https://bugzilla.redhat.com/show_bug.cgi?id=696193
I have been unable to verify this. My setup consists of:

- Original master with DNS on panther
- Replica install with DNS on slinky
Confirmed that both have SRV records for the domain.
On panther run ipactl to completely shut down IPA.
On client lion configure /etc/resolv.conf with panther as the nameserver:

DNS discovery failed to determine your DNS domain
Please provide the domain name of your IPA server (ex: example.com):
Ok, that is expected. Add slinky to /etc/resolv.conf:
root : ERROR LDAP Error: Can't contact LDAP server: Failed to verify that slinky.greyoak.com is an IPA Server. This may mean that the remote server is not up or is not reachable due to network or firewall settings.
This is expected too as slinky is still a SRV record for the domain. I can keep trying and eventually I'll get slinky as the server to use:
Discovery was successful!
Hostname: lion.greyoak.com
Realm: GREYOAK.COM
DNS Domain: greyoak.com
IPA Server: slinky.greyoak.com
BaseDN: dc=greyoak,dc=com

Continue to configure the system with these values? [no]: y
Enrollment principal: admin
Password for admin@GREYOAK.COM:

Enrolled in IPA realm GREYOAK.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm GREYOAK.COM
Warning: Hostname (lion.greyoak.com) not found in DNS
DNS server record set to: lion.greyoak.com -> 192.168.166.32
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.
[root@lion rcrit]# id admin
uid=1457600000(admin) gid=1457600000(admins) groups=1457600000(admins)
Seems to be working fine.
To make things easier I could have removed the panther SRV records from DNS.
Note that there may still be sporadic failures because sssd and Kerberos are both configured to use DNS discovery and panther is still down, but my basic tests work.
After discussion with Simo and Stephen from the sssd team the final decision is to not set srv in ipa_server on IPA servers.
attachment freeipa-rcrit-806-sssd.patch
master: d0af8b2
ipa-2-0: 99181f6
Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.1 - 2011/06