Hi,
The ipa-server is set up to: ourdomain.example. We actually use a subdomain 
called: local.ourdomain.example

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> @192.168.66.205 SRV 
_ldap._tcp.local.ourdomain.example
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17604
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.local.ourdomain.example.    IN      SRV

;; AUTHORITY SECTION:
local.ourdomain.example.        3600    IN      SOA     
freeipa1.local.ourdomain.example. hostmaster.local.ourdomain.example. 
1551582429 3600 900 1209600 3600

;; Query time: 0 msec
;; SERVER: 192.168.xx.xx5#53(192.168.xx.xx5)
;; WHEN: do mrt 07 10:34:03 CET 2019
;; MSG SIZE  rcvd: 112

With regard to the home directories, they are NFS mounted by the automount service 
set up in the ipa-server.
I am sure there is read access when the old replica is offline because users can 
log in.
(automount key:  *   -fstype=nfs,rw,vers=3 192.168.xx.xx9:/mnt/raid/homedirs/&)
I'll check in the weekend for write permissions. It makes sense that this can 
disrupt services.

We use the FreeIPA for DNS, automount and login. I have about 20 ipa-clients 
connected and 10 users.
DNS resolves for the 20 ipa-clients and automount mounts home directories and 
about 8 other NFS shares + 2 SMB shares.
All ipa-clients are unenrolled from the old replica-server and joined to the new 
ipa-server.

The old replica had a master in domain: foreign.ourdomain.example. This master 
is destroyed.

The new ipa-server has the following config:

  Maximum username length: 32
  Home directory base: /users_roaming
  Default shell: /bin/bash
  Default users group: pusers
  Default e-mail domain: local.ourdomain.example
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=OURDOMAIN>EXAMPLE
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: 
guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: freeipa1.local.ourdomain.example
  IPA CA servers: freeipa1.local.ourdomain.example
  IPA NTP servers: freeipa1.local.ourdomain.example
  IPA CA renewal master: freeipa1.local.ourdomain.example
  IPA master capable of PKINIT: freeipa1.local.ourdomain.example

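As an added example (not part of the mail above, and not FreeIPA's own code): a small parser for the dig reply quoted in the mail that separates "the IPA DNS does not host this zone at all" from "the zone is hosted here but the SRV record is missing". The sample reply is a constructed copy of the one in the mail, and the list of SRV names is the set an IPA client looks up during discovery.

```python
import re

# Constructed sample: the reply quoted in the mail, with the SOA line unwrapped.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17604
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;_ldap._tcp.local.ourdomain.example.    IN      SRV
;; AUTHORITY SECTION:
local.ourdomain.example.        3600    IN      SOA     freeipa1.local.ourdomain.example. hostmaster.local.ourdomain.example. 1551582429 3600 900 1209600 3600
"""

# SRV records ipa-server-install publishes and ipa-client-install queries.
IPA_SRV_PREFIXES = ("_ldap._tcp", "_kerberos._udp", "_kerberos._tcp",
                    "_kerberos-master._udp", "_kerberos-master._tcp",
                    "_kpasswd._udp", "_kpasswd._tcp", "_ntp._udp")

def expected_srv_names(domain):
    """FQDNs of the SRV records a client expects for the given IPA domain."""
    return [f"{p}.{domain}" for p in IPA_SRV_PREFIXES]

def parse_dig(text):
    """Extract status, header flags, answer count and the authority SOA."""
    info = {"status": None, "flags": set(), "answer": 0,
            "soa_zone": None, "soa_mname": None}
    section = None
    for line in text.splitlines():
        if "HEADER" in line:
            m = re.search(r"status: (\w+)", line)
            if m:
                info["status"] = m.group(1)
        elif line.startswith(";; flags:"):
            m = re.search(r"flags: ([^;]*);.*ANSWER: (\d+)", line)
            if m:
                info["flags"] = set(m.group(1).split())
                info["answer"] = int(m.group(2))
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line.split()[1]
        elif section == "AUTHORITY" and not line.startswith(";"):
            parts = line.split()
            if len(parts) >= 7 and parts[3] == "SOA":
                info["soa_zone"], info["soa_mname"] = parts[0], parts[4]
    return info

def diagnose(info):
    """Classify the reply from an IPA client-discovery point of view."""
    if info["status"] == "NOERROR" and info["answer"] > 0:
        return "ok"
    if info["status"] == "NXDOMAIN" and "aa" in info["flags"] and info["soa_zone"]:
        # Authoritative answer with the zone's own SOA: the IPA DNS serves the
        # zone, but this particular SRV record does not exist in it.
        return "zone-hosted-record-missing"
    if info["status"] == "NXDOMAIN":
        return "zone-not-hosted"
    return "unexpected"
```

For the quoted reply `diagnose(parse_dig(SAMPLE_DIG))` returns `zone-hosted-record-missing`, which points at the zone contents on freeipa1 rather than at delegation from the parent domain.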
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org