Cool stuff. Thanks. I had a look at our SRV records and found the following:

_kerberos-master._tcp
_kerberos-master._udp
_kerberos._tcp
_kerberos._udp
_kpasswd._tcp
_kpasswd._udp
_ldap._tcp
_ntp._udp

No mention of any ipa srv records. Does sssd use _ldap._tcp?

Thanks,

Andrew

On 18 March 2015 at 18:11, Rob Crittenden <[email protected]> wrote:

> Craig White wrote:
> > From: [email protected] [mailto:[email protected]] On Behalf Of Andrew Holway
> > Sent: Wednesday, March 18, 2015 9:40 AM
> > To: [email protected]
> > Subject: [Freeipa-users] SSSD in redundant configuration
> >
> > Hello,
> >
> > I'm wondering how we should be handling SSSD for redundant configurations
> > on our freeipa clients. We have three freeipa servers; how can we make
> > SSSD check another freeipa in the event that one goes down?
> >
> > It appears we can do something like the following:
> >
> > ipa_hostname = test-freeipa-client-1.cloud.domain.de, test-freeipa-client-2.cloud.domain.de, test-freeipa-client-3.cloud.domain.de
> >
> > However I thought SRV records were meant to supply the magic here?
> >
> > Thanks,
> >
> > Andrew
> >
> > /etc/sssd/sssd.conf
> >
> > [domain/cloud.domain.de]
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = cloud.domain.de
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = test-freeipa-client-2.cloud.domain.de
> > chpass_provider = ipa
> > ipa_dyndns_update = True
> > ipa_server = _srv_, test-freeipa-2.cloud.domain.de
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > # For the SUDO integration
> > sudo_provider = ldap
> > ldap_uri = ldap://test-freeipa-1.cloud.domain.de
> > ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_authid = host/test-freeipa-client-2.cloud.domain.de
> > ldap_sasl_realm = CLOUD.DOMAIN.DE
> > krb5_server = test-freeipa-2.cloud.domain.de
> >
> > [sssd]
> > services = nss, pam, ssh, sudo
> > config_file_version = 2
> > domains = cloud.domain.de
> >
> > [nss]
> >
> > [pam]
> >
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> >
> > [pac]
> >
> > I think the magic you are looking for is in /etc/sssd/sssd.conf where
> > you have…
> >
> > ipa_server = _srv_, test-freeipa-2.cloud.domain.de
> >
> > and all you need is…
> >
> > ipa_server = _srv_
>
> _srv_ tells SSSD to check DNS for SRV records. The trailing server gives
> it a hardcoded fallback in case DNS fails for some reason. Their current
> configuration is correct.
>
> rob

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
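
Added example, not part of the thread and not code from the FreeIPA or SSSD projects: a small Python check that reads an sssd.conf and labels each server option as SRV discovery, SRV discovery with a fixed fallback, a list of fixed hosts, or a single fixed host. The sample input reuses settings from the configuration quoted above; the function names and labels are made up for this illustration.

```python
import configparser

# Options in the thread's sssd.conf that name the servers SSSD talks to.
SERVER_OPTIONS = ("ipa_server", "krb5_server", "ldap_uri")

# Sample input: the relevant lines of the sssd.conf quoted in the thread.
SAMPLE_CONF = """\
[domain/cloud.domain.de]
id_provider = ipa
ipa_server = _srv_, test-freeipa-2.cloud.domain.de
sudo_provider = ldap
ldap_uri = ldap://test-freeipa-1.cloud.domain.de
krb5_server = test-freeipa-2.cloud.domain.de

[sssd]
services = nss, pam, ssh, sudo
domains = cloud.domain.de
"""

def classify(value):
    """Label one server list by how many ways it offers to reach a server."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    fixed = [e for e in entries if e != "_srv_"]
    if "_srv_" in entries:
        return "srv+fallback" if fixed else "srv-only"
    return "fixed-list" if len(fixed) > 1 else "single-fixed"

def audit(conf_text):
    """Return {(section, option): label} for every domain section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] ... carry no server lists
        for option in SERVER_OPTIONS:
            if parser.has_option(section, option):
                report[(section, option)] = classify(parser.get(section, option))
    return report

def single_points(conf_text):
    """Options pinned to exactly one host with no DNS discovery."""
    return sorted(opt for (_, opt), label in audit(conf_text).items()
                  if label == "single-fixed")

if __name__ == "__main__":
    for (section, option), label in audit(SAMPLE_CONF).items():
        print(f"{section}: {option} -> {label}")
    print("pinned to one server:", ", ".join(single_points(SAMPLE_CONF)))
```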
