On Tue, Nov 01, 2016 at 06:44:46PM -0400, Jake wrote:
> Hey All, 
> Quick question on IPA Service discover and selection (ldap/kerberos in ad 
> trust). 
> Do IPA clients ping results of SRV records to determine which server they 
> send requests (for ldap/kerberos specifically)? 
> I have 8 AD Domain controllers, 2 in each location, and 4 ipa servers (2 in 
> each of 2 locations), it seems the ipa servers rarely choose the local ad 
> controllers, is there a way to adjust this? Must I setup something like 
> geo-dns with different service weights per subnet? 

Please note that the identity lookups of AD users are mostly done by SSSD
on the IPA masters and the IPA clients read the AD user data from the
IPA masters. So I would make sure that the IPA masters are assigned to a
local site, then SSSD should prefer DCs from that site. The DNS queries
and the discovery should be visible in the SSSD domain logs on the IPA

Authentication is done by calling libkrb5 on the clients which is not

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to