check is returning?
>
> With best regards,
>
> Mario Keller
> IT-Operations Engineer
>

Hello,

With what options were the clients installed?

Autodiscovery works only if the client is also installed with autodiscovery. That means that if ipa-client-install is run with the --server option, then autodiscovery is not used. This is documented in the ipa-client-install man page.

HTH
--
Petr Vobornik
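
One way to check on a client whether it was installed with a fixed server or with autodiscovery, as an added example that is not part of the original thread. It assumes the client uses SSSD, where the `ipa_server` option in `/etc/sssd/sssd.conf` contains the keyword `_srv_` when DNS SRV discovery is in use, and that the LDAP SRV records live at `_ldap._tcp.<domain>`; the function names and the `example.test` hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how an IPA client's SSSD finds its servers.

# Print the value of the first ipa_server line in an sssd.conf-style file.
ipa_server_value() {
    sed -n 's/^[[:space:]]*ipa_server[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# srv          -> list contains _srv_: servers are looked up via DNS SRV records
# fixed-list   -> several fixed hosts: failover only among those hosts
# fixed-single -> one fixed host: nothing to fail over to
# unset        -> no ipa_server line found
failover_mode() {
    value=$(ipa_server_value "$1" | tr -d '[:space:]')
    if [ -z "$value" ]; then echo unset; return 0; fi
    case ",$value," in
        *,_srv_,*) echo srv; return 0 ;;
    esac
    count=$(printf '%s\n' "$value" | tr ',' '\n' | grep -c . || true)
    if [ "$count" -gt 1 ]; then echo fixed-list; else echo fixed-single; fi
}

# Manual check of what discovery can return: the LDAP SRV records of a domain.
srv_records() {
    dig +short SRV "_ldap._tcp.$1"
}

# Constructed sample: a client pinned to a single server.
demo() {
    tmp=$(mktemp)
    printf '[domain/ipa.example.test]\nipa_server = ipa1.ipa.example.test\n' > "$tmp"
    failover_mode "$tmp"
    rm -f "$tmp"
}

# Usage: sh check.sh /etc/sssd/sssd.conf [domain]; with no arguments, run the demo.
if [ -n "${1:-}" ]; then failover_mode "$1"; else demo; fi
if [ -n "${2:-}" ]; then srv_records "$2"; fi
```

A result of `fixed-single` matches the behaviour described in the question: logins fail while the one configured server is down.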