On Thu, Aug 04, 2016 at 12:28:33PM +0200, Petr Vobornik wrote:
> On 08/04/2016 11:48 AM, Keller, Mario wrote:
> > Hello,
> > 
> > I've set up two ipa-servers on RHEL 7 that are up and running. Replication is 
> > also working.
> > 
> > #ipa-replica-manage list
> > Directory Manager password: 
> > 
> > s-fcbg-ipa2.ipa.cornelsen.de: master
> > s-onli-ipa1.ipa.cornelsen.de: master
> > 
> > Both servers running ipa-server-4.2 :
> > 
> > rpm -qa | grep ipa-server
> > ipa-server-dns-4.2.0-15.el7_2.17.x86_64
> > ipa-server-4.2.0-15.el7_2.17.x86_64
> > 
> > I have also a client installed running also version 4.2
> > 
> > ipa-client-4.2.0-15.el7_2.17.x86_64
> > 
> > The client and the first server are in the same subnet, while server 2 is 
> > in a different subnet. 
> > All ports that are required are open for server 1 to server 2 and also for 
> > the client to server two.
> > 
> > I have a subdomain ipa.cornelsen.de that is managed by both ipa-servers. 
> > The subdomain is forwarded by our general dns-server to both ipa-servers.
> > 
> > If I switch server 1 off I would expect that the client is using the second 
> > server to check access and sudo rights, but that's not the case. If I 
> > create a new user on the ipa-server and then switch off the first server, 
> > the user cannot login to the client. If I switch on server 1 again, the 
> > user can login. 
> > 
> > The official documentation says: 
> > 
> > " There can be multiple servers and replicas within the IdM server 
> > topology. When a client needs to connect to a server for updates or to 
> > retrieve user information, it (by default) uses a service scan to discover 
> > available servers and replicas in the domain. This means that the actual 
> > server to which the client connects is random, depending on the results of 
> > the discovery scan."
> > 
> > But there's no information how this scan is done. 
> > 
> > I have to provide the server and the domain during the client installation. 
> > But regarding to the documentation, the server can be any server or replica 
> > in my topology. This server is saved also in the
> > /etc/ipa/default.conf
> > 
> > How is the service scan working and is there a way to manually check what 
> > the service-check is returning?
> > 
> > With best regards,
> > 
> > Mario Keller
> > IT-Operations Engineer
> >  
> 
> Hello,
> 
> With what options were the clients installed?
> 
> Autodiscovery works only if the client is installed also with
> autodiscover. That means that if ipa-client-install is run with --server
> option then autodiscovery is not used. This is documented in
> ipa-client-install man page.

Yes, we need to know how the clients were installed and what the
sssd.conf on the clients looks like.
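
One way to check both points raised above by hand, as an added example that is not part of the original thread: the script classifies the `ipa_server` line of an sssd.conf (a fixed list versus the `_srv_` discovery keyword described in the sssd-ipa man page) and prints the DNS SRV lookups to run manually. The function names and the `example.test` sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: how is SSSD on an IPA client choosing its server?
# classify_ipa_server reads an sssd.conf on stdin and prints one of:
#   srv-only      ipa_server unset or only "_srv_" (DNS SRV discovery)
#   srv+fallback  "_srv_" combined with fixed host names
#   fixed-multi   several fixed servers, tried in the listed order
#   fixed-single  one fixed server, so no failover target at all
classify_ipa_server() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ { in_dom = (index($0, "[domain/") > 0); next }
        in_dom {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "ipa_server") { val = $2; gsub(/[ \t]/, "", val) }
        }
        END {
            n = split(val, parts, ",")
            srv = 0; fixed = 0
            for (i = 1; i <= n; i++) {
                if (parts[i] == "_srv_") srv = 1
                else if (parts[i] != "") fixed++
            }
            if (fixed == 0)     print "srv-only"
            else if (srv)       print "srv+fallback"
            else if (fixed > 1) print "fixed-multi"
            else                print "fixed-single"
        }'
}

# Print the SRV lookups to run by hand for a domain. Nothing is queried
# here; the record names are the LDAP and Kerberos SRV names of an IPA zone.
srv_lookups() {
    for rec in _ldap._tcp _kerberos._udp _kerberos._tcp; do
        printf 'dig +short SRV %s.%s\n' "$rec" "$1"
    done
}

# Constructed sample: a client pinned to a single server.
sample='[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_server = ipa1.example.test
'
printf '%s' "$sample" | classify_ipa_server   # prints fixed-single
srv_lookups example.test
```

On a real client, feed it the live file with `classify_ipa_server < /etc/sssd/sssd.conf` as root and run the printed `dig` commands against the IPA domain; each replica should appear in the SRV answers.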
