lejeczek via FreeIPA-users wrote:
>
> On 30/03/2022 09:19, Alexander Bokovoy via FreeIPA-users wrote:
>> On Wed, 30 Mar 2022, Boris Behrens via FreeIPA-users wrote:
>>> Hi,
>>> I am currently trying to clean up our IPA installation and saw that
>>> all our clients only got a single server configured, which doesn't
>>> sound good. (We've currently got two IPA servers.)
>>>
>>> Is there some sort of record that can be used?
>>
>> Look into the man page for the 'ipa' tool:
>>
>>     SERVERS
>>         The ipa client will determine which server to connect to in
>>         this order:
>>
>>         1. The server configured in /etc/ipa/default.conf in the
>>            xmlrpc_uri directive.
>>
>>         2. An unordered list of servers from the ldap DNS SRV records.
>>
>>         If a kerberos error is raised by any of the requests then it
>>         will stop processing and display the error message.
>>
> But is that really a problem, and if not, when could that be a problem?
> I see all my clients end up with only a single server in the config files -
> the one the client hooked to at installation time - is that not how it
> should be?
It is only a potential problem if you don't use DNS discovery and that server goes away.

In /etc/ipa/default.conf the server value is deprecated. The value of xmlrpc_uri is used to determine the API endpoint of an IPA server. This mostly affects the IPA tools and certmonger, all of which try DNS discovery first. There is no way to specify multiple servers in /etc/ipa/default.conf.

So the worst-case scenario is you don't use DNS discovery and a server goes away permanently, never to be re-created. Any client with that hardcoded server value won't be able to use certmonger or IPA tools like ipa-certupdate, ipa, etc.

Similarly SSSD is by default configured with:

    ipa_server = _srv_, ipa.example.test

So if there is no DNS discovery and that one server dies, you're done until you restore the server or change the value (SSSD caching can mitigate this to some extent; it will be treated as offline).

Going into your clients to evenly divide them between the two servers could save you some work if one went down forever, but relying on DNS discovery to find servers is recommended and preferred.

rob
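As an added example, not part of the thread or of FreeIPA itself: a small audit that parses the two client files discussed above (/etc/ipa/default.conf and sssd.conf) and reports whether a client would lose its only server if the one it was enrolled against disappeared. The config contents, hostnames and the [global] / [domain/...] section layout are constructed assumptions for the example.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample client configs (assumed layout; hostnames are made up).
DEFAULT_CONF = """\
[global]
realm = EXAMPLE.TEST
domain = example.test
server = ipa1.example.test
xmlrpc_uri = https://ipa1.example.test/ipa/xml
"""

SSSD_CONF_DISCOVERY = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
ipa_server = _srv_, ipa1.example.test
"""

# Same client with DNS discovery stripped out: only the enrolment server is pinned.
SSSD_CONF_PINNED = SSSD_CONF_DISCOVERY.replace("_srv_, ", "")


def ipa_api_server(default_conf: str):
    """Host the IPA tools use from default.conf: xmlrpc_uri wins over the
    deprecated 'server' key. Only one server can be listed in this file."""
    cfg = configparser.ConfigParser()
    cfg.read_string(default_conf)
    uri = cfg.get("global", "xmlrpc_uri", fallback=None)
    if uri:
        return urlparse(uri).hostname
    return cfg.get("global", "server", fallback=None)


def sssd_servers(sssd_conf: str, domain: str):
    """Return (uses_dns_discovery, explicit_hosts) from the ipa_server option."""
    cfg = configparser.ConfigParser()
    cfg.read_string(sssd_conf)
    raw = cfg.get(f"domain/{domain}", "ipa_server", fallback="_srv_")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    hosts = [e for e in entries if e.lower() != "_srv_"]
    return (len(hosts) != len(entries), hosts)


def client_report(default_conf: str, sssd_conf: str, domain: str) -> dict:
    """SSSD has no fallback when discovery is off and a single host is pinned."""
    discovery, hosts = sssd_servers(sssd_conf, domain)
    return {
        "api_host": ipa_api_server(default_conf),
        "sssd_dns_discovery": discovery,
        "sssd_hosts": hosts,
        "sssd_single_point_of_failure": not discovery and len(hosts) <= 1,
    }
```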
