Thanks for such quick response.

Nice to know that it's "broken by current design".
Now I can sleep calm.

I'm interested if such initial setup against "wrong" IPA server can have
some negative side effects?
1. Like client in "DC1" will first ask try ask IPA in "AWS"
2. If we loose connection between DC1 and AWS - client in DC1 will "lose
his mind"

In simple words:
I want to make sure that IPA server chosen during install want be evolved
in further life-cycle of client host
Of course i'm not talking about disaster failover case, usual operations
when proper IPA is healthy and reachable

Thanks

On Thu, Jun 22, 2017 at 12:00 PM, Martin Bašti <mba...@redhat.com> wrote:

>
>
> On 22.06.2017 09:45, Denis Iskandarov via FreeIPA-users wrote:
>
> Hello,
>
> I have two datacenters. One is self hosted so all the docs are working
> just fine. The second one is AWS.
>  I've managed to setup replica between "static" DC , "DC1", and AWS
> "cloud" DC with all its problems.
> There are still issues to solve within AWS.
> But "static" which has Bind name servers is not working properly.
>
> Client hosts are using my external DNSs, with proper zone delegation to
> IPA.
> And are slaves of zone delegated to FreeIPA - so they do receive all
> updates from IPA.
> Default TTL lowered to 5min.
>
> Configured IPA locations.
>
> During install ipa-client-install in "DC1" chooses wrong IPA server, one
> dedicated for AWS.
> And because of our security policies clients are not allowed to
> communicate with AWS IPA - so installation completely fails.
> At some point randomly of course it chooses correct IPA server.
>
> dig on every host in network shows correct priorities and weights.
>
> Below I will paste related configs outputs:
>
> ; auth.tld zone delegation
>> auth.tld.                       IN      NS      ipa.auth.tld.
>> auth.tld.                       IN      NS      dns1.tld.
>> ipa.auth.tld.                 IN      A       10.200.10.9
>> ipa-aws.auth.tld.          IN      A       10.70.83.86
>
>
>  on client host, and every other dig looks like:
>
>> # dig +short _ldap._tcp.auth.tld SRV
>> _ldap._tcp.dc1._locations.auth.tld.
>> 0 100 389 ipa.auth.tld.
>> 50 100 389 ipa-aws.auth.tld.
>
>
> or putting servers on different positions but still with correct
> priorities:
>
>> dig +short _ldap._tcp.auth.tld SRV
>> _ldap._tcp.dc1._locations.auth.tld.
>> 50 100 389 ipa-aws.auth.tld.
>> 0 100 389 ipa.auth.tld.
>
>
>  [root@client-001 ~]# /usr/sbin/ipa-client-install --domain='auth.tld'
>> --principal='hostreg' --password='xxxxxxx' --mkhomedir --no-sshd --no-ntp
>> Discovery was successful!
>> Client hostname: client-001.dmz.dc1.tld
>> Realm: AUTH.tld
>> DNS Domain: auth.tld
>> IPA Server: ipa-aws.auth.tld
>> BaseDN: dc=auth,dc=tld
>> Continue to configure the system with these values? [no]: no
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>
>
> I don't understand, why if dig shows correct priorities information,
> ipa-client-install is choosing wrong server.
> Looks like ipa-client install not treating priorities and is choosing
> first ipa server from dig list.
>
> Can't find out what I'm missing
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
>
> Hello, ipa-client-install and IPA CLI doesn't respect priorities so server
> is really chosen randomly. ipa-client-install will be fixed in 4.6 to
> support SRV priorities.
>
> SSSD on client however support priorities, so after successful
> installation SSSD will choose correct servers.
>
> Sorry.
>
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to