On Mon, Feb 10, 2025 at 2:29 PM Florence Blanc-Renaud via FreeIPA-users <[email protected]> wrote:
>
> Hi,
>
> As a side-note, please keep the mailing list in the recipients list.
>
> On Mon, Feb 10, 2025 at 5:40 PM azeem <[email protected]> wrote:
>>
>> Hi Florence,
>>
>> Thanks for the response.
>>
>> Yes, I have added the new FreeIPA server's hostname in the /etc/hosts file, and when I add the new FreeIPA server's IP to /etc/resolv.conf, the client is able to discover the new FreeIPA server. However, do I need to manually add the new FreeIPA server IP in the /etc/resolv.conf file every time I set up a new client? I thought the command:
>>
>> ipa-client-install --hostname=$(hostname -f) --mkhomedir --server=newfreeipa.ipa.testing.com --domain=ipa.testing.com --realm=IPA.TESTING.COM
>>
>> would automatically discover the FreeIPA server without needing to manually add it to the /etc/resolv.conf file.
>
> Please read the "Autodiscovery" section of the man page for ipa-client-install. Autodiscovery means that the installer finds the right server based on its own domain and the DNS records for _ldap._tcp.$DOMAIN or _ldap._tcp.$PARENTDOMAIN etc...
> The client must be properly configured for DNS otherwise it won't find any SRV record for _ldap._tcp.$DOMAIN.
>
> As Rafael pointed out, if you use ansible to automate the client installation, it is possible to have ansible-freeipa automate the DNS setup for you. If you are using the command-line, the DNS configuration is a prerequisite.
>
> Hope this clarifies,
> flo
>>
>> Also, when I run this command on the client, before adding the new FreeIPA server IP to /etc/resolv.conf:
>>
>> dig _ldap._tcp.ipa.clear-markets.com SRV
>>
I'll focus on this line:

>> It lists the old FreeIPA servers instead of the new one. This is where I’m stuck – it seems like auto-discovery isn’t working unless I explicitly add the new FreeIPA server's IP in /etc/resolv.conf.

Yes, you need to explicitly set the correct server as nameserver, or autodiscovery will find the other servers (or none at all). Note that if you are using Network Manager or systemd-resolved, /etc/resolv.conf may be overwritten before you have a chance to do the installation, that's why you need to properly configure the nameserver (and why I suggested ansible-freeipa which takes care of these cases).

Rafael

>>
>> On Mon, Feb 10, 2025 at 5:36 AM Florence Blanc-Renaud <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> do your clients use the new IPA server as DNS server? This can be done prior to calling ipa-client-install.
>>> flo
>>>
>>> On Fri, Feb 7, 2025 at 5:01 PM azeem via FreeIPA-users <[email protected]> wrote:
>>>>
>>>> Hello All,
>>>>
>>>> I have two FreeIPA servers running in AWS—one primary and one replica—with the DNS entry ipa.testing.com. These servers are running an older version of FreeIPA on CentOS 7 with expired certificates. I inherited this setup from a previous admin.
>>>>
>>>> Since the certificates have expired, I attempted multiple renewal methods, including rolling back the system time, but nothing worked. As a solution, I set up a new FreeIPA primary server with the same DNS entry (ipa.testing.com) and added it to the AWS DHCP configuration alongside the old servers.
>>>>
>>>> Steps Taken:
>>>>
>>>> Added the new FreeIPA server to the /etc/hosts
>>>> 123.234.543 test.ipa.testing.com test
>>>>
>>>> Installed FreeIPA using the following command:
>>>> ipa-server-install --setup-dns --allow-zone-overlap
>>>>
>>>> The installation completed successfully. I can log into the UI, create users, and manage configurations without issues.
>>>>
>>>> The Problem:
>>>>
>>>> When installing a FreeIPA client, it does not auto-discover the new FreeIPA server unless I explicitly specify it in the command:
>>>>
>>>> ipa-client-install --hostname=$(hostname -f) --mkhomedir --server=newfreeipa.ipa.testing.com --domain=ipa.testing.com --realm=IPA.TESTING.COM
>>>>
>>>> Without the --server parameter, auto-discovery fails.
>>>>
>>>> Additionally, after successfully enrolling two clients (client-a and client-b), I am unable to resolve their hostnames between them. When I attempt to ping client-a from client-b, I receive:
>>>>
>>>> Name or service not known
>>>>
>>>> What am I missing?
>>>>
>>>> Why isn’t the client auto-discovering the new FreeIPA server?
>>>>
>>>> Why can’t the clients resolve each other’s hostnames after enrollment?
>>>>
>>>> Is there anything I need to adjust in DNS or DHCP to ensure proper resolution and discovery?
>>>>
>>>> Any help would be greatly appreciated! Thanks in advance.
>>>>
>>>> --
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- [email protected]
>>>> To unsubscribe send an email to [email protected]
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>

--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
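The diagnosis in this thread boils down to two checks a client should pass before ipa-client-install is run: the resolver in /etc/resolv.conf must be one that serves the new IPA server's zone, and the SRV lookup for _ldap._tcp.$DOMAIN (or a parent domain) must return the new server rather than the old ones. The script below is an added example, not code from the thread, from ansible-freeipa or from the FreeIPA project, that encodes those checks so they can be run offline against captured output and live against the client. The function names are hypothetical, the "prio weight port target." line format is what `dig +short ... SRV` prints, the sample SRV lines and resolv.conf contents in the test are constructed, and the domain and server names reuse ipa.testing.com and newfreeipa.ipa.testing.com from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): pre-enrollment
# DNS check for ipa-client-install autodiscovery.  Function names are
# hypothetical; domain and server names reuse the ones from the thread.
#
# Live use:  sh ipa-dns-precheck.sh --live ipa.testing.com newfreeipa.ipa.testing.com

# Candidate SRV names the installer looks at: _ldap._tcp.$DOMAIN first, then
# each parent domain while at least two labels remain.
srv_candidates() {
    d=$1
    while [ "${d#*.}" != "$d" ]; do
        printf '_ldap._tcp.%s\n' "$d"
        d=${d#*.}
    done
}

# Read `dig +short NAME SRV` output on stdin ("prio weight port target.")
# and print one target hostname per line, without the trailing dot.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# check_srv EXPECTED_SERVER   (dig output on stdin)
# exit 0: expected server is advertised; 1: only other servers are (the
# situation in the thread: old servers still in DNS); 2: no SRV records at all.
check_srv() {
    expected=$1
    targets=$(srv_targets)
    if [ -z "$targets" ]; then
        echo "no SRV records returned; autodiscovery will fail" >&2
        return 2
    fi
    if printf '%s\n' "$targets" | grep -Fqx "$expected"; then
        echo "OK: $expected is advertised via SRV"
        return 0
    fi
    echo "WARNING: SRV records point to other servers, not $expected:" >&2
    printf '%s\n' "$targets" >&2
    return 1
}

# Print the nameserver addresses from resolv.conf content on stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Exit 0 if the resolv.conf content on stdin looks managed by NetworkManager
# or systemd-resolved (127.0.0.53 stub): a hand edit there may be overwritten,
# which is the failure mode Rafael describes.
resolv_managed() {
    grep -Eq 'Generated by NetworkManager|systemd-resolved|^nameserver[[:space:]]+127\.0\.0\.53'
}

if [ "${1:-}" = "--live" ]; then
    domain=$2
    expected=$3
    if resolv_managed </etc/resolv.conf; then
        echo "note: /etc/resolv.conf is managed by NetworkManager/systemd-resolved; set the nameserver there, not by hand" >&2
    fi
    echo "nameservers in use: $(resolv_nameservers </etc/resolv.conf | tr '\n' ' ')"
    found=1
    for name in $(srv_candidates "$domain"); do
        echo "querying $name"
        if dig +short "$name" SRV | check_srv "$expected"; then
            found=0
            break
        fi
    done
    exit $found
fi
```

Run with `--live` on a client before enrolling it: an exit status of 1 with a WARNING listing the old servers is exactly the "it lists the old FreeIPA servers instead of the new one" case from the thread, and the note about a managed resolv.conf tells you the nameserver has to be set through NetworkManager or systemd-resolved (or ansible-freeipa) rather than by editing the file.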
