[Freeipa-users] 6.1 beta

Stephen Gallagher sgallagh at redhat.com
Tue Apr 5 12:20:11 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/05/2011 08:16 AM, Sigbjorn Lie wrote:
>>
>> On 04/04/2011 05:17 PM, Sigbjorn Lie wrote:
>>
>>> The first dig is taken on the ipa server, using its own IPA configured
>>> test DNS. However I have a F14 client successfully connected using my prod DNS (my DHCP default).
>>> Prod DNS is serving the same _ldap._tcp
>>> records for the same IPA server. My prod dns is serving TTL 1 second for the same records.
>>>
>>> I presume what happened was that I started the SSSD on the IPA server
>>> while it was still being served by the PROD dns. Then I changed the nameserver entries after.
>>>
>>> What gets to me is that I've used the prod DNS setup for testing with
>>> F14 for months now, without any issue. This first became an issue when I
>>> reinstalled the IPA server with RHEL 6.1 beta.
>>>
>>> Was that really it? Too low TTL on the DNS entries?
>>>
>>>
>>
>>
>> If I remember correctly, the change that added _srv_ by default to
>> sssd.conf went in during one of the later release candidates for FreeIPA. So it's likely that for
>> most of your time testing it, you only had the explicit server address in the config file.
>>
>> I do encourage you to keep the _srv_ entry, as it really does make life
>> a lot easier later on (if you want to add a replica or move the FreeIPA server) since you only have
>> to update DNS instead of every client.
>>
> 
> I see your point. I'll increase the TTL of my production zone and see what happens then. What do
> you think of having only the _srv_ entry, no named hosts at all in sssd.conf ?


The reason the install script sets one named host is just to be extra
cautious. If DNS is not resolving for some reason (BIND crashed, or
someone accidentally blocked port 53, etc.) then SSSD will still attempt
to reach the named host before giving up and going offline.

It's not strictly necessary, but neither should it ever be harmful.
Obviously if DNS is resolving correctly at all times the named host will
never be used.


- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2bCPsACgkQeiVVYja6o6O0ogCghoLoQ7d8NajVD3p7bgfgfIxH
RDAAoJx6JXaijE7etQF2faP4g3xm6fC6
=bej9
-----END PGP SIGNATURE-----
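The two things discussed above (a too-low TTL on the _ldap._tcp SRV records, and keeping a named host next to _srv_ in sssd.conf so SSSD has a fallback when DNS is unavailable) can both be checked mechanically. The script below is an added example, not code from the thread or from the FreeIPA/SSSD projects. The zone `example.com`, the hostnames `ipa1`/`ipa2`, the threshold of 300 seconds, and the embedded dig output and sssd.conf fragment are all constructed assumptions; on a real client you would feed it `dig +noall +answer SRV _ldap._tcp.<domain>` and `/etc/sssd/sssd.conf` instead of the samples.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks the SRV TTLs and
# the ipa_server fallback in sssd.conf. Zone, hostnames and samples are
# assumptions for illustration.

ZONE="example.com"                 # assumed IPA domain
MIN_TTL=300                        # assumed "reasonable" TTL floor, seconds

# Constructed sample of `dig +noall +answer SRV _ldap._tcp.$ZONE` output.
# Columns: name, TTL, class, type, priority, weight, port, target.
# The first record deliberately carries the 1 second TTL from the thread.
SAMPLE_DIG='_ldap._tcp.example.com. 1 IN SRV 0 100 389 ipa1.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa2.example.com.'

# Constructed sssd.conf fragment in the shape ipa-client-install writes:
# _srv_ first (DNS discovery), then one literal host as the fallback.
SAMPLE_SSSD_CONF='[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipa1.example.com
dns_discovery_domain = example.com'

# srv_min_ttl: read dig answer lines on stdin, print the smallest TTL
# among SRV records (prints 0 if there are none, so "no records" fails
# any threshold check).
srv_min_ttl() {
    awk '$4 == "SRV" { if (min == "" || $2 < min) min = $2 } END { print min + 0 }'
}

# check_srv_ttl THRESHOLD: exit 0 if every SRV answer on stdin has a TTL
# of at least THRESHOLD seconds, 1 otherwise.
check_srv_ttl() {
    min=$(srv_min_ttl)
    [ "$min" -ge "$1" ]
}

# ipa_server_value: print the value of the ipa_server key from an
# sssd.conf read on stdin, with surrounding whitespace stripped.
ipa_server_value() {
    awk -F'=' '/^[ \t]*ipa_server[ \t]*=/ {
        sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2 }'
}

# check_sssd_fallback: exit 0 only if ipa_server lists _srv_ AND at least
# one literal hostname, i.e. DNS discovery plus a fallback if DNS is down.
check_sssd_fallback() {
    val=$(ipa_server_value)
    has_srv=0
    has_host=0
    oldifs=$IFS
    IFS=','
    for entry in $val; do
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -z "$entry" ] && continue
        if [ "$entry" = "_srv_" ]; then has_srv=1; else has_host=1; fi
    done
    IFS=$oldifs
    [ "$has_srv" -eq 1 ] && [ "$has_host" -eq 1 ]
}

main() {
    printf 'lowest TTL on _ldap._tcp.%s SRV records: %s s\n' "$ZONE" \
        "$(printf '%s\n' "$SAMPLE_DIG" | srv_min_ttl)"
    if printf '%s\n' "$SAMPLE_DIG" | check_srv_ttl "$MIN_TTL"; then
        echo "SRV TTLs are at least $MIN_TTL s: OK"
    else
        echo "WARNING: an SRV record has a TTL below $MIN_TTL s; SSSD will re-resolve constantly"
    fi
    if printf '%s\n' "$SAMPLE_SSSD_CONF" | check_sssd_fallback; then
        echo "sssd.conf ipa_server has _srv_ plus a named fallback host: OK"
    else
        echo "WARNING: ipa_server lacks _srv_ or a named fallback host"
    fi
}

main
```

Run it as-is to see the checks fire on the sample data; to test a real client, replace the two samples with `dig +noall +answer SRV _ldap._tcp.$ZONE` and `cat /etc/sssd/sssd.conf` piped into the same functions. The fallback check only looks at the ipa_server line; it does not verify that the named host is actually reachable, which is a separate concern.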