On 13.3.2013 14:28, Rob Crittenden wrote:
Views are not supported in IPA admin tools, but generally views can be
configured with some hacking around. The price for that is losing IPA admin
tools for DNS and generally, it is ugly and hard to maintain. I wouldn't
Michael ORourke wrote:
I think SRV records are only part of the problem. We are using
integrated BIND/DNS with our IPA servers and I'm not sure it supports
views. But thanks for the suggestion.
I guess we could create custom krb5.conf files in each DC and mange them
with Puppet, but there are other config files (e.g. resolv.conf and
ldap.conf) that would need to be managed too. Maybe there are some
other IPA client config files that setup static mappings during the join
process. Anyone know which ones to look at?
No, we don't support views yet.
Our latest & greatest proposal for location auto-discovery in summarized at
http://www.freeipa.org/page/V3/DNS_Location_Mechanism . Any comments are welcome!
In your case with only 2 locations and 2 IPA servers in each location, it is
relatively simple to prepare two sets of hand-crafted DNS records
site1._locations.ipa.example.com and site2._locations.ipa.example.com and
configure clients on each site to use these two "domains" (site1 and site2)
according to their real network location.
Disadvantages of hand-made records:
- It can't handle mobile clients (i.e. travelling between 'sites').
- 'Domain' configured in SSSD has to be reconfigured on each client.
Let me know if you want to go this way. (It should work with any IPA/DNS
You'd also need a custom sssd.conf as well.
We support this kind of configuration in 3.x. Using multiple --server and
--fixed-primary options of ipa-client-install you can add multiple, hardcoded
servers and still have failover. Basically you configure things to ignore the
SRV records, so you shouldn't have to mess with the resolver at all.
----- Original Message -----
*From:* Peter Brown <mailto:rendhal...@gmail.com>
*To:* Michael ORourke <mailto:mrorou...@earthlink.net>
*Cc:* freeipa-users <mailto:email@example.com>
*Sent:* Wednesday, March 13, 2013 12:58 AM
*Subject:* Re: [Freeipa-users] Realm distrubuted across data centers
I have no idea if this counts as best practice because I am not
affiliated with the FreeIPA development team
I personally think SRV records are probably the best idea in this
You would have to setup different zones to serve to each datacentre
though if you know how to do that.
It's not that tricky with views in bind.
On 13 March 2013 12:40, Michael ORourke <mrorou...@earthlink.net
We have a single realm distributed across 2 data centers and 2
offices with 4 replicated IPA servers (2 in each data center).
We are running IPA server and client v2.2.0 on all servers and
replication appears to be functioning correctly. What I have
noticed is that some servers in DC1, have no connectivity to the
IPA servers in DC2, and when you try connecting to them from
Office1 you sometimes get a long authentication delay. I
suspect this is caused by a timeout waiting for an IPA server in
DC2 to respond (which it can't). So I guess my question is, is
there a 'best practices' approach to this scenario?
Freeipa-users mailing list