On Tue, 12 Mar 2019, Callum Smith via FreeIPA-users wrote:
Dear Alexander,

We already have the correct _ldap._tcp.virt.$domain in place, and the
discovery at the start of ipa-client-install is working correctly: it
discovers the correct information and installs based on that:

Discovery was successful!
Client hostname: virt-test.virt.in.bmrc.ox.ac.uk
Realm: IN.BMRC.OX.AC.UK
DNS Domain: virt.in.bmrc.ox.ac.uk
IPA Server: ipa-b.virt.in.bmrc.ox.ac.uk
BaseDN: dc=in,dc=bmrc,dc=ox,dc=ac,dc=uk

But it is further into the process where it goes a bit wrong. I've
attached two files, krb5trace and ipaclient-installer.log, so that we're
not confusing the previous woes.
The difference is that during install the temporary krb5.conf written pins you
down to a specific IPA master. This is done to avoid replication issues
if a different master were chosen at a different stage of the install
process.

Later, the actual krb5.conf written to /etc/krb5.conf does not include
that master because the installation options weren't forcing us to stick to
a specific master. At this point selection of the KDCs is left to the krb5
library. The actual order in which the service locator tries is this:

- try locator plugins first
- try krb5.conf profile
- try DNS resolution as a callback

We have nothing in krb5.conf. We also have nothing in sssd.conf, so the SSSD
locator plugin would give us whatever IPA master it chose. But at the
point of completing the ipa-client-install job SSSD is not yet running, so
we end up with DNS resolution.

The only way of solving this is by forcing use of specific servers
during install, e.g. specifying

ipa-client-install --server ipa-a.virt.$domain --server ipa-b.virt.$domain ...

would make sure both servers are added to krb5.conf and to sssd.conf.

Perhaps this is what would work for you?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
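As an added example (not part of this thread, and not FreeIPA's or MIT krb5's own tooling), the POSIX shell script below applies the selection order Alexander describes to two constructed krb5.conf fragments: one as written after an install pinned with --server (both KDCs listed in the realm block), and one with no kdc entries at all, where the library falls through to DNS SRV lookup. The realm is the one from the discovery output above; the ipa-a hostname, the file contents and the extra keys (master_kdc, admin_server, pkinit_anchors) are constructed for illustration, not taken from the attached logs. The script only reports which SRV name would be consulted; it does not query DNS, so it runs offline.

```shell
#!/bin/sh
# Added example: report where a client's KDC list for a realm comes from,
# following the order in the mail: kdc entries in the krb5.conf profile first,
# DNS SRV records only when the realm block has none.
# Constructed values: the hostnames and file contents are illustrative.

REALM="${REALM:-IN.BMRC.OX.AC.UK}"

# Constructed sample: /etc/krb5.conf after an install that pinned two masters.
PINNED_CONF=$(cat <<'EOF'
[libdefaults]
  default_realm = IN.BMRC.OX.AC.UK
  dns_lookup_kdc = true

[realms]
  IN.BMRC.OX.AC.UK = {
    kdc = ipa-a.virt.in.bmrc.ox.ac.uk:88
    kdc = ipa-b.virt.in.bmrc.ox.ac.uk:88
    master_kdc = ipa-a.virt.in.bmrc.ox.ac.uk:88
    admin_server = ipa-a.virt.in.bmrc.ox.ac.uk:749
  }
EOF
)

# Constructed sample: the unpinned case, where the realm block carries no
# kdc lines and the library has to fall through to DNS.
UNPINNED_CONF=$(cat <<'EOF'
[libdefaults]
  default_realm = IN.BMRC.OX.AC.UK
  dns_lookup_kdc = true

[realms]
  IN.BMRC.OX.AC.UK = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  }
EOF
)

# profile_kdcs CONF_TEXT REALM: print the "kdc = host[:port]" values inside
# the realm's block, one host per line, port stripped. Empty output means
# nothing is pinned in the profile.
profile_kdcs() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        $1 == realm && $2 == "=" && $3 == "{" { inside = 1; next }
        inside && $1 == "}"                  { inside = 0 }
        inside && $1 == "kdc" && $2 == "="   { sub(/:[0-9]+$/, "", $3); print $3 }
    '
}

# kdc_source CONF_TEXT REALM: "profile" when the realm block pins kdc
# entries, "dns" when the library would go to SRV lookup instead.
kdc_source() {
    if [ -n "$(profile_kdcs "$1" "$2")" ]; then
        echo profile
    else
        echo dns
    fi
}

# dns_srv_name REALM: the SRV record krb5 resolves for a KDC when the
# profile is empty (the realm appears lower-cased as the DNS label).
dns_srv_name() {
    printf '_kerberos._udp.%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Walk both samples and show the difference the --server options make.
for label in pinned unpinned; do
    case $label in
        pinned)   conf=$PINNED_CONF ;;
        unpinned) conf=$UNPINNED_CONF ;;
    esac
    src=$(kdc_source "$conf" "$REALM")
    echo "== $label krb5.conf: KDC selection via $src"
    if [ "$src" = profile ]; then
        profile_kdcs "$conf" "$REALM"
    else
        echo "would resolve SRV $(dns_srv_name "$REALM")"
    fi
done
```

Running it against a real client is a matter of replacing the constructed fragments with the contents of /etc/krb5.conf; a realm block with no kdc lines is the signature of the situation described above, where the host that the client ends up talking to is whatever DNS hands back rather than the master the installer used.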
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]