On 06/04/2022 16:50, Rob Crittenden wrote:
lejeczek via FreeIPA-users wrote:
On 30/03/2022 09:19, Alexander Bokovoy via FreeIPA-users wrote:
On ke, 30 maalis 2022, Boris Behrens via FreeIPA-users wrote:
Hi,
I am currently trying to clean up our IPA installation and saw that
all our clients only have a single server configured, which doesn't
sound good (we've currently got two IPA servers).
Is there some sort of record that can be used?
Look into the man page for the 'ipa' tool:
SERVERS
The ipa client will determine which server to connect to in
this order:
1. The server configured in /etc/ipa/default.conf in the
xmlrpc_uri directive.
2. An unordered list of servers from the ldap DNS SRV records.
If a kerberos error is raised by any of the requests then it
will stop processing and display the error message.
But is that really a problem, and if not, when could that be a problem?
I see all my clients end up with only a single server in config files -
the one the client hooked to at installation time - is that not how it
should be?
It is only a potential problem if you don't use DNS discovery and that
server goes away.
In /etc/ipa/default.conf the server value is deprecated. The value of
xmlrpc_uri is used to determine the API endpoint of an IPA server.
This mostly affects the IPA tools and certmonger, all of which try DNS
discovery first.
There is no way to specify multiple servers in /etc/ipa/default.conf.
So the worst-case scenario is you don't use DNS discovery and a server
goes away permanently never to be re-created. Any client with that
hardcoded server value won't be able to use certmonger or IPA tools like
ipa-certupdate, ipa, etc.
Similarly, SSSD is by default configured with:
  ipa_server = _srv_, ipa.example.test
So if there is no DNS discovery and that one server dies, you're done
until you restore the server or change the value (SSSD caching can
mitigate this to some extent, it will be treated as offline).
Going into your clients to evenly divide them between the two servers
could save you some work if one went down forever but relying on DNS
discovery to find servers is recommended and preferred.
rob
How about a bit "twisted" way of having things run, when only
one server - for whatever imaginary reason - is available to
clients? Not at all times, but at a given time, say... today
it's masterA but tomorrow it will be masterB.
That would break some clients sometimes, correct?
And if so - would IPA be okay with a primitive remedy such
as 'xmlrpc_uri' pointing to a URI/record with a
non-existing/not actual host's hostname (still an IPA server),
which would be always accessible to all clients?
many thanks, L.
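Added example, not from this thread or from the FreeIPA project: a small POSIX sh audit of the two client files Rob describes above (/etc/ipa/default.conf with its xmlrpc_uri, and the ipa_server line in sssd.conf), classifying a client as relying on DNS discovery or pinned to one hardcoded server. It runs against constructed sample file contents; the hostnames, the example.test domain and the _kerberos._tcp record alongside the _ldap._tcp one from the man page are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): audit how an IPA client
# finds its servers. The config contents below are constructed for the demo;
# on a real client read /etc/ipa/default.conf and /etc/sssd/sssd.conf instead.

# Host named in the xmlrpc_uri directive of an IPA default.conf ($1).
ipa_xmlrpc_host() {
  sed -n 's|^[[:space:]]*xmlrpc_uri[[:space:]]*=[[:space:]]*https\{0,1\}://\([^/]*\)/.*|\1|p' "$1"
}

# Raw ipa_server value from an sssd.conf ($1), e.g. "_srv_, ipa1.example.test".
sssd_ipa_server() {
  sed -n 's|^[[:space:]]*ipa_server[[:space:]]*=[[:space:]]*||p' "$1"
}

# Exit 0 if SSSD will do DNS discovery (_srv_ present in the list), 1 otherwise.
sssd_uses_srv() {
  sssd_ipa_server "$1" | grep -q '_srv_'
}

# Classify a client: "srv" when SSSD can fall back to SRV records, otherwise
# "hardcoded:<host>" naming the single server the client depends on.
client_exposure() {
  if sssd_uses_srv "$1"; then
    echo srv
  else
    echo "hardcoded:$(sssd_ipa_server "$1" | cut -d, -f1 | tr -d ' ')"
  fi
}

# SRV names a client resolves for discovery in domain $1 (ldap per the ipa
# man page quoted in the thread; _kerberos._tcp is an assumed second record).
srv_record_names() {
  printf '_ldap._tcp.%s\n_kerberos._tcp.%s\n' "$1" "$1"
}

# --- demo on constructed sample files (hostnames/domain are made up) ---
tmp=$(mktemp -d)
cat > "$tmp/default.conf" <<'EOF'
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
server = ipa1.example.test
xmlrpc_uri = https://ipa1.example.test/ipa/xml
EOF
cat > "$tmp/sssd-srv.conf" <<'EOF'
[domain/example.test]
id_provider = ipa
ipa_server = _srv_, ipa1.example.test
EOF
cat > "$tmp/sssd-pinned.conf" <<'EOF'
[domain/example.test]
id_provider = ipa
ipa_server = ipa1.example.test
EOF

echo "xmlrpc host:            $(ipa_xmlrpc_host "$tmp/default.conf")"
echo "sssd (default install): $(client_exposure "$tmp/sssd-srv.conf")"
echo "sssd (pinned):          $(client_exposure "$tmp/sssd-pinned.conf")"
echo "to confirm discovery actually works, run on the client:"
srv_record_names example.test | sed 's/^/  dig +short SRV /'
```

The xmlrpc_uri host is reported on its own because, as Rob notes, that file cannot hold more than one server; the SSSD check is the one that tells you whether losing that host leaves the client stuck or merely falling back to SRV discovery.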
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure