On 08/04/2016 11:48 AM, Keller, Mario wrote:
> Hello,
> I've set up two ipa-servers on RHEL 7 that are up and running. Replication is 
> also working.
> #ipa-replica-manage list
> Directory Manager password: 
> s-fcbg-ipa2.ipa.cornelsen.de: master
> s-onli-ipa1.ipa.cornelsen.de: master
> Both servers running ipa-server-4.2 :
> rpm -qa | grep ipa-server
> ipa-server-dns-4.2.0-15.el7_2.17.x86_64
> ipa-server-4.2.0-15.el7_2.17.x86_64
> I have also a client installed running also version 4.2
> ipa-client-4.2.0-15.el7_2.17.x86_64
> The client and the first server are in the same subnet, while server 2 is in 
> a different subnet. 
> All ports that are required are open for server 1 to server 2 and also for 
> the client to server two.
> I have a subdomain ipa.cornelsen.de that is managed by both ipa-servers. The 
> subdomain is forwarded by our general dns-server to both ipa-servers.
> If I switch server 1 off I would expect that the client is using the second 
> server to check access and sudo rights, but that's not the case. If I create 
> a new user on the ipa-server and then switch off the first server, the user 
> cannot login to the client. If I switch on server 1 again, the user can 
> login. 
> The official documentation says: 
> " There can be multiple servers and replicas within the IdM server topology. 
> When a client needs to connect to a server for updates or to retrieve user 
> information, it (by default) uses a service scan to discover available 
> servers and replicas in the domain. This means that the actual server to 
> which the client connects is random, depending on the results of the 
> discovery scan."
> But there's no information how this scan is done. 
> I have to provide the server and the domain during the client installation. 
> But according to the documentation, the server can be any server or replica 
> in my topology. This server is saved also in the
> /etc/ipa/default.conf
> How is the service scan working and is there a way to manually check what the 
> service-check is returning?
> With best regards,
> Mario Keller
> IT-Operations Engineer


With what options were the clients installed?

Autodiscovery works only if the client is installed also with
autodiscover. That means that if ipa-client-install is run with the --server
option then autodiscovery is not used. This is documented in the
ipa-client-install man page.

Petr Vobornik
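
As an added illustration that is not part of the thread: a small shell check for whether a client's SSSD configuration uses DNS discovery or a fixed server list, run here over two constructed sssd.conf samples. It assumes the `ipa_server` option lists the SSSD keyword `_srv_` (see sssd-ipa(5)) when discovery is in use, and that the servers are published as `_ldap._tcp` and `_kerberos._udp` SRV records; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Sample configs below are constructed.

# Read an sssd.conf on stdin and classify its ipa_server option:
#   discovery = the _srv_ keyword is listed (DNS SRV lookup is used)
#   fixed     = only host names are listed (no failover via discovery)
#   unset     = the option is not present
failover_mode() {
    awk '
    /^[ \t]*ipa_server[ \t]*=/ {
        sub(/^[^=]*=/, "")                 # keep only the value
        n = split($0, entries, ",")
        mode = "fixed"
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", entries[i])
            if (entries[i] == "_srv_") mode = "discovery"
        }
        found = 1
        exit                               # END still runs after exit
    }
    END { print (found ? mode : "unset") }'
}

# Show what the SRV lookup returns for a domain (needs dig and network).
show_srv() {
    dig +short SRV "_ldap._tcp.$1"
    dig +short SRV "_kerberos._udp.$1"
}

# Constructed sample: client pinned to one server.
sample_fixed() {
    printf '%s\n' '[domain/ipa.cornelsen.de]' 'id_provider = ipa' \
        'ipa_server = s-onli-ipa1.ipa.cornelsen.de'
}

# Constructed sample: discovery first, named server as fallback.
sample_discovery() {
    printf '%s\n' '[domain/ipa.cornelsen.de]' 'id_provider = ipa' \
        'ipa_server = _srv_, s-onli-ipa1.ipa.cornelsen.de'
}

for sample in sample_fixed sample_discovery; do
    printf '%s: %s\n' "$sample" "$($sample | failover_mode)"
done
```

On a real client, `failover_mode < /etc/sssd/sssd.conf` (as root) and `show_srv ipa.cornelsen.de` give the corresponding answers for the live configuration and DNS zone.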
