I have been unable to verify this. My setup consists of:
Original master with DNS on panther
Replica install with DNS on slinky
Confirmed that both have SRV records for the domain.
On panther run ipactl to completely shut down IPA.
On client lion configure /etc/resolv.conf with panther as the nameserver:
DNS discovery failed to determine your DNS domain
Please provide the domain name of your IPA server (ex: example.com):
Ok, that is expected. Add slinky to /etc/resolv.conf:
root : ERROR LDAP Error: Can't contact LDAP server:
Failed to verify that slinky.greyoak.com is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
This is expected too as slinky is still an SRV record for the domain. I can keep trying and eventually I'll get slinky as the server to use:
Discovery was successful!
DNS Domain: greyoak.com
IPA Server: slinky.greyoak.com
Continue to configure the system with these values? [no]: y
Enrollment principal: admin
Password for admin@GREYOAK.COM:
Enrolled in IPA realm GREYOAK.COM
Configured /etc/krb5.conf for IPA realm GREYOAK.COM
Warning: Hostname (lion.greyoak.com) not found in DNS
DNS server record set to: lion.greyoak.com -> 192.168.166.32
Kerberos 5 enabled
Client configuration complete.
[root@lion rcrit]# id admin
uid=1457600000(admin) gid=1457600000(admins) groups=1457600000(admins)
Seems to be working fine.
To make things easier I could have removed the panther SRV records from DNS.
Note that there may still be sporadic failures because sssd and Kerberos are both configured to use DNS discovery and panther is still down, but my basic tests work.
After discussion with Simo and Stephen from the sssd team the final decision is to not set srv in ipa_server on IPA servers.
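The behaviour exercised above (two SRV targets for the domain, one of them shut down, and a client that has to keep retrying until discovery lands on the live replica) is easy to reproduce outside ipa-client-install. The script below is an added example and is not FreeIPA's or sssd's own discovery code: it parses the `_ldap._tcp.<domain>` SRV records FreeIPA publishes (here a constructed `dig` answer section using the panther/slinky hostnames from this ticket), orders them per RFC 2782 priority/weight, and walks the whole list with a TCP probe of the LDAP port instead of stopping at the first target. The `probe` and `rng` parameters are assumptions added so the logic can be driven offline with a stubbed "panther is down" reachability check.

```python
"""Pick a reachable IPA server from a domain's _ldap._tcp SRV records.

Added example, not FreeIPA's own discovery code. It models the ticket's
scenario: two SRV targets (panther, slinky), the master shut down with
ipactl, and a client that should skip the dead target rather than fail.
"""
import random
import socket
from dataclasses import dataclass


@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample, in the shape of the answer section printed by
# `dig SRV _ldap._tcp.greyoak.com` (hostnames taken from the ticket).
SAMPLE_DIG_ANSWER = """\
_ldap._tcp.greyoak.com. 86400 IN SRV 0 100 389 panther.greyoak.com.
_ldap._tcp.greyoak.com. 86400 IN SRV 0 100 389 slinky.greyoak.com.
"""


def parse_srv(text):
    """Turn dig-style SRV answer lines into SrvRecord objects."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3] != "SRV":
            continue
        prio, weight, port = (int(x) for x in fields[4:7])
        records.append(SrvRecord(prio, weight, port, fields[7].rstrip(".")))
    return records


def order_srv(records, rng=random):
    """RFC 2782 ordering: lowest priority first; within one priority,
    weighted-random selection proportional to each record's weight."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total) if total else 0
            running = 0
            chosen = bucket[-1]
            for r in bucket:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            bucket.remove(chosen)
    return ordered


def tcp_probe(host, port, timeout=3.0):
    """Real reachability check: can a TCP connection to the LDAP port be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def discover_server(records, probe=tcp_probe, rng=random):
    """Return (server, tried). `tried` lists the targets probed, in order.

    Walking the whole SRV list is what makes a down master (panther in
    the ticket) get skipped instead of aborting enrollment: the first
    target that answers on its LDAP port wins, the rest are never probed.
    """
    tried = []
    for rec in order_srv(records, rng):
        tried.append(rec.target)
        if probe(rec.target, rec.port):
            return rec.target, tried
    return None, tried


if __name__ == "__main__":
    # Stand-alone run uses the real TCP probe; with no greyoak.com on
    # this network every target fails and the result is None.
    server, tried = discover_server(parse_srv(SAMPLE_DIG_ANSWER))
    print("tried:", tried)
    print("selected:", server or "no reachable IPA server")
```

Removing panther's SRV records from DNS, as suggested in the comment above, is the equivalent of shortening the list this script walks; sssd and Kerberos doing their own DNS discovery is why stale SRV entries still cause sporadic failures even after the client enrolls against slinky.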
Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.1 - 2011/06