It does.  Thank you.

Louis
-<<—->>-
Louis Bohm
louisb...@gmail.com

<https://www.youracclaim.com/badges/f11e0d65-21ad-4458-895b-2c5b5cb11134/public_url>

> On Aug 13, 2020, at 10:07 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
> 
> On 8/13/20 2:35 PM, Louis Bohm via FreeIPA-users wrote:
>> Adding the DNS fixed it.
>> Just one more question.  Should I be updating the file 
>> /etc/openldap/ldap.conf to include both masters on the URL line on the 
>> clients?  The only master that was listed there was the first master created.
> Hi,
> ldap.conf is used to set system-wide defaults for LDAP clients. For instance, 
> if you run ldapsearch without the -H ldapuri option, ldapsearch will use the 
> URI read from the config file. If the -H option is provided, it will take 
> precedence over the config file.
> 
> The ipa CLI doesn't rely on this file to find the server to talk to (anyway, 
> it doesn't use ldap directly but rather xml rpc or json rpc). It is trying 
> first the server configured in /etc/ipa/default.conf in the xmlrpc_uri 
> directive, or the servers found using the ldap DNS SRV records (see the man 
> page for ipa(1)). So from a purely IPA point of view, no need to update 
> /etc/openldap/ldap.conf.
> 
> Hope this clarifies,
> flo
> 
>> Louis
>> -<<—->>-
>> Louis Bohm
>> louisb...@gmail.com
>> <https://www.youracclaim.com/badges/f11e0d65-21ad-4458-895b-2c5b5cb11134/public_url>
>>> On Aug 12, 2020, at 7:29 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>> 
>>> On 8/12/20 1:16 PM, Louis Bohm via FreeIPA-users wrote:
>>>> Yes the client was installed not using the --server option.  So it looks 
>>>> like my issue is DNS.  We have DNS external to the IPA hosts.  Is there a 
>>>> simple way for me to get a list of all the DNS records that need to be 
>>>> added to our DNS system from IPA?
>>> Yes, please see my 2nd link that mentions ipa dns-update-system-records 
>>> --dry-run: 
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/dns-updates-external
>>> 
>>> flo
>>> 
>>>> Louis
>>>> -<<—->>-
>>>> Louis Bohm
>>>> louisb...@gmail.com
>>>> <https://www.youracclaim.com/badges/f11e0d65-21ad-4458-895b-2c5b5cb11134/public_url>
>>>>> On Aug 12, 2020, at 5:02 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>>> 
>>>>> On 8/11/20 11:16 PM, Louis Bohm via FreeIPA-users wrote:
>>>>>> Environment:
>>>>>> 2 IPA Masters running Centos 8 and IPA Server 4.8.0.13
>>>>>> Client running Centos 8 and IPA Client 4.8.0.13
>>>>>> The masters were set up as MultiMasters (I think I have it correct).
>>>>>> If I shutdown the first master (ipa01) so only ipa02 is running then try 
>>>>>> to login to the client I cannot. Found I needed to add both hosts to the 
>>>>>> IPA_server line in the SSSD.conf under the domain section to make that 
>>>>>> work.
>>>>>> Now if I try to add a user via the command line on the client I get the 
>>>>>> following error:
>>>>>> ipa: ERROR: cannot connect to 'https://ipa01.bos1.domain.com/ipa/json': 
>>>>>> [Errno 113] No route to host
>>>>>> Do I need to list both IPA servers somewhere else?  If so where?  I did 
>>>>>> try adding both IPA servers on the URL line of openldap.conf (only ipa01 
>>>>>> was listed).
>>>>> Hi,
>>>>> 
>>>>> you can find more information in "Failover, Load balancing and High 
>>>>> Availability in IdM" [1]
>>>>> 
>>>>> On the client-side, it depends on how the client was installed. If DNS 
>>>>> auto-discovery was used (no --server option provided), then sssd.conf 
>>>>> should contain the keyword _srv_ in the list of configured servers 
>>>>> (ipa_server= _srv_, ...). In this case, SSSD is using the DNS to find the 
>>>>> appropriate server, please see sssd-ipa man page, especially the SERVICE 
>>>>> DISCOVERY section.
>>>>> 
>>>>> This requires the client to use a proper DNS server. If the DNS is 
>>>>> provided by the IPA servers, make sure that /etc/resolv.conf on the 
>>>>> client contains ipa01 and ipa02 (otherwise when ipa01 is down, the client 
>>>>> won't be able to use the DNS). If the DNS is external, make sure that it 
>>>>> contains the proper records as explained in "Updating DNS records 
>>>>> systematically when using external DNS" [2]
>>>>> 
>>>>> HTH,
>>>>> flo
>>>>> 
>>>>> [1] 
>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/load-balancing
>>>>> 
>>>>> [2] 
>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/dns-updates-external
>>>>>> Louis
>>>>>> -<<—->>-
>>>>>> Louis Bohm
>>>>>> louisb...@gmail.com
>>>>>> <https://www.youracclaim.com/badges/f11e0d65-21ad-4458-895b-2c5b5cb11134/public_url>
>>>>> 
>>> 
> 

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
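The thread above boils down to three places a FreeIPA client looks for a server: the ipa_server list in sssd.conf (with _srv_ meaning "ask DNS"), the SRV records that DNS actually returns, and the xmlrpc_uri in /etc/ipa/default.conf that the ipa CLI tries first. The following checker is an added example, not code from the thread or from the FreeIPA or SSSD projects. It parses constructed copies of both config files (the hostnames ipa01/ipa02.bos1.domain.com are taken from the thread, the rest of the file contents are assumed) and takes the SRV answer as a plain list so it runs offline; on a real client you would fill that list from a dig/host lookup of the _ldap._tcp record and read the real files.

```python
"""Failover sanity check for a FreeIPA client (added example, not project code).

Reports the gaps discussed in the thread:
  * ipa_server names one host and no _srv_   -> SSSD has nothing to fail over to
  * _srv_ is used but the SRV answer misses a master -> external DNS lacks records
    (compare against 'ipa dns-update-system-records --dry-run' on a master)
  * the ipa CLI contacts the xmlrpc_uri host first; if that host is down the CLI
    depends on the SRV-discovered servers, so those must include the other masters
"""
import configparser
from urllib.parse import urlparse

# Constructed sample configs; hostnames follow the thread, other values are assumed.
SSSD_CONF_OK = """
[sssd]
domains = bos1.domain.com
services = nss, pam, ssh, sudo

[domain/bos1.domain.com]
id_provider = ipa
ipa_domain = bos1.domain.com
ipa_server = _srv_, ipa01.bos1.domain.com, ipa02.bos1.domain.com
"""

# The situation from the first mail: only the first master is listed.
SSSD_CONF_SINGLE = """
[domain/bos1.domain.com]
id_provider = ipa
ipa_domain = bos1.domain.com
ipa_server = ipa01.bos1.domain.com
"""

IPA_DEFAULT_CONF = """
[global]
basedn = dc=bos1,dc=domain,dc=com
realm = BOS1.DOMAIN.COM
domain = bos1.domain.com
server = ipa01.bos1.domain.com
xmlrpc_uri = https://ipa01.bos1.domain.com/ipa/xml
"""

MASTERS = ["ipa01.bos1.domain.com", "ipa02.bos1.domain.com"]


def _norm(host):
    """Lower-case a hostname and drop the trailing dot that DNS answers carry."""
    return host.strip().lower().rstrip(".")


def ipa_servers(sssd_text, domain):
    """Return the ipa_server list from the [domain/<domain>] section of sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    raw = cp.get(f"domain/{domain}", "ipa_server", fallback="")
    return [_norm(s) for s in raw.split(",") if s.strip()]


def xmlrpc_host(default_conf_text):
    """Host the ipa CLI tries first: xmlrpc_uri in [global] of /etc/ipa/default.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(default_conf_text)
    uri = cp.get("global", "xmlrpc_uri", fallback="")
    return _norm(urlparse(uri).hostname or "")


def check_failover(servers, first_host, srv_targets, masters):
    """Return a list of findings; an empty list means the client can fail over."""
    masters = {_norm(m) for m in masters}
    srv_targets = {_norm(t) for t in srv_targets}   # targets the SRV lookup returned
    explicit = [s for s in servers if s != "_srv_"]
    uses_srv = "_srv_" in servers
    findings = []

    if not uses_srv and len(explicit) < 2:
        findings.append("sssd: ipa_server names a single server and no _srv_; "
                        "SSSD has nothing to fail over to")
    if uses_srv:
        missing = sorted(masters - srv_targets)
        if missing:
            findings.append("dns: SRV lookup does not return %s; compare with "
                            "'ipa dns-update-system-records --dry-run'" % ", ".join(missing))
    unknown = sorted(set(explicit) - masters)
    if unknown:
        findings.append("sssd: ipa_server names hosts that are not masters: %s"
                        % ", ".join(unknown))
    others = masters - {first_host}
    if first_host and others and not others <= srv_targets:
        findings.append("ipa-cli: xmlrpc_uri points at %s; with it down the CLI can only "
                        "reach %s via SRV records, which do not list them"
                        % (first_host, ", ".join(sorted(others - srv_targets))))
    return findings


if __name__ == "__main__":
    first = xmlrpc_host(IPA_DEFAULT_CONF)
    for label, conf, srv in (("ok", SSSD_CONF_OK, MASTERS),
                             ("single-server", SSSD_CONF_SINGLE, [MASTERS[0]])):
        result = check_failover(ipa_servers(conf, "bos1.domain.com"), first, srv, MASTERS)
        print(label + ":", result or "no failover gaps found")
```

The first scenario is the fixed client from the end of the thread (_srv_ plus both masters, DNS returning both) and yields no findings; the second is the original state and yields the SSSD finding plus the note that the ipa CLI has no fallback once ipa01 is unreachable, which is the "No route to host" error from the first mail.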
