Re: [Freeipa-users] Client is using only one of two servers

2016-08-04 Thread Jakub Hrozek
On Thu, Aug 04, 2016 at 12:28:33PM +0200, Petr Vobornik wrote:
> On 08/04/2016 11:48 AM, Keller, Mario wrote:
> > Hello,
> > 
> > I've set up two ipa-servers on RHEL 7 that are up and running. Replication is 
> > also working.
> > 
> > #ipa-replica-manage list
> > Directory Manager password: 
> > 
> > s-fcbg-ipa2.ipa.cornelsen.de: master
> > s-onli-ipa1.ipa.cornelsen.de: master
> > 
> > Both servers running ipa-server-4.2 :
> > 
> > rpm -qa | grep ipa-server
> > ipa-server-dns-4.2.0-15.el7_2.17.x86_64
> > ipa-server-4.2.0-15.el7_2.17.x86_64
> > 
> > I have also a client installed running also version 4.2
> > 
> > ipa-client-4.2.0-15.el7_2.17.x86_64
> > 
> > The client and the first server are in the same subnet, while server 2 is 
> > in a different subnet. 
> > All ports that are required are open for server 1 to server 2 and also for 
> > the client to server two.
> > 
> > I have a subdomain ipa.cornelsen.de that is managed by both ipa-servers. 
> > The subdomain is forwarded by our general dns-server to both ipa-servers.
> > 
> > If I switch server 1 off I would expect that the client is using the second 
> > server to check access and sudo rights, but that's not the case. If I 
> > create a new user on the ipa-server and then switch off the first server, 
> > the user cannot login to the client. If I switch on server 1 again, the 
> > user can login. 
> > 
> > The official documentation says: 
> > 
> > " There can be multiple servers and replicas within the IdM server 
> > topology. When a client needs to connect to a server for updates or to 
> > retrieve user information, it (by default) uses a service scan to discover 
> > available servers and replicas in the domain. This means that the actual 
> > server to which the client connects is random, depending on the results of 
> > the discovery scan."
> > 
> > But there's no information how this scan is done. 
> > 
> > I have to provide the server and the domain during the client installation. 
> > But according to the documentation, the server can be any server or replica 
> > in my topology. This server is also saved in
> > /etc/ipa/default.conf
> > 
> > How does the service scan work, and is there a way to manually check what 
> > the service-check is returning?
> > 
> > With best regards,
> > 
> > Mario Keller
> > IT-Operations Engineer
> >  
> 
> Hello,
> 
> With what options were the clients installed?
> 
> Autodiscovery works only if the client is also installed with
> autodiscovery. That means that if ipa-client-install is run with the --server
> option then autodiscovery is not used. This is documented in the
> ipa-client-install man page.

Yes, we need to know how the clients were installed and what the
sssd.conf on the clients looks like.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Client is using only one of two servers

2016-08-04 Thread Petr Vobornik
On 08/04/2016 11:48 AM, Keller, Mario wrote:
> Hello,
> 
> I've set up two ipa-servers on RHEL 7 that are up and running. Replication is 
> also working.
> 
> #ipa-replica-manage list
> Directory Manager password: 
> 
> s-fcbg-ipa2.ipa.cornelsen.de: master
> s-onli-ipa1.ipa.cornelsen.de: master
> 
> Both servers running ipa-server-4.2 :
> 
> rpm -qa | grep ipa-server
> ipa-server-dns-4.2.0-15.el7_2.17.x86_64
> ipa-server-4.2.0-15.el7_2.17.x86_64
> 
> I have also a client installed running also version 4.2
> 
> ipa-client-4.2.0-15.el7_2.17.x86_64
> 
> The client and the first server are in the same subnet, while server 2 is in 
> a different subnet. 
> All ports that are required are open for server 1 to server 2 and also for 
> the client to server two.
> 
> I have a subdomain ipa.cornelsen.de that is managed by both ipa-servers. The 
> subdomain is forwarded by our general dns-server to both ipa-servers.
> 
> If I switch server 1 off I would expect that the client is using the second 
> server to check access and sudo rights, but that's not the case. If I create 
> a new user on the ipa-server and then switch off the first server, the user 
> cannot login to the client. If I switch on server 1 again, the user can 
> login. 
> 
> The official documentation says: 
> 
> " There can be multiple servers and replicas within the IdM server topology. 
> When a client needs to connect to a server for updates or to retrieve user 
> information, it (by default) uses a service scan to discover available 
> servers and replicas in the domain. This means that the actual server to 
> which the client connects is random, depending on the results of the 
> discovery scan."
> 
> But there's no information how this scan is done. 
> 
> I have to provide the server and the domain during the client installation. 
> But according to the documentation, the server can be any server or replica 
> in my topology. This server is also saved in
> /etc/ipa/default.conf
> 
> How does the service scan work, and is there a way to manually check what the 
> service-check is returning?
> 
> With best regards,
> 
> Mario Keller
> IT-Operations Engineer
>  

Hello,

With what options were the clients installed?

Autodiscovery works only if the client is also installed with
autodiscovery. That means that if ipa-client-install is run with the --server
option then autodiscovery is not used. This is documented in the
ipa-client-install man page.

HTH
-- 
Petr Vobornik



[Freeipa-users] Client is using only one of two servers

2016-08-04 Thread Keller, Mario
Hello,

I've set up two ipa-servers on RHEL 7 that are up and running. Replication is 
also working.

#ipa-replica-manage list
Directory Manager password: 

s-fcbg-ipa2.ipa.cornelsen.de: master
s-onli-ipa1.ipa.cornelsen.de: master

Both servers running ipa-server-4.2 :

rpm -qa | grep ipa-server
ipa-server-dns-4.2.0-15.el7_2.17.x86_64
ipa-server-4.2.0-15.el7_2.17.x86_64

I have also a client installed running also version 4.2

ipa-client-4.2.0-15.el7_2.17.x86_64

The client and the first server are in the same subnet, while server 2 is in a 
different subnet. 
All ports that are required are open for server 1 to server 2 and also for the 
client to server two.

I have a subdomain ipa.cornelsen.de that is managed by both ipa-servers. The 
subdomain is forwarded by our general dns-server to both ipa-servers.

If I switch server 1 off I would expect that the client is using the second 
server to check access and sudo rights, but that's not the case. If I create a 
new user on the ipa-server and then switch off the first server, the user 
cannot login to the client. If I switch on server 1 again, the user can login. 

The official documentation says: 

" There can be multiple servers and replicas within the IdM server topology. 
When a client needs to connect to a server for updates or to retrieve user 
information, it (by default) uses a service scan to discover available servers 
and replicas in the domain. This means that the actual server to which the 
client connects is random, depending on the results of the discovery scan."

But there's no information how this scan is done. 

I have to provide the server and the domain during the client installation. But 
according to the documentation, the server can be any server or replica in my 
topology. This server is also saved in
/etc/ipa/default.conf

How does the service scan work, and is there a way to manually check what the 
service-check is returning?

With best regards,

Mario Keller
IT-Operations Engineer
 
--
Cornelsen Verlag GmbH, Mecklenburgische Straße 53, 14197 Berlin
Tel: +49 30 897 85-8364, Fax: +49 30 897 85-97-8364
E-Mail: mario.kel...@cornelsen.de | cornelsen.de

AG Charlottenburg, HRB 114796 B
Geschäftsführung: Dr. Anja Hagen, Joachim Herbst, Mark van Mierle (Vorsitz), 
Patrick Neiss, Michael von Smolinski, Frank Thalhofer

