On Tue, Nov 01, 2016 at 06:44:46PM -0400, Jake wrote:
> Hey All, 
> Quick question on IPA Service discovery and selection (ldap/kerberos in ad
> trust). 
> 
> Do IPA clients ping results of SRV records to determine which server they 
> send requests (for ldap/kerberos specifically)? 
> 
> I have 8 AD Domain controllers, 2 in each location, and 4 ipa servers (2 in 
> each of 2 locations), it seems the ipa servers rarely choose the local ad 
> controllers, is there a way to adjust this? Must I set up something like
> geo-dns with different service weights per subnet? 

Please note that the identity lookups of AD users are mostly done by SSSD
on the IPA masters and the IPA clients read the AD user data from the
IPA masters. So I would make sure that the IPA masters are assigned to a
local site, then SSSD should prefer DCs from that site. The DNS queries
and the discovery should be visible in the SSSD domain logs on the IPA
masters.

Authentication is done by calling libkrb5 on the clients which is not
site-aware.
