<div dir="ltr">Cool stuff. Thanks.<div><br></div><div>I had a look at our SRV records and found the following:</div><div><div>_kerberos-master._tcp</div><div>_kerberos-master._udp</div><div>_kerberos._tcp</div><div>_kerberos._udp</div><div>_kpasswd._tcp</div><div>_kpasswd._udp</div><div>_ldap._tcp</div><div>_ntp._udp</div></div><div><br></div><div>No mention of any IPA SRV records. Does SSSD use _ldap._tcp?</div><div><br></div><div>Thanks,</div><div><br></div><div>Andrew</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 18 March 2015 at 18:11, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Craig White wrote:<br>
> *From:* <a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a><br>
> [mailto:<a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>] *On Behalf Of *Andrew Holway<br>
> *Sent:* Wednesday, March 18, 2015 9:40 AM<br>
> *To:* <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a><br>
> *Subject:* [Freeipa-users] SSSD in redundant configuration<br>
<span>><br>
> Hello,<br>
><br>
> I'm wondering how we should be handling SSSD for redundant configurations<br>
> on our freeipa clients. We have three freeipa servers; how can we make<br>
> SSSD check another freeipa in the event that one goes down?<br>
><br>
> It appears we can do something like the following:<br>
><br>
> ipa_hostname = test-freeipa-client-1.cloud.domain.de,<br>
> test-freeipa-client-2.cloud.domain.de,<br>
> test-freeipa-client-3.cloud.domain.de<br>
><br>
> However I thought SRV records were meant to supply the magic here?<br>
><br>
> Thanks,<br>
><br>
> Andrew<br>
><br>
><br>
> /etc/sssd/sssd.conf<br>
<span>><br>
</span>> [domain/cloud.domain.de]<br>
> cache_credentials = True<br>
> krb5_store_password_if_offline = True<br>
> ipa_domain = cloud.domain.de<br>
> id_provider = ipa<br>
> auth_provider = ipa<br>
> access_provider = ipa<br>
> ipa_hostname = test-freeipa-client-2.cloud.domain.de<br>
> chpass_provider = ipa<br>
> ipa_dyndns_update = True<br>
> ipa_server = _srv_, test-freeipa-2.cloud.domain.de<br>
> ldap_tls_cacert = /etc/ipa/ca.crt<br>
> # For the SUDO integration<br>
> sudo_provider = ldap<br>
> ldap_uri = ldap://test-freeipa-1.cloud.domain.de<br>
> ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de<br>
> ldap_sasl_mech = GSSAPI<br>
> ldap_sasl_authid = host/test-freeipa-client-2.cloud.domain.de<br>
> ldap_sasl_realm = CLOUD.DOMAIN.DE<br>
> krb5_server = test-freeipa-2.cloud.domain.de<br>
><br>
> [sssd]<br>
> services = nss, pam, ssh, sudo<br>
> config_file_version = 2<br>
> domains = cloud.domain.de<br>
><br>
> [nss]<br>
> [pam]<br>
> [sudo]<br>
> [autofs]<br>
> [ssh]<br>
> [pac]<br>
><br>
> I think the magic you are looking for is in /etc/sssd/sssd.conf where<br>
> you have…<br>
><br>
> ipa_server = _srv_, test-freeipa-2.cloud.domain.de<br>
><br>
> and all you need is…<br>
><br>
<span>> ipa_server = _srv_<br>
<br>
</span>_srv_ tells SSSD to check DNS for SRV records. The trailing server gives<br>
it a hardcoded fallback in case DNS fails for some reason. Their current<br>
configuration is correct.<br>
<span><font color="#888888"><br>
rob<br>
<br>
</font></span></blockquote></div><br></div>
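To make Rob's point about `_srv_` plus a trailing hardcoded host concrete, here is an added Python example; it is illustrative code written for this thread, not SSSD's implementation and not from anyone posting here. It parses a constructed set of SRV answers for cloud.domain.de, orders them the way RFC 2782 prescribes (lowest priority first, weighted random within a priority), appends the hardcoded fallback, and shows what is left when DNS returns nothing and which replica is chosen when one is unreachable. The third replica test-freeipa-3, the priority and weight values, and the assumption that the client consults `_ldap._tcp` and `_kerberos._tcp` are mine; it does not model the server-status tracking and retry timers a real client keeps between lookups.

```python
"""Added example: how a setting like 'ipa_server = _srv_, <host>' turns into a
server list, using RFC 2782 SRV ordering plus a hardcoded fallback.
Illustrative code for this thread, not SSSD's own fail-over code."""
import random
import re
from collections import defaultdict

# Constructed dig-style answer section for the zone in the thread. The third
# replica (test-freeipa-3) and the priority/weight values are assumptions;
# IPA normally publishes all replicas at the same priority.
SRV_ANSWERS = """\
_ldap._tcp.cloud.domain.de.     86400 IN SRV 0  100 389 test-freeipa-1.cloud.domain.de.
_ldap._tcp.cloud.domain.de.     86400 IN SRV 0  100 389 test-freeipa-2.cloud.domain.de.
_ldap._tcp.cloud.domain.de.     86400 IN SRV 10 100 389 test-freeipa-3.cloud.domain.de.
_kerberos._tcp.cloud.domain.de. 86400 IN SRV 0  100 88  test-freeipa-1.cloud.domain.de.
_kerberos._tcp.cloud.domain.de. 86400 IN SRV 0  100 88  test-freeipa-2.cloud.domain.de.
_kerberos._tcp.cloud.domain.de. 86400 IN SRV 10 100 88  test-freeipa-3.cloud.domain.de.
"""

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(text):
    """Parse dig-style SRV lines into {owner: [(priority, weight, port, target), ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an SRV answer line
        owner, prio, weight, port, target = m.groups()
        records[owner.rstrip(".")].append(
            (int(prio), int(weight), int(port), target.rstrip("."))
        )
    return dict(records)


def order_srv(rrs, rng=None):
    """Order SRV records per RFC 2782: lowest priority first; within one
    priority a weighted random order, so equal-weight replicas share load."""
    rng = rng or random.Random(0)  # seeded so the example is reproducible
    by_prio = defaultdict(list)
    for rr in rrs:
        by_prio[rr[0]].append(rr)
    ordered = []
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            total = sum(rr[1] for rr in pool)
            pick = rng.randint(0, total)
            running = 0
            for rr in pool:
                running += rr[1]
                if running >= pick:
                    ordered.append(rr)
                    pool.remove(rr)
                    break
    return ordered


def candidate_servers(records, service, domain, fallback=()):
    """Compose the list the way the thread's setting reads: SRV-discovered
    servers first, then hardcoded hosts not already present. If DNS returned
    nothing, only the fallback remains."""
    rrs = records.get(f"{service}.{domain}", [])
    discovered = [target for _, _, _, target in order_srv(rrs)]
    return discovered + [h for h in fallback if h not in discovered]


def pick_server(candidates, reachable):
    """Fail-over: return the first candidate that answers, or None if none do."""
    for host in candidates:
        if reachable(host):
            return host
    return None


if __name__ == "__main__":
    recs = parse_srv(SRV_ANSWERS)
    fallback = ("test-freeipa-2.cloud.domain.de",)
    cands = candidate_servers(recs, "_ldap._tcp", "cloud.domain.de", fallback)
    print("order from DNS + fallback:", cands)
    print("DNS failed, fallback only:",
          candidate_servers({}, "_ldap._tcp", "cloud.domain.de", fallback))
    down = {"test-freeipa-1.cloud.domain.de"}
    print("chosen with replica 1 down:", pick_server(cands, lambda h: h not in down))
```

The second call in the `__main__` block, with an empty record set, is the case Rob describes: DNS yields nothing, and the trailing host named after `_srv_` is all the client has left to try.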