[Freeipa-users] SSSD in redundant configuration

Andrew Holway andrew.holway at gmail.com
Thu Mar 19 07:42:42 UTC 2015


Cool stuff. Thanks.

I had a look at our SRV records and found the following:
_kerberos-master._tcp
_kerberos-master._udp
_kerberos._tcp
_kerberos._udp
_kpasswd._tcp
_kpasswd._udp
_ldap._tcp
_ntp._udp

No mention of any ipa srv records. Does sssd use _ldap._tcp?

Thanks,

Andrew

On 18 March 2015 at 18:11, Rob Crittenden <rcritten at redhat.com> wrote:

> Craig White wrote:
> > *From:* freeipa-users-bounces at redhat.com
> > [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of* Andrew Holway
> > *Sent:* Wednesday, March 18, 2015 9:40 AM
> > *To:* freeipa-users at redhat.com
> > *Subject:* [Freeipa-users] SSSD in redundant configuration
> >
> > Hello,
> >
> > I'm wondering how we should be handling SSSD for redundant configurations
> > on our freeipa clients. We have three freeipa servers; how can we make
> > SSSD check another freeipa in the event that one goes down?
> >
> > It appears we can do something like the following:
> >
> > ipa_hostname = test-freeipa-client-1.cloud.domain.de,
> > test-freeipa-client-2.cloud.domain.de,
> > test-freeipa-client-3.cloud.domain.de
> >
> > However, I thought SRV records were meant to supply the magic here?
> >
> > Thanks,
> >
> > Andrew
> >
> > /etc/sssd/sssd.conf
> >
> > [domain/cloud.domain.de]
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = cloud.domain.de
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = test-freeipa-client-2.cloud.domain.de
> > chpass_provider = ipa
> > ipa_dyndns_update = True
> > ipa_server = _srv_, test-freeipa-2.cloud.domain.de
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > # For the SUDO integration
> > sudo_provider = ldap
> > ldap_uri = ldap://test-freeipa-1.cloud.domain.de
> > ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de
> > ldap_sasl_mech = GSSAPI
> > ldap_sasl_authid = host/test-freeipa-client-2.cloud.domain.de
> > ldap_sasl_realm = CLOUD.DOMAIN.DE
> > krb5_server = test-freeipa-2.cloud.domain.de
> >
> > [sssd]
> > services = nss, pam, ssh, sudo
> > config_file_version = 2
> > domains = cloud.domain.de
> >
> > [nss]
> > [pam]
> > [sudo]
> > [autofs]
> > [ssh]
> > [pac]
>
> I think the magic you are looking for is in /etc/sssd/sssd.conf where
> you have…
>
> ipa_server = _srv_, test-freeipa-2.cloud.domain.de
>
> and all you need is…
>
> ipa_server = _srv_
>
> _srv_ tells SSSD to check DNS for SRV records. The trailing server gives
> it a hardcoded fallback in case DNS fails for some reason. Their current
> configuration is correct.
>
> rob
>
>
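The server-selection behaviour Rob describes above (`_srv_` expands to what DNS returns, the trailing host is a fallback), as an added example that is not part of the thread: a small Python script that reads an `ipa_server` line from an sssd.conf fragment and produces the order of servers SSSD would try. SSSD's IPA provider resolves `_srv_` through the `_ldap._tcp.<domain>` SRV records; the DNS answers, the config fragment, and the helper names (`SRV_ANSWERS`, `srv_targets`, `server_order`) are constructed for this example so it runs offline.

```python
"""Added example (not from the thread): expand an sssd.conf ``ipa_server``
list the way SSSD's IPA provider does.  ``_srv_`` becomes the targets of the
``_ldap._tcp.<domain>`` SRV records; literal hosts stay as the fallback."""
import configparser

# Constructed stand-in for a DNS answer: (priority, weight, port, target).
SRV_ANSWERS = {
    "_ldap._tcp.cloud.domain.de": [
        (0, 100, 389, "test-freeipa-1.cloud.domain.de"),
        (0, 50, 389, "test-freeipa-3.cloud.domain.de"),
        (10, 100, 389, "test-freeipa-2.cloud.domain.de"),
    ],
}

# Constructed sssd.conf fragment modelled on the one posted in the thread.
SSSD_CONF = """
[domain/cloud.domain.de]
id_provider = ipa
ipa_domain = cloud.domain.de
ipa_server = _srv_, test-freeipa-2.cloud.domain.de
"""

def srv_targets(name, answers=SRV_ANSWERS):
    """Order SRV targets by RFC 2782 priority (lower first); within one
    priority, by weight (higher first) instead of the weighted random pick a
    real resolver makes, so the result is deterministic."""
    rrs = sorted(answers.get(name, []), key=lambda r: (r[0], -r[1]))
    return [target for _, _, _, target in rrs]

def server_order(conf_text, domain, answers=SRV_ANSWERS):
    """Return the ordered list of IPA servers SSSD would try for ``domain``."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    section = cp["domain/%s" % domain]
    ipa_domain = section.get("ipa_domain", domain)
    order = []
    for item in section.get("ipa_server", "_srv_").split(","):
        item = item.strip()
        if item == "_srv_":
            found = srv_targets("_ldap._tcp." + ipa_domain, answers)
        else:
            found = [item]
        for host in found:
            if host not in order:  # fallback already returned by DNS is not repeated
                order.append(host)
    return order

if __name__ == "__main__":
    print(server_order(SSSD_CONF, "cloud.domain.de"))
    print(server_order(SSSD_CONF, "cloud.domain.de", answers={}))  # DNS gives nothing
```

With an empty DNS answer set only the hard-coded fallback remains, which is exactly the case the trailing host in `ipa_server` is there for.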