[Freeipa-users] 6.1 beta

Tue Apr 5 14:00:50 UTC 2011

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/05/2011 09:54 AM, Sigbjorn Lie wrote:
>>
>> On 04/05/2011 08:16 AM, Sigbjorn Lie wrote:
>>
>>>>
>>>> On 04/04/2011 05:17 PM, Sigbjorn Lie wrote:
>>>>
>>>>
>>>>> The first dig is taken on the ipa server, using it's own IPA configured
>>>>> test DNS. However I have a F14 client successfully connected using my prod DNS (my DHCP
>>>>> default). Prod DNS is serving the same _ldap._tcp
>>>>> records for the same IPA server. My prod dns is serving TTL 1 second for the same records.
>>>>>
>>>>> I presume what happened was that I started the SSSD on the IPA server
>>>>> while it was still being served by the PROD dns. Then I changed the nameserver entries
>>>>> after.
>>>>>
>>>>> What gets to me is that I've used the prod DNS setup for testing with
>>>>> F14 for months now, without any issue. This first became an issue when I
>>>>> reinstalled the IPA server with RHEL 6.1 beta.
>>>>>
>>>>> Was that really it? Too low TTL on the DNS entries?
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> If I remember correctly, the change that added _srv_ by default to
>>>> sssd.conf went in during one of the later release candidates for FreeIPA. So it's likely that
>>>> for most of your time testing it, you only had the explicit server address in the config file.
>>>>
>>>>
>>>> I do encourage you to keep the _srv_ entry, as it really does make life
>>>> a lot easier later on (if you want to add a replica or move the FreeIPA server) since you only
>>>> have to update DNS instead of every client.
>>>>
>>>
>>> I see your point. I'll increase the TTL of my production zone and see what happends then. What
>>> do you think of having only the _srv_ entry, no named hosts at all in sssd.conf ?
>>
>>
>> The reason the install script sets one named host is just to be extra
>> cautious. If DNS is not resolving for some reason (BIND crashed, or someone accidentally blocked
>> port 53, etc.) then SSSD will still attempt to reach the named host before giving up and going
>> offline.
>>
>> It's not strictly necessary, but neither should it ever be harmful.
>> Obviously if DNS is resolving correctly at all times the named host will
>> never be used.
>>
> 
> 
> Ok. I see.
> 
> Why is the _srv_ records not used in the domain/default as well? And what exactly is the
> difference between domain/ix.nixtra.com and domain/default?

[domain/default] is not in use. It's put there by authconfig (which we
use to bootstrap the SSSD setup process) but we disable that domain.
Only domains listed in the
domains = <domain1>, <domain2>, ...
line of the [sssd] section are active.

We leave it in there to be a good citizen (in case it actually was
configured previously). That way we don't wipe out any settings that the
user may have had in it.

- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2bIJIACgkQeiVVYja6o6NR6ACdFp0PHQ3vz4G+KC850mn2+fL2
QaUAnA6W3hfNokCtOqlwTpriZfN/yK1n
=kDvn
-----END PGP SIGNATURE-----