I think SRV records are only part of the problem.  We are using integrated 
BIND/DNS with our IPA servers and I'm not sure it supports views.  But thanks 
for the suggestion.
I guess we could create custom krb5.conf files in each DC and manage them with 
Puppet, but there are other config files (e.g. resolv.conf and ldap.conf) that 
would need to be managed too.  Maybe there are some other IPA client config 
files that set up static mappings during the join process.  Anyone know which 
ones to look at? 


  ----- Original Message ----- 
  From: Peter Brown 
  To: Michael ORourke 
  Cc: freeipa-users 
  Sent: Wednesday, March 13, 2013 12:58 AM
  Subject: Re: [Freeipa-users] Realm distrubuted across data centers

  I have no idea if this counts as best practice because I am not affiliated 
  with the FreeIPA development team.

  I personally think SRV records are probably the best idea in this situation.

  You would have to set up different zones to serve to each datacentre though if 
  you know how to do that.

  It's not that tricky with views in bind.

  On 13 March 2013 12:40, Michael ORourke <mrorou...@earthlink.net> wrote:

    We have a single realm distributed across 2 data centers and 2 offices with 
    4 replicated IPA servers (2 in each data center).  We are running IPA server 
    and client v2.2.0 on all servers and replication appears to be functioning 
    correctly.  What I have noticed is that some servers in DC1 have no 
    connectivity to the IPA servers in DC2, and when you try connecting to them 
    from Office1 you sometimes get a long authentication delay.  I suspect this is 
    caused by a timeout waiting for an IPA server in DC2 to respond (which it 
    can't).  So I guess my question is, is there a 'best practices' approach to 
    this scenario?

    Freeipa-users mailing list
