Yes, the client was installed without using the --server option. So it looks like my issue is DNS. We have DNS external to the IPA hosts. Is there a simple way for me to get a list of all the DNS records that need to be added to our DNS system from IPA?
Louis
-<<—->>-
Louis Bohm
[email protected]
<https://www.youracclaim.com/badges/f11e0d65-21ad-4458-895b-2c5b5cb11134/public_url>

> On Aug 12, 2020, at 5:02 AM, Florence Blanc-Renaud <[email protected]> wrote:
>
> On 8/11/20 11:16 PM, Louis Bohm via FreeIPA-users wrote:
>> Environment:
>> 2 IPA Masters running CentOS 8 and IPA Server 4.8.0.13
>> Client running CentOS 8 and IPA Client 4.8.0.13
>> The masters were set up as MultiMasters (I think I have it correct).
>> If I shut down the first master (ipa01) so only ipa02 is running, then try to
>> log in to the client, I cannot. Found I needed to add both hosts to the
>> ipa_server line in the sssd.conf under the domain section to make that work.
>> Now if I try to add a user via the command line on the client I get the
>> following error:
>> ipa: ERROR: cannot connect to 'https://ipa01.bos1.domain.com/ipa/json':
>> [Errno 113] No route to host
>> Do I need to list both IPA servers somewhere else? If so, where? I did try
>> adding both IPA servers on the URL line of openldap.conf (only ipa01 was
>> listed).
>
> Hi,
>
> you can find more information in "Failover, Load balancing and High
> Availability in IdM" [1]
>
> On the client side, it depends on how the client was installed. If DNS
> auto-discovery was used (no --server option provided), then sssd.conf should
> contain the keyword _srv_ in the list of configured servers (ipa_server =
> _srv_, ...). In this case, SSSD is using the DNS to find the appropriate
> server; please see the sssd-ipa man page, especially the SERVICE DISCOVERY
> section.
>
> This requires the client to use a proper DNS server. If the DNS is provided
> by the IPA servers, make sure that /etc/resolv.conf on the client contains
> ipa01 and ipa02 (otherwise, when ipa01 is down, the client won't be able to
> use the DNS). If the DNS is external, make sure that it contains the proper
> records as explained in "Updating DNS records systematically when using
> external DNS" [2]
>
> HTH,
> flo
>
> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/load-balancing
> [2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/dns-updates-external
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
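The exchange above hinges on the SRV and TXT records an IPA client relies on when it was installed without --server and SSSD is configured with ipa_server = _srv_. The following Python is an added example, not code from the thread or from the FreeIPA project: it builds the standard set of service-discovery records for the masters named in the thread (ipa01 and ipa02 under bos1.domain.com) and diffs it against a constructed `dig +noall +answer` transcript to show which records an external DNS is still missing. The authoritative list for a real deployment is whatever `ipa dns-update-system-records --dry-run` prints on a master; the record names, priorities, weights and the realm BOS1.DOMAIN.COM below are assumptions, and the IP addresses are made up.

```python
"""Expected IPA service-discovery DNS records vs. what a resolver answers.

Added example (not the project's code). Record set is the standard one an
IPA master publishes; confirm with `ipa dns-update-system-records --dry-run`.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Record:
    name: str   # owner name, fully qualified with trailing dot
    rtype: str  # SRV, TXT or A
    value: str  # rdata as it appears in a zone file


# Services an IPA client locates via SRV lookups (SSSD with ipa_server = _srv_
# and the Kerberos client library), with the port each advertises.
SRV_SERVICES = (
    ("_ldap._tcp", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kerberos-master._tcp", 88),
    ("_kerberos-master._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
)


def expected_records(domain, realm, servers):
    """servers maps each master's FQDN to its IPv4 address. Every master is
    assumed to run a CA, so each also gets an ipa-ca A record."""
    recs = set()
    for prefix, port in SRV_SERVICES:
        for host in servers:
            # priority 0, weight 100 on every master: clients spread load and
            # fail over to the other master when one is unreachable.
            recs.add(Record(f"{prefix}.{domain}.", "SRV", f"0 100 {port} {host}."))
    # Kerberos realm hint used by clients to map the DNS domain to the realm.
    recs.add(Record(f"_kerberos.{domain}.", "TXT", f'"{realm}"'))
    for host, ip in servers.items():
        recs.add(Record(f"ipa-ca.{domain}.", "A", ip))
    return recs


def render_zone(records, ttl=86400):
    """Zone-file lines suitable for pasting into an external DNS."""
    return "\n".join(f"{r.name} {ttl} IN {r.rtype} {r.value}" for r in sorted(records))


_ANSWER = re.compile(r"^(\S+)\s+\d+\s+IN\s+(SRV|TXT|A)\s+(.+)$")


def parse_answers(text):
    """Parse `dig +noall +answer`-style lines into Records; other lines ignored."""
    found = set()
    for line in text.splitlines():
        m = _ANSWER.match(line.strip())
        if m:
            found.add(Record(m.group(1), m.group(2), m.group(3).strip()))
    return found


def missing_records(expected, observed):
    """Records the client needs that the resolver did not return."""
    return sorted(expected - observed)


# Constructed sample: an external DNS populated fully for ipa01 but only
# partially for ipa02 (the situation that breaks failover when ipa01 is down).
SAMPLE_DIG_OUTPUT = """
_ldap._tcp.bos1.domain.com. 86400 IN SRV 0 100 389 ipa01.bos1.domain.com.
_ldap._tcp.bos1.domain.com. 86400 IN SRV 0 100 389 ipa02.bos1.domain.com.
_kerberos._tcp.bos1.domain.com. 86400 IN SRV 0 100 88 ipa01.bos1.domain.com.
_kerberos._tcp.bos1.domain.com. 86400 IN SRV 0 100 88 ipa02.bos1.domain.com.
_kerberos._udp.bos1.domain.com. 86400 IN SRV 0 100 88 ipa01.bos1.domain.com.
_kerberos-master._tcp.bos1.domain.com. 86400 IN SRV 0 100 88 ipa01.bos1.domain.com.
_kerberos-master._udp.bos1.domain.com. 86400 IN SRV 0 100 88 ipa01.bos1.domain.com.
_kpasswd._tcp.bos1.domain.com. 86400 IN SRV 0 100 464 ipa01.bos1.domain.com.
_kpasswd._udp.bos1.domain.com. 86400 IN SRV 0 100 464 ipa01.bos1.domain.com.
_kerberos.bos1.domain.com. 86400 IN TXT "BOS1.DOMAIN.COM"
ipa-ca.bos1.domain.com. 86400 IN A 192.0.2.11
ipa-ca.bos1.domain.com. 86400 IN A 192.0.2.12
"""

# Masters from the thread; addresses are constructed (RFC 5737 test range).
SERVERS = {"ipa01.bos1.domain.com": "192.0.2.11", "ipa02.bos1.domain.com": "192.0.2.12"}
EXPECTED = expected_records("bos1.domain.com", "BOS1.DOMAIN.COM", SERVERS)

if __name__ == "__main__":
    print(render_zone(EXPECTED))
    for r in missing_records(EXPECTED, parse_answers(SAMPLE_DIG_OUTPUT)):
        print("MISSING:", r.name, r.rtype, r.value)
```

Running the script prints the full record set as zone-file lines and then the five ipa02 SRV records the sample resolver never returned; with only those present, SSSD's _srv_ discovery keeps pointing at ipa01 for Kerberos UDP, kpasswd and master lookups, which matches the "No route to host" symptom when ipa01 is down. To use it against a live external DNS, replace SAMPLE_DIG_OUTPUT with the concatenated output of `dig +noall +answer` for each expected owner name and type.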
