[Freeipa-users] FreeIPA Replica / HA Issues

Jeff Hallyburton jeff.hallyburton at bloomip.com
Fri Jan 15 01:59:15 UTC 2016 

Petr,

Thanks for the info.  This is in fact probably what's happening in our
case.  That said, is there any supported way of manually setting up
failover at this time?  Is it hard, or simply impossible?

Thanks,

Jeff

Jeff Hallyburton
Strategic Systems Engineer
Bloomip Inc.
Web: http://www.bloomip.com

Engineering Support: support at bloomip.com
Billing Support: billing at bloomip.com
Customer Support Portal:  https://my.bloomip.com <http://my.bloomip.com/>

On Thu, Jan 14, 2016 at 2:06 AM, Petr Spacek <pspacek at redhat.com> wrote:

> Hello,
>
>
> this log is weird:
>
> On 14.1.2016 03:02, Jeff Hallyburton wrote:
> >> 2016-01-14T00:45:35Z DEBUG [IPA Discovery]
> >> 2016-01-14T00:45:35Z DEBUG Starting IPA discovery with domain=
> west-2.production.example.com, servers=None, hostname=
> test.west-2.production.example.com
> >> 2016-01-14T00:45:35Z DEBUG Search for LDAP SRV record in
> west-2.production.example.com
> >> 2016-01-14T00:45:35Z DEBUG Search DNS for SRV record of _ldap._
> tcp.west-2.production.example.com
> >> 2016-01-14T00:45:35Z DEBUG DNS record found: 0 100 389
> ipa1.west-2.production.example.com.
> >> 2016-01-14T00:45:35Z DEBUG DNS record found: 10 100 389
> ipa2.west-2.production.example.com.
> >> 2016-01-14T00:45:35Z DEBUG [Kerberos realm search]
> >> 2016-01-14T00:45:35Z DEBUG Search DNS for TXT record of _
> kerberos.west-2.production.example.com
> >> 2016-01-14T00:45:35Z DEBUG DNS record found: "EXAMPLE.COM"
> >> 2016-01-14T00:45:35Z DEBUG Search DNS for SRV record of _kerberos._
> udp.west-2.production.example.com
> >> 2016-01-14T00:45:35Z DEBUG DNS record found: 10 100 88
> ipa2.west-2.production.example.com.
> >> 2016-01-14T00:45:35Z DEBUG DNS record found: 0 100 88
> ipa1.west-2.production.example.com.
> >> 2016-01-14T00:45:35Z DEBUG [LDAP server check]
> >> 2016-01-14T00:45:35Z DEBUG Verifying that
> ipa1.west-2.production.example.com (realm EXAMPLE.COM) is an IPA server
> >> 2016-01-14T00:45:35Z DEBUG Init LDAP connection to:
> ipa1.west-2.production.example.com
> >> 2016-01-14T00:45:35Z DEBUG Search LDAP server for IPA base DN
> >> 2016-01-14T00:45:35Z DEBUG Check if naming context 'dc=example,dc=com'
> is for IPA
> >> 2016-01-14T00:45:35Z DEBUG Naming context 'dc=example,dc=com' is a
> valid IPA context
> >> 2016-01-14T00:45:35Z DEBUG Search for (objectClass=krbRealmContainer)
> in dc=example,dc=com (sub)
> >> 2016-01-14T00:45:35Z DEBUG Found: cn=EXAMPLE.COM
> ,cn=kerberos,dc=example,dc=com
> >> 2016-01-14T00:45:35Z DEBUG Discovery result: Success; server=
> ipa1.west-2.production.example.com, domain=west-2.production.example.com,
> kdc=ipa2.west-2.production.example.com,ipa1.west-2.production.example.com,
> basedn=dc=example,dc=com
> >> 2016-01-14T00:45:35Z DEBUG Validated servers:
> ipa1.west-2.production.example.com
> >> 2016-01-14T00:45:35Z DEBUG will use discovered domain:
> west-2.production.example.com
>
> It looks that your IPA domain & realm is "example.com" and "EXAMPLE.COM",
> is
> that correct?
>
> Looking further ...
>
> > 2016-01-14T00:45:39Z DEBUG Writing Kerberos configuration to
> /etc/krb5.conf:
> > 2016-01-14T00:45:39Z DEBUG #File modified by ipa-client-install
> >
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> >
> > [libdefaults]
> >   default_realm = EXAMPLE.COM
> >   dns_lookup_realm = true
> >   dns_lookup_kdc = true
> >   rdns = false
> >   ticket_lifetime = 24h
> >   forwardable = yes
> >   udp_preference_limit = 0
> >   default_ccache_name = KEYRING:persistent:%{uid}
> >
> >
> > [realms]
> >   EXAMPLE.COM = {
> >     pkinit_anchors = FILE:/etc/ipa/ca.crt
> >
> >   }
> >
> >
> > [domain_realm]
> >   .west-2.production.example.com = EXAMPLE.COM
> >   west-2.production.example.com = EXAMPLE.COM
>
> Hmm, this is going to be wild guess, but let's try it:
> Do you have DNS SRV records in domain west-2.production.example.com but
> not in
> DNS domain example.com?
>
> That would probably cause this kind of problem.
>
> Generally it is necessary to put _kerberos TXT + SRV records into the
> (primary) DNS domain specified during IPA installation. Then use --domain
> option during ipa-client-install.
>
> --server is generally discouraged as it disables DNS SRV lookup and makes
> failover hard or impossible.
>
> --domain is just a hint for the installer where to start looking for DNS
> SRV
> records and allows full automatic failover.
>
>
> The autodiscovery is quite messy and needs to be imporoved in next
> versions.
> https://fedorahosted.org/freeipa/ticket/5270 should avoid the need to
> specify
> --domain when Kerberos TXT record is in DNS ... Stay tuned :-)
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160114/01aedd12/attachment.htm>

More information about the Freeipa-users mailing list