-----BEGIN PGP SIGNED MESSAGE-----
On 04/04/2011 03:52 PM, Sigbjorn Lie wrote:
> On 04/04/2011 09:36 PM, Stephen Gallagher wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> On 04/04/2011 03:06 PM, Dmitri Pal wrote:
>>> On 04/04/2011 03:01 PM, Sigbjorn Lie wrote:
>>>> I also noticed that in /etc/sssd/sssd.conf the ipa server is specified
>>>> ipa_server = _srv_, ipa01.ix.test.com
>>>> sssd doesn't resolve anything from IPA until I remove "_srv_,"
>>> Stephen, was there a recent bug on this matter in SSSD?
>> The purpose of _srv_ is to check DNS for IPA server addresses first. The
>> idea is that if you have more than one IPA server in service, then you
>> can use DNS to list all of them. Otherwise, the ipa-client-install can
>> only specify a static list of servers at the time of install. This would
>> mean that if the IPA servers changed IP addresses or new ones entered
>> production, it would be necessary to change all of the client
>> configuration files.
>> I'm puzzled why you would need to remove this, unless your DNS server is
>> returning something other than FreeIPA servers for a SRV request
>> directed at _ldap.tcp
> I have verfied that the _ldap._tcp is resolving correctly. DNS was set
> up using "ipa-server-install --setup-dns". I discovered this at the IPA
> server. This is a newly installed IPA server at RH 6.1 beta installed a
> few hours ago. No IP addresses changed.
> # host -t srv _ldap._tcp
> _ldap._tcp.ix.test.com has SRV record 0 100 389 ipa01.ix.test.com.
Is the domain part of the client machine also ix.test.com?
The way we determine which SRV record to use is as follows:
1) If dns_discovery_domain exists in the config file, it is always used.
2) If not, first try the domain part of the machine's hostname (aka
3) If that fails, try the name of the SSSD domain (in sssd.conf
IIRC ipa-client-install should set [domain/<IPA domain name>] so if
that's not the same as your DNS domain, we could be having problems.
Can we see your sssd.conf please? (feel free to sanitize as needed)
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
Freeipa-users mailing list