On Thu, Aug 04, 2016 at 12:28:33PM +0200, Petr Vobornik wrote:
> On 08/04/2016 11:48 AM, Keller, Mario wrote:
> > Hello,
> >
> > I've set up two ipa-servers on RHEL 7 that are up and running. Replication is
> > also working.
> >
> > #ipa-replica-manage list
> > Directory Manager password:
> >
> > s-fcbg-ipa2.ipa.cornelsen.de: master
> > s-onli-ipa1.ipa.cornelsen.de: master
> >
> > Both servers running ipa-server-4.2 :
> >
> > rpm -qa | grep ipa-server
> > ipa-server-dns-4.2.0-15.el7_2.17.x86_64
> > ipa-server-4.2.0-15.el7_2.17.x86_64
> >
> > I also have a client installed, also running version 4.2
> >
> > ipa-client-4.2.0-15.el7_2.17.x86_64
> >
> > The client and the first server are in the same subnet, while server 2 is
> > in a different subnet.
> > All ports that are required are open for server 1 to server 2 and also for
> > the client to server two.
> >
> > I have a subdomain ipa.cornelsen.de that is managed by both ipa-servers.
> > The subdomain is forwarded by our general dns-server to both ipa-servers.
> >
> > If I switch server 1 off I would expect that the client is using the second
> > server to check access and sudo rights, but that's not the case. If I
> > create a new user on the ipa-server and then switch off the first server,
> > the user cannot login to the client. If I switch on server 1 again, the
> > user can login.
> >
> > The official documentation says:
> >
> > "There can be multiple servers and replicas within the IdM server
> > topology. When a client needs to connect to a server for updates or to
> > retrieve user information, it (by default) uses a service scan to discover
> > available servers and replicas in the domain. This means that the actual
> > server to which the client connects is random, depending on the results of
> > the discovery scan."
> >
> > But there's no information how this scan is done.
> >
> > I have to provide the server and the domain during the client installation.
> > But according to the documentation, the server can be any server or replica
> > in my topology. This server is saved also in the
> > /etc/ipa/default.conf
> >
> > How is the service scan working and is there a way to manually check what
> > the service-check is returning?
> >
> > With best regards,
> >
> > Mario Keller
> > IT-Operations Engineer
> >
>
> Hello,
>
> With what options were the clients installed?
>
> Autodiscovery works only if the client is installed also with
> autodiscover. That means that if ipa-client-install is run with --server
> option then autodiscovery is not used. This is documented in
> ipa-client-install man page.

Yes, we need to know how the clients were installed and what the sssd.conf on the clients looks like.
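
The check the replies ask for can be done by reading the client's sssd.conf. The following is an added example, not part of the original thread: it classifies each IPA domain by whether `ipa_server` contains SSSD's `_srv_` keyword (DNS SRV discovery) or only fixed hosts. The sample configurations and the `ipa.example.test` names are constructed, and treating a missing `ipa_server` as discovery is an assumption of this example.

```python
import configparser

# Constructed samples (hypothetical host and domain names, not from the thread).
SSSD_FIXED = """\
[domain/ipa.example.test]
id_provider = ipa
ipa_domain = ipa.example.test
ipa_server = ipa1.ipa.example.test
"""

SSSD_DISCOVERY = """\
[domain/ipa.example.test]
id_provider = ipa
ipa_domain = ipa.example.test
ipa_server = _srv_, ipa1.ipa.example.test
"""


def discovery_report(sssd_conf_text):
    """Classify each IPA domain in sssd.conf text by how SSSD locates servers."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(sssd_conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        if opts.get("id_provider", "").strip() != "ipa":
            continue
        # ipa_server is a comma-separated preference list; "_srv_" means
        # "look the servers up via DNS SRV records". Assumption of this
        # example: an absent or empty ipa_server is treated as discovery.
        raw = opts.get("ipa_server", "_srv_")
        entries = [e.strip() for e in raw.split(",") if e.strip()] or ["_srv_"]
        fixed = [e for e in entries if e != "_srv_"]
        if "_srv_" in entries:
            mode = "srv-discovery"
        elif len(fixed) > 1:
            mode = "fixed-list"
        else:
            mode = "single-fixed-server"  # no other primary server listed
        report[section[len("domain/"):]] = {"mode": mode, "fixed": fixed}
    return report


if __name__ == "__main__":
    for name, text in (("fixed", SSSD_FIXED), ("discovery", SSSD_DISCOVERY)):
        print(name, discovery_report(text))
```

A domain reported as `single-fixed-server` matches the symptom described in the thread: the client has only one server to ask, so logins fail while that server is down.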