Adding the DNS fixed it. Just one more question. Should I be updating the file /etc/openldap/ldap.conf to include both masters on the URL line on the clients? The only master that was listed there was the first master created.
Louis
-<<—->>-
Louis Bohm
louisb...@gmail.com
<https://www.youracclaim.com/badges/f11e0d65-21ad-4458-895b-2c5b5cb11134/public_url>

> On Aug 12, 2020, at 7:29 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>
> On 8/12/20 1:16 PM, Louis Bohm via FreeIPA-users wrote:
>> Yes the client was installed not using the --server option. So it looks like
>> my issue is DNS. We have DNS external to the IPA hosts. Is there a simple
>> way for me to get a list of all the DNS records that need to be added to our
>> DNS system from IPA?
> Yes, please see my 2nd link that mentions ipa dns-update-system-records
> --dry-run:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/dns-updates-external
>
> flo
>
>> Louis
>> -<<—->>-
>> Louis Bohm
>> louisb...@gmail.com
>>
>>> On Aug 12, 2020, at 5:02 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>
>>> On 8/11/20 11:16 PM, Louis Bohm via FreeIPA-users wrote:
>>>> Environment:
>>>> 2 IPA Masters running CentOS 8 and IPA Server 4.8.0.13
>>>> Client running CentOS 8 and IPA Client 4.8.0.13
>>>> The masters were setup as MultiMasters (I think I have it correct).
>>>> If I shutdown the first master (ipa01) so only ipa02 is running then try
>>>> to login to the client I cannot. Found I needed to add both hosts to the
>>>> ipa_server line in the sssd.conf under the domain section to make that
>>>> work.
>>>> Now if I try to add a user via the command line on the client I get the
>>>> following error:
>>>> ipa: ERROR: cannot connect to 'https://ipa01.bos1.domain.com/ipa/json':
>>>> [Errno 113] No route to host
>>>> Do I need to list both IPA servers somewhere else? If so where? I did
>>>> try adding both IPA servers on the URL line of openldap.conf (only ipa01
>>>> was listed).
>>> Hi,
>>>
>>> you can find more information in "Failover, Load balancing and High
>>> Availability in IdM" [1]
>>>
>>> On the client-side, it depends on how the client was installed. If DNS
>>> auto-discovery was used (no --server option provided), then sssd.conf
>>> should contain the keyword _srv_ in the list of configured servers
>>> (ipa_server= _srv_, ...). In this case, SSSD is using the DNS to find the
>>> appropriate server, please see sssd-ipa man page, especially the SERVICE
>>> DISCOVERY section.
>>>
>>> This requires the client to use a proper DNS server. If the DNS is provided
>>> by the IPA servers, make sure that /etc/resolv.conf on the client contains
>>> ipa01 and ipa02 (otherwise when ipa01 is down, the client won't be able to
>>> use the DNS).
>>> If the DNS is external, make sure that it contains the proper
>>> records as explained in "Updating DNS records systematically when using
>>> external DNS" [2]
>>>
>>> HTH,
>>> flo
>>>
>>> [1]
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/load-balancing
>>>
>>> [2]
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/dns-updates-external
>>>> Louis
>>>> -<<—->>-
>>>> Louis Bohm
>>>> louisb...@gmail.com
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
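The fix in this thread was to add the records that `ipa dns-update-system-records --dry-run` prints to the external DNS. The failure mode is easy to miss because a client using `_srv_` discovery keeps working as long as the one master its SRV records point at is up. The script below is an added example, not code from the thread or from the FreeIPA project: it compares a dry-run listing with what the client's resolver actually answers and reports records that are missing and SRV names that do not cover every master. The domain `example.test`, the hosts `ipa01`/`ipa02`, the addresses and both inputs are constructed samples; in real use the second input is what `dig +noall +answer <name> <type>` returns for each name in the dry-run output.

```shell
#!/bin/sh
# Added example: compare the records IPA expects (from
# `ipa dns-update-system-records --dry-run`) with what the external
# resolver actually serves. Names and addresses are hypothetical.
export LC_ALL=C

# Constructed sample of --dry-run output for two masters, ipa01 and ipa02.
# The record set is trimmed for illustration; real output lists more names.
DRYRUN_SAMPLE='  IPA DNS records:
    _kerberos-master._tcp.example.test. 86400 IN SRV 0 100 88 ipa01.example.test.
    _kerberos-master._tcp.example.test. 86400 IN SRV 0 100 88 ipa02.example.test.
    _kerberos._udp.example.test. 86400 IN SRV 0 100 88 ipa01.example.test.
    _kerberos._udp.example.test. 86400 IN SRV 0 100 88 ipa02.example.test.
    _ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa01.example.test.
    _ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa02.example.test.
    _kerberos.example.test. 86400 IN TXT "EXAMPLE.TEST"
    ipa-ca.example.test. 86400 IN A 192.0.2.11
    ipa-ca.example.test. 86400 IN A 192.0.2.12'

# Constructed answers from the client's resolver (the shape that
# `dig +noall +answer <name> <type>` prints for each name above).
# ipa02 is missing from _ldap._tcp and one ipa-ca address is absent: the
# state in which a _srv_ client loses LDAP and the CA once ipa01 is down.
RESOLVER_SAMPLE='_kerberos-master._tcp.example.test. 3600 IN SRV 0 100 88 ipa01.example.test.
_kerberos-master._tcp.example.test. 3600 IN SRV 0 100 88 ipa02.example.test.
_kerberos._udp.example.test. 3600 IN SRV 0 100 88 ipa01.example.test.
_kerberos._udp.example.test. 3600 IN SRV 0 100 88 ipa02.example.test.
_ldap._tcp.example.test. 3600 IN SRV 0 100 389 ipa01.example.test.
_kerberos.example.test. 3600 IN TXT "EXAMPLE.TEST"
ipa-ca.example.test. 3600 IN A 192.0.2.11'

# Normalise a record list read on stdin: drop the header and blank lines,
# leading whitespace and the TTL field, so dry-run and dig output compare
# equal even when the external zone uses a different TTL.
normalize() {
  grep -v 'IPA DNS records:' | sed 's/^[[:space:]]*//' | grep -v '^$' |
    awk '{ out = $1; for (i = 3; i <= NF; i++) out = out " " $i; print out }' |
    sort -u
}

# Print every record IPA expects that the resolver did not return.
# $1 = dry-run output, $2 = resolver answers.
missing_records() {
  tmp=$(mktemp)
  printf '%s\n' "$2" | normalize > "$tmp"
  printf '%s\n' "$1" | normalize | grep -vxF -f "$tmp" || true
  rm -f "$tmp"
}

# Print SRV names whose resolver answers point at fewer than $2 masters.
# Such a name still works while every listed master is up, which is why
# the gap only shows when one master is shut down. $1 = resolver answers.
srv_short_names() {
  printf '%s\n' "$1" | normalize | awk -v n="$2" '
    $3 == "SRV" { seen[$1 SUBSEP $NF] = 1 }
    END {
      for (k in seen) { split(k, p, SUBSEP); cnt[p[1]]++ }
      for (name in cnt) if (cnt[name] < n) print name
    }' | sort
}

echo "Records missing from the external DNS:"
missing_records "$DRYRUN_SAMPLE" "$RESOLVER_SAMPLE"
echo "SRV names that do not cover both masters:"
srv_short_names "$RESOLVER_SAMPLE" 2
```

Run it after every master is added or removed, and again after the external zone is edited: an empty result from both checks means a client that discovers servers through `_srv_` can still reach LDAP, Kerberos and the CA when either master is down.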