[Freeipa-users] Freeipa replica info to clients: guidance

Rakesh Rajasekharan rakesh.rajasekharan at gmail.com
Sat Jan 21 13:49:30 UTC 2017


Thanks Matrix.. I will add this option to my config params

Regards,
Rakesh

On Sat, Jan 21, 2017 at 7:17 PM, Matrix <matrix.zj at qq.com> wrote:

> Hi, Rakesh
>
> Try 'ipa-client-install' with this option '--fixed-primary'. With it,
> '_srv_' will disappear.
>
> From man page:
>        --fixed-primary
>               Configure SSSD to use a fixed server as the primary IPA
>               server. The default is to use DNS SRV records to determine
>               the primary server to use and fall back to the server the
>               client is enrolled with. When used in conjunction with
>               --server then no _srv_ value is set in the ipa_server
>               option in sssd.conf.
>
> Matrix
> ------------------ Original ------------------
> From: "Rakesh Rajasekharan" <rakesh.rajasekharan at gmail.com>
> Date: Sat, Jan 21, 2017 10:09 PM
> To: "Matrix" <matrix.zj at qq.com>
> Cc: "freeipa-users" <freeipa-users at redhat.com>
> Subject: Re: [Freeipa-users] Freeipa replica info to clients: guidance
>
> Thanks Matrix.. for the inputs..
>
> > Firstly, '_srv_' means clients will find out which servers will be
> > connected with by DNS SRV records. In your explanation, DNS is not
> > configured in your env.
>
> After running the ipa-client, the _srv_ was automatically added. The
> config options I passed for configuring the host as an IPA client are
>
> ipa-client-install --domain=mydomain.com --server=ipa-master-int.mydomain.com --realm=MYDOMAIN.COM -p admin --password=mypass --mkhomedir --hostname=first-client-int.mydomain.com --no-ssh --no-sshd -N -f -U
>
>
> While configuring the IPA server, I did not pass the setup-dns option
> (that avoids setting up the DNS server, I assume).
>
>
> ipa-server-install -r 'MYDOMAIN.COM' -n 'mydomain.com' -p mypass -P
> mypass -a mypass --hostname=ipa-master-int.mydomain.com -N -U
>
> So, I did not explicitly specify the _srv_ options. However, this has been
> working fine till now.
>
>
> > Secondly, the 'replica' keyword? I cannot find it in the man pages of
> > sssd-ipa. Is it really working fine?
> Sorry, that was a typo from my side.
> It's actually
> ipa_server = _srv_, ipa-master-mydomain.com, ipa-replica-mydomain.com.
>
> > So, I suggest configuring it this way:
> > ipa_server = <ipa1>
> > ipa_backup_server = <ipa2>
>
> > For another half clients,
> > ipa_server = <ipa2>
> > ipa_backup_server = <ipa1>
>
> I will try this out.. probably I can safely leave out _srv_
>
> Thanks
> Rakesh
>
> On Sat, Jan 21, 2017 at 6:10 PM, Matrix <matrix.zj at qq.com> wrote:
>
>> To my understanding, there is something wrong with your configuration
>>
>> >> ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com
>>
>> Firstly, '_srv_' means clients will find out which servers will be
>> connected with by DNS SRV records. In your explanation, DNS is not
>> configured in your env.
>>
>> Secondly, the 'replica' keyword? I cannot find it in the man pages of
>> sssd-ipa. Is it really working fine?
>>
>> >> Also, can I define priority based on the order in which the IPA servers
>> >> are defined in
>> >> ipa_server = _srv_ ,<ipa1>,<ipa2>
>>
>> Your understanding is correct. Server priority is based on the sequence in
>> the conf file. There is a problem with this configuration. Once 'ipa1' fails,
>> all id lookup/authentication will happen with 'ipa2'. Even when 'ipa1' is
>> back, all clients will stay sticky on 'ipa2'.
>>
>> So, I suggest configuring it this way:
>> ipa_server = <ipa1>
>> ipa_backup_server = <ipa2>
>>
>> For another half clients,
>> ipa_server = <ipa2>
>> ipa_backup_server = <ipa1>
>>
>> Matrix
>>
>> ------------------ Original ------------------
>> From: "Rakesh Rajasekharan" <rakesh.rajasekharan at gmail.com>
>> Date: Sat, Jan 21, 2017 08:25 PM
>> To: "freeipa-users" <freeipa-users at redhat.com>
>> Subject: [Freeipa-users] Freeipa replica info to clients: guidance
>>
>> Hi,
>>
>> My Freeipa setup is on AWS ec2 instances and has been working fine with
>> just one master for a while now.
>>
>> I am now trying to set up replica servers, which I was able to, and the
>> replication between both masters goes fine.
>>
>> So, I have a master server ipa-master-mydomain.com and replica
>> ipa-replica-mydomain.com
>>
>> I am not using DNS and rely on AWS for DNS resolution instead.
>>
>> My question is, how do I tell clients about the new replica server.
>>
>> I tried an entry in the sssd.conf domain section of the clients
>>
>>
>> id_provider = ipa
>> auth_provider = ipa
>> ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com
>>
>>
>> This approach works fine and clients reach out to the replica as a
>> failover. However, I wanted to verify if this is the correct way.
>>
>> Also, can I define priority based on the order in which the IPA servers
>> are defined in
>> ipa_server = _srv_ ,<ipa1>,<ipa2>
>>
>> If the above assumption is right, I could have half of my clients connect
>> to the master always and the rest to the replica, that way balancing the load.
>>
>>
>> Thanks
>> Rakesh
>>
>
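A worked example, added here and not part of the thread or of SSSD/FreeIPA itself: a small Python helper that writes the sssd.conf [domain/...] section with an explicit ipa_server and ipa_backup_server the way Matrix suggests, splitting clients between the two servers so half prefer the master and half the replica, plus a check that flags a '_srv_' entry when there are no DNS SRV records to resolve it and a stray word inside a server entry (the 'repilca' typo above). The server names are constructed following the thread's naming, and the hostname-hash split is my own choice, not something the thread specifies.

```python
import configparser
import hashlib
import io

# Constructed server names following the thread's naming (not real hosts).
IPA_SERVERS = ("ipa-master-int.mydomain.com", "ipa-replica-int.mydomain.com")


def pick_primary_backup(client_hostname, servers=IPA_SERVERS):
    """Split clients across the two IPA servers without DNS SRV records.

    Hash parity of the client hostname decides which server is primary, so
    roughly half the fleet prefers the master and half the replica, and the
    choice is stable across re-runs of whatever tool writes sssd.conf.
    (Assumption: parity of the first SHA-256 byte is an even enough split.)"""
    first, second = servers
    digest = hashlib.sha256(client_hostname.encode("utf-8")).digest()
    return (first, second) if digest[0] % 2 == 0 else (second, first)


def render_domain_section(domain, client_hostname, servers=IPA_SERVERS):
    """Render the [domain/...] section of sssd.conf with an explicit backup."""
    primary, backup = pick_primary_backup(client_hostname, servers)
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep option names as written (sssd is case-sensitive)
    cfg[f"domain/{domain}"] = {
        "id_provider": "ipa",
        "auth_provider": "ipa",
        "ipa_server": primary,            # no _srv_: nothing to resolve it
        "ipa_backup_server": backup,      # used only while primary is down
    }
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def check_ipa_server_value(value, dns_srv_available=False):
    """Flag problems in an ipa_server value; sssd splits the list on commas.

    dns_srv_available defaults to False to match the thread, where the IPA
    DNS component was not installed and AWS DNS is used instead."""
    problems = []
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        if token == "_srv_":
            if not dns_srv_available:
                problems.append("_srv_ listed but no DNS SRV records to resolve it")
        elif " " in token:
            problems.append(f"stray words in server entry: {token!r}")
    return problems
```

Run check_ipa_server_value against the ipa_server line from the first mail to see both findings; render_domain_section gives the replacement section for one client.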