#1187 Client install fails on ipa-join when master is down, and replica is running.
Closed: Fixed None Opened 11 years ago by dpal.


I have been unable to verify this. My setup consists of:

Original master with DNS on panther
Replica install with DNS on slinky

Confirmed that both have SRV records for the domain.

On panther run ipactl to completely shut down IPA.

On client lion configure /etc/resolv.conf with both panther as the nameserver:

ipa-client-install (wait 15 seconds or so)

DNS discovery failed to determine your DNS domain
Please provide the domain name of your IPA server (ex: example.com):

Ok, that is expected. Add slinky to /etc/resolv.conf:

ipa-client-install

root : ERROR LDAP Error: Can't contact LDAP server:
Failed to verify that slinky.greyoak.com is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.

This is expected too as slinky is still a SRV record for the domain. I can keep trying and eventually I'll get slinky as the server to use:

ipa-client-install

Discovery was successful!
Hostname: lion.greyoak.com
Realm: GREYOAK.COM
DNS Domain: greyoak.com
IPA Server: slinky.greyoak.com
BaseDN: dc=greyoak,dc=com

Continue to configure the system with these values? [no]: y
Enrollment principal: admin
Password for admin@GREYOAK.COM:

Enrolled in IPA realm GREYOAK.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm GREYOAK.COM
Warning: Hostname (lion.greyoak.com) not found in DNS
DNS server record set to: lion.greyoak.com -> 192.168.166.32
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.
[root@lion rcrit]# id admin
uid=1457600000(admin) gid=1457600000(admins) groups=1457600000(admins)

Seems to be working fine.

To make things easier I could have removed the panther SRV records from DNS.

Note that there may still be sporadic failures because sssd and Kerberos are both configured to use DNS discovery and panther is still down, but my basic tests work.

After discussion with Simo and Stephen from the sssd team the final decision is to not set srv in ipa_server on IPA servers.
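
The retry pattern in the comment above, where a run fails or succeeds depending on which SRV target discovery lands on, can be modelled offline. This is an added example, not code from the ticket or from FreeIPA. The SRV priorities and weights, the `lab_probe` stand-in for a real LDAP check, and all function names are assumptions.

```python
import random

# Constructed SRV data modelled on the ticket's lab: (priority, weight, port, target).
# Equal priority and weight for both servers is an assumption, not taken from the ticket.
SRV_RECORDS = [
    (0, 100, 389, "panther.greyoak.com"),
    (0, 100, 389, "slinky.greyoak.com"),
]

def order_candidates(records, rng):
    """Order SRV records the way RFC 2782 describes: lowest priority first,
    weighted random order inside each priority group."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            weights = [r[1] for r in group]
            pick = rng.choices(group, weights=weights if any(weights) else None)[0]
            group.remove(pick)
            ordered.append(pick)
    return ordered

def first_try_only(records, is_ipa_server, rng):
    """Assumed model of a client that verifies one discovered server and stops."""
    _, _, port, host = order_candidates(records, rng)[0]
    return host if is_ipa_server(host, port) else None

def with_failover(records, is_ipa_server, rng):
    """Walk the whole ordered list and return the first server that answers."""
    for _, _, port, host in order_candidates(records, rng):
        if is_ipa_server(host, port):
            return host
    return None

def lab_probe(host, port):
    # Stand-in for a real LDAP reachability check; panther is shut down as in the ticket.
    return host != "panther.greyoak.com"

def outcome_counts(runs=200, seed=1187):
    """Return (failures without failover, failures with failover) over many runs."""
    rng = random.Random(seed)
    single = sum(first_try_only(SRV_RECORDS, lab_probe, rng) is None for _ in range(runs))
    failover = sum(with_failover(SRV_RECORDS, lab_probe, rng) is None for _ in range(runs))
    return single, failover

if __name__ == "__main__":
    print("failed runs (single try, failover):", outcome_counts())
```

In this model, removing the stopped master's SRV records is equivalent to dropping panther from `SRV_RECORDS`, after which the single-try path no longer fails.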

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.1 - 2011/06

5 years ago
