Craig White wrote:
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Andrew Holway
> *Sent:* Wednesday, March 18, 2015 9:40 AM
> *To:* [email protected]
> *Subject:* [Freeipa-users] SSSD in redundant configuration
>
> Hello,
>
> I'm wondering how we should be handling SSSD for redundant configurations
> on our freeipa clients. We have three freeipa servers; how can we make
> SSSD check another freeipa in the event that one goes down?
>
> It appears we can do something like the following:
>
> ipa_hostname = test-freeipa-client-1.cloud.domain.de,
> test-freeipa-client-2.cloud.domain.de,
> test-freeipa-client-3.cloud.domain.de
>
> However I thought SRV records were meant to supply the magic here?
>
> Thanks,
>
> Andrew
>
> /etc/sssd/sssd.conf
>
> [domain/cloud.domain.de]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = cloud.domain.de
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = test-freeipa-client-2.cloud.domain.de
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, test-freeipa-2.cloud.domain.de
> ldap_tls_cacert = /etc/ipa/ca.crt
> # For the SUDO integration
> sudo_provider = ldap
> ldap_uri = ldap://test-freeipa-1.cloud.domain.de
> ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/test-freeipa-client-2.cloud.domain.de
> ldap_sasl_realm = CLOUD.DOMAIN.DE
> krb5_server = test-freeipa-2.cloud.domain.de
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
> domains = cloud.domain.de
>
> [nss]
> [pam]
> [sudo]
> [autofs]
> [ssh]
> [pac]
>
> I think the magic you are looking for is in /etc/sssd/sssd.conf where
> you have
>
> ipa_server = _srv_, test-freeipa-2.cloud.domain.de
>
> and all you need is
>
> ipa_server = _srv_

_srv_ tells SSSD to check DNS for SRV records. The trailing server gives it a hardcoded fallback in case DNS fails for some reason. Their current configuration is correct.

rob
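
An added example, not part of the thread and not SSSD's own code: a small Python check that reads the domain section quoted above and reports, for each server-list option, whether it combines _srv_ discovery with a static fallback, uses discovery only, or names static hosts only. The function names and the set of options inspected are assumptions of this example; the sample is the thread's configuration with the mail client's link residue removed.

```python
import configparser

# Constructed sample: the domain section from the thread, with the mail
# client's <http://...> link residue removed.
SAMPLE = """
[domain/cloud.domain.de]
id_provider = ipa
ipa_server = _srv_, test-freeipa-2.cloud.domain.de
sudo_provider = ldap
ldap_uri = ldap://test-freeipa-1.cloud.domain.de
krb5_server = test-freeipa-2.cloud.domain.de
"""

# Options inspected by this example (an assumption of the example): each takes
# a comma-separated server list in which the literal _srv_ asks for DNS SRV
# discovery, as described in the reply above for ipa_server.
SERVER_OPTIONS = ("ipa_server", "krb5_server", "ldap_uri")


def classify(value):
    """Return (kind, static_hosts) for one server-list value."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return "empty", []
    static = [e for e in entries if e != "_srv_"]
    if "_srv_" in entries:
        kind = "srv+fallback" if static else "srv-only"
    else:
        kind = "static-multi" if len(static) > 1 else "static-single"
    return kind, static


def audit(conf_text):
    """Map 'section/option' -> (kind, static_hosts) for every domain section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        for opt in SERVER_OPTIONS:
            if cp.has_option(section, opt):
                report[f"{section}/{opt}"] = classify(cp.get(section, opt))
    return report


if __name__ == "__main__":
    for key, (kind, hosts) in audit(SAMPLE).items():
        print(f"{key:40} {kind:14} {', '.join(hosts) or '-'}")
```

Run against the quoted configuration, ipa_server is reported as srv+fallback, matching the reply above, while ldap_uri and krb5_server each name one static host.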
