[Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

Petr Spacek pspacek at redhat.com
Mon Feb 15 12:26:29 UTC 2016


On 26.1.2016 13:18, Zeal Vora wrote:
> Thanks David.
> 
> Generally for operating systems like Amazon Linux etc. which do not have an
> IPA client, we generally use SSSD to get things working.
> 
> In such cases, what would be the optimal way to configure the SRV records, as
> the --domain parameter won't be present?

Hi,

ipa-client just configures SSSD, so SRV records will work just fine if you
configure it by hand.

Anyway, I would recommend that you either push Amazon to include IPA support in
their distro or use RHEL/CentOS in AWS.

Petr^2 Spacek

> On Mon, Jan 25, 2016 at 5:16 PM, David Kupka <dkupka at redhat.com> wrote:
> 
>> On 25/01/16 12:08, Zeal Vora wrote:
>>
>>> Thanks Petr.
>>>
>>> So if the domain is example.com, in DNS, what would be the IP associated
>>> with it?
>>>
>>> As there are 2 master servers, each of them will have a different IP
>>> address.
>>>
>>> On Mon, Jan 25, 2016 at 4:34 PM, Petr Spacek <pspacek at redhat.com> wrote:
>>>
>>>> On 25.1.2016 10:47, Zeal Vora wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> I have setup a multi-master IPA and it seems to be working fine.
>>>>>
>>>>> The clients ( laptops and servers ) are not using the DNS of IPA.
>>>>>
>>>>> I was wondering, while configuring ipa-client, which server do I reference
>>>>> to when it asks the ipa-server hostname?
>>>>>
>>>>> Both master servers have different hostnames.
>>>>>
>>>>> master1.example.com  ( Master 1 )
>>>>> master2.example.com  ( Master 2 )
>>>>>
>>>>
>>>> Specify only the --domain option and do not use the --server option at all. It
>>>> will enable server auto-detection using DNS SRV records and you will not need
>>>> to worry about adding/removing servers because all clients will automatically
>>>> pick the new list up.
>>>>
>>>> --
>>>> Petr^2 Spacek
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>>
>>>
>>>
>>>
>> The '--domain' parameter is used by the client installer to form a DNS request.
>> The request that is sent is the same as the one sent by this command:
>> dig -t SRV _ldap._tcp.<domain>
>>
>> It then receives a list of records similar to this one:
>> 100 0 389 <master1-fqdn>
>> 100 0 389 <master2-fqdn>
>>
>> The installer then goes through the list and checks whether each one is really a
>> FreeIPA server; the first one that passes is used. When an IP address is needed it
>> can be resolved from the name included in the SRV response.
>>
>> HTH,
>> --
>> David Kupka
>>
> 


-- 
Petr^2 Spacek
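As an added example (not part of the thread, and not the ipa-client or SSSD code), the following Python script reproduces the SRV-based discovery David describes: it parses the answer section of a `dig -t SRV _ldap._tcp.<domain>` query and orders the candidate servers the way RFC 2782 prescribes (lowest priority first, weighted random choice within a priority), which is why adding or removing a master only requires a DNS change. The sample answer and host names are constructed; the real installer additionally contacts each candidate to confirm it is a FreeIPA server, which this offline example does not do.

```python
import random
from typing import List, NamedTuple, Optional


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample in the shape of dig's ANSWER section for
# `dig -t SRV _ldap._tcp.example.com` (example hosts, not real servers).
SAMPLE_ANSWER = """
_ldap._tcp.example.com. 86400 IN SRV 100 0 389 master1.example.com.
_ldap._tcp.example.com. 86400 IN SRV 100 0 389 master2.example.com.
_ldap._tcp.example.com. 86400 IN SRV 200 0 389 backup.example.com.
"""


def parse_srv(answer: str) -> List[SrvRecord]:
    """Parse dig-style SRV answer lines; skip comments and non-SRV lines."""
    records = []
    for line in answer.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[3] == "SRV":
            pri, wgt, port = (int(x) for x in fields[4:7])
            records.append(SrvRecord(pri, wgt, port, fields[7].rstrip(".")))
    return records


def order_candidates(records: List[SrvRecord], seed: Optional[int] = None) -> List[SrvRecord]:
    """RFC 2782 ordering: ascending priority; within a priority, pick repeatedly
    at random with probability proportional to weight (uniform if all are 0)."""
    rng = random.Random(seed)
    ordered: List[SrvRecord] = []
    for pri in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == pri]
        while group:
            total = sum(r.weight for r in group)
            roll, acc, pick = (rng.randrange(total) if total else 0), 0, group[0]
            for r in group if total else [rng.choice(group)]:
                acc += r.weight
                pick = r
                if roll < acc:
                    break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def candidate_endpoints(answer: str, seed: Optional[int] = None) -> List[str]:
    """Return host:port candidates in the order a client should try them."""
    return [f"{r.target}:{r.port}" for r in order_candidates(parse_srv(answer), seed)]


if __name__ == "__main__":
    print(candidate_endpoints(SAMPLE_ANSWER))
```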