[Freeipa-users] Service discovery and selection for IPA

Jakub Hrozek jhrozek at redhat.com
Wed Nov 2 08:46:51 UTC 2016


On Tue, Nov 01, 2016 at 06:44:46PM -0400, Jake wrote:
> Hey All, 
> Quick question on IPA Service discovery and selection (ldap/kerberos in ad trust).
> 
> Do IPA clients ping results of SRV records to determine which server they send requests (for ldap/kerberos specifically)? 
> 
> I have 8 AD Domain controllers, 2 in each location, and 4 ipa servers (2 in each of 2 locations). It seems the ipa servers rarely choose the local ad controllers; is there a way to adjust this? Must I set up something like geo-dns with different service weights per subnet?

Please note that the identity lookups of AD users are mostly done by SSSD
on the IPA masters and the IPA clients read the AD user data from the
IPA masters. So I would make sure that the IPA masters are assigned to a
local site, then SSSD should prefer DCs from that site. The DNS queries
and the discovery should be visible in the SSSD domain logs on the IPA
masters.

Authentication is done by calling libkrb5 on the clients which is not
site-aware.



