On 7/24/19 11:59 AM, Jo Domsic via FreeIPA-users wrote:
Hi to the good people of FreeIPA!
I'm in the process of removing old servers from my datacenter, and I was
wondering if I can delete/remove the (first created) FreeIPA server?
I have 4 masters:
[root@server] ipa-replica-manage list
freeipa03.lan: master
freeipa04.lan: master
freeipa01.lan: master <--- I want to delete this one
freeipa02.lan: master
Hi,
Before removing this server, please make sure that all its roles are
replicated to at least one other master. For instance, if freeipa01
provides CA, KRA or DNS, check that the role is also configured
somewhere else. You can use ipa server-role-find.
You will also need to transfer the CA renewal and CRL generation
responsibilities to another master (please see [1] for instructions).
What will happen to servers that have:
[root@server2] cat /etc/ipa/default.conf
#File modified by ipa-client-install
[global]
basedn = dc=lan
realm = LAN
domain = lan
server = freeipa01.lan
host = server2.lan
xmlrpc_uri = https://freeipa01.lan/ipa/xml
enable_ra = True
If the client is properly configured and relies on DNS discovery, the
failover will apply silently.
Check on the client that:
- /etc/sssd/sssd.conf defines ipa_server = _srv_,<name of master>
The _srv_ keyword means that service discovery is used to find an
available master. Please see sssd-ipa man page, specifically the
FAILOVER section.
- /etc/krb5.conf defines dns_lookup_kdc = true in [libdefaults] and
there is no kdc= in the realm section for IdM.
This way, Kerberos and SSSD clients will use DNS discovery. Of course,
the DNS needs to be properly set up:
- if using IdM embedded DNS, this is automatic
- if using an external DNS, the proper DNS records are required, please
see [2]. You can also use ipa dns-update-system-records --dry-run to get
a list of the required records in nsupdate format. Please see [3].
HTH,
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/server-roles#server-roles-promote-to-ca
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs
[3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#dns-updates-external
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
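flo's checklist turned into a pre-removal script, as an added example that is not part of the thread and not FreeIPA's own tooling. Each check is a small function that reads a file (a client config file or captured command output), so it can be exercised on constructed input before being pointed at a live host. Assumptions: the host names from the thread (freeipa01.lan is the master being retired), the "Key: value" layout of `ipa server-role-find` and `ipa config-show` output (the sample output below is constructed to match it), and that the `ipa` CLI on a client reads `server=` / `xmlrpc_uri=` from /etc/ipa/default.conf, which is why a stale default.conf is flagged even when SSSD and Kerberos already use DNS discovery.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: pre-removal checks
# for retiring a FreeIPA master, following the steps in flo's reply. Each check
# is a function that reads a file (a config file or captured command output) so
# it can be exercised on constructed input before being pointed at a live host.
# Assumptions: the thread's host names (freeipa01.lan is the master being
# retired) and the "Key: value" layout of ipa server-role-find / config-show.

OLD_MASTER="${OLD_MASTER:-freeipa01.lan}"
WORK="${TMPDIR:-/tmp}/ipa-retire.$$"

# Server side: print enabled roles that no other master provides.
# $1 = old master, $2 = file holding `ipa server-role-find` output.
roles_only_on() {
  awk -v old="$1" -F': *' '
    $1 ~ /Server name/  { srv = $2 }
    $1 ~ /Role name/    { role = $2 }
    $1 ~ /Role status/ && $2 == "enabled" { n[role]++; if (srv == old) mine[role] = 1 }
    END { for (r in mine) if (n[r] == 1) print r }
  ' "$2" | sort
}

# Server side: print the current CA renewal master from `ipa config-show` output.
ca_renewal_master() {
  sed -n 's/^ *IPA CA renewal master: *//p' "$1"
}

# Client side: sssd.conf must use DNS service discovery (_srv_) for ipa_server.
sssd_uses_srv() {
  grep -E '^[[:space:]]*ipa_server[[:space:]]*=' "$1" | grep -q '_srv_'
}

# Client side: dns_lookup_kdc = true under [libdefaults] and no hard-coded
# kdc = line under [realms]; comment lines are ignored.
krb5_uses_dns() {
  awk -F'=' '
    /^[[:space:]]*[#;]/ { next }
    /^[[:space:]]*\[/   { section = $0; gsub(/[[:space:]]/, "", section); next }
    { key = $1; val = $2; gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val) }
    section == "[libdefaults]" && key == "dns_lookup_kdc" && tolower(val) ~ /^(true|yes|1)$/ { dns = 1 }
    section == "[realms]" && key == "kdc" { kdc = 1 }
    END { exit !(dns && !kdc) }
  ' "$1"
}

# Client side: the ipa CLI reads server= / xmlrpc_uri= from default.conf, so a
# stale entry keeps targeting the retired host. Succeeds (and prints the lines)
# when the old master is still referenced. $1 = default.conf, $2 = old master.
default_conf_refs() {
  grep -E "^[[:space:]]*(server|xmlrpc_uri)[[:space:]]*=.*$2" "$1"
}

# $1 = roles file, $2 = config-show file, $3 = sssd.conf, $4 = krb5.conf, $5 = default.conf
report() {
  echo "Roles provided only by $OLD_MASTER (add them on another master first):"
  roles_only_on "$OLD_MASTER" "$1" | sed 's/^/  /'
  echo "CA renewal master: $(ca_renewal_master "$2")"
  sssd_uses_srv "$3" && echo "sssd.conf: ipa_server uses _srv_" || echo "sssd.conf: no _srv_, failover will NOT be automatic"
  krb5_uses_dns "$4" && echo "krb5.conf: DNS KDC discovery on" || echo "krb5.conf: dns_lookup_kdc off or kdc= hard-coded"
  default_conf_refs "$5" "$OLD_MASTER" >/dev/null && echo "default.conf: still points at $OLD_MASTER (update server= and xmlrpc_uri=)"
  return 0
}

mkdir -p "$WORK"
if [ "${1:-}" = "live" ]; then
  # Needs a valid admin Kerberos ticket on an IPA master.
  ipa server-role-find > "$WORK/roles" && ipa config-show > "$WORK/config" &&
    report "$WORK/roles" "$WORK/config" /etc/sssd/sssd.conf /etc/krb5.conf /etc/ipa/default.conf
else
  # Constructed sample input modelled on the thread: freeipa01 is the only DNS
  # server and the CA renewal master, and the client config hard-codes it.
  printf '%s\n' '  Server name: freeipa01.lan' '  Role name: CA server' '  Role status: enabled' \
    '  Server name: freeipa01.lan' '  Role name: DNS server' '  Role status: enabled' \
    '  Server name: freeipa02.lan' '  Role name: CA server' '  Role status: enabled' \
    '  Server name: freeipa02.lan' '  Role name: DNS server' '  Role status: absent' > "$WORK/roles"
  printf '%s\n' '  Realm name: LAN' '  IPA CA renewal master: freeipa01.lan' > "$WORK/config"
  printf '%s\n' '[domain/lan]' 'ipa_server = freeipa01.lan' > "$WORK/sssd.conf"
  printf '%s\n' '[libdefaults]' '  dns_lookup_kdc = false' '[realms]' '  LAN = {' '    kdc = freeipa01.lan:88' '  }' > "$WORK/krb5.conf"
  printf '%s\n' '[global]' 'server = freeipa01.lan' 'xmlrpc_uri = https://freeipa01.lan/ipa/xml' > "$WORK/default.conf"
  report "$WORK/roles" "$WORK/config" "$WORK/sssd.conf" "$WORK/krb5.conf" "$WORK/default.conf"
fi
rm -rf "$WORK"
```

Run it with no arguments to see the checks against the constructed sample, or with `live` on a master (with an admin ticket) to run them against real `ipa` output and the local client files. The script only reports; it does not change anything. Note that `ipa config-show` identifies the CA renewal master but not the CRL generation master, which is a local setting on the CA instance and has to be moved following [1] before the old server is removed.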