On 13.3.2013 14:28, Rob Crittenden wrote:
Michael ORourke wrote:
I think SRV records are only part of the problem.  We are using
integrated BIND/DNS with our IPA servers and I'm not sure it supports
views.  But thanks for the suggestion.
I guess we could create custom krb5.conf files in each DC and mange them
with Puppet, but there are other config files (e.g. resolv.conf and
ldap.conf) that would need to be managed too.  Maybe there are some
other IPA client config files that setup static mappings during the join
process.  Anyone know which ones to look at?

No, we don't support views yet.
Views are not supported in IPA admin tools, but generally views can be configured with some hacking around. The price for that is losing IPA admin tools for DNS and generally, it is ugly and hard to maintain. I wouldn't recommend that.

Our latest & greatest proposal for location auto-discovery in summarized at http://www.freeipa.org/page/V3/DNS_Location_Mechanism . Any comments are welcome!

In your case with only 2 locations and 2 IPA servers in each location, it is relatively simple to prepare two sets of hand-crafted DNS records site1._locations.ipa.example.com and site2._locations.ipa.example.com and configure clients on each site to use these two "domains" (site1 and site2) according to their real network location.

Disadvantages of hand-made records:
- It can't handle mobile clients (i.e. travelling between 'sites').
- 'Domain' configured in SSSD has to be reconfigured on each client.

Let me know if you want to go this way. (It should work with any IPA/DNS 

Petr^2 Spacek

You'd also need a custom sssd.conf as well.

We support this kind of configuration in 3.x. Using multiple --server and
--fixed-primary options of ipa-client-install you can add multiple, hardcoded
servers and still have failover. Basically you configure things to ignore the
SRV records, so you shouldn't have to mess with the resolver at all.


    ----- Original Message -----
    *From:* Peter Brown <mailto:rendhal...@gmail.com>
    *To:* Michael ORourke <mailto:mrorou...@earthlink.net>
    *Cc:* freeipa-users <mailto:freeipa-users@redhat.com>
    *Sent:* Wednesday, March 13, 2013 12:58 AM
    *Subject:* Re: [Freeipa-users] Realm distrubuted across data centers

    I have no idea if this counts as best practice because I am not
    affiliated with the FreeIPA development team

    I personally think SRV records are probably the best idea in this
    You would have to setup different zones to serve to each datacentre
    though if you know how to do that.
    It's not that tricky with views in bind.

    On 13 March 2013 12:40, Michael ORourke <mrorou...@earthlink.net
    <mailto:mrorou...@earthlink.net>> wrote:

        We have a single realm distributed across 2 data centers and 2
        offices with 4 replicated IPA servers (2 in each data center).
          We are running IPA server and client v2.2.0 on all servers and
        replication appears to be functioning correctly.  What I have
        noticed is that some servers in DC1, have no connectivity to the
        IPA servers in DC2, and when you try connecting to them from
        Office1 you sometimes get a long authentication delay.  I
        suspect this is caused by a timeout waiting for an IPA server in
        DC2 to respond (which it can't).  So I guess my question is, is
        there a 'best practices' approach to this scenario?

Petr^2 Spacek

Freeipa-users mailing list

Reply via email to