David Harvey via FreeIPA-users wrote:
> Hi FreeIPA users,
>
> I nested this under a related topic before (subject: Replica
> re-initialization failing Replication bind with GSSAPI auth failed: LDAP
> error 49 (Invalid credentials) () ) but it was admittedly a bit off topic...
>
> Is configuring resolv.conf with the single resolver 127.0.0.1 the
> blessed / recommended setup?
Yes, if the IPA server has the DNS service configured. Both bind and the KDC are configured to communicate with 389-ds over an ldapi socket so name lookups should not be an issue during startup. If 389-ds doesn't start then nothing will work.

> We've had some chicken and egg situations recently where dirsrv being
> sad has broken local DNS resolution, and then krb behaviours and lookup
> for the other IPA servers has been impaired as a result.

Each IPA server will only communicate with itself with the exception of replication. 389-ds is the heart of IPA. If that isn't running then the server is basically dead even if other services have started. In this case DNS resolution is the least of your troubles.

> If solely using local bind / loopback in resolv.conf is the recommended
> state, should we be putting the other IPA servers in /etc/hosts or
> anything to make sure they can identify one another in the case of
> dirsrv sadness?

You can but it likely won't do much. Having the local server in /etc/hosts is probably a good idea but I'm ambivalent about storing the others. It could become whack-a-mole as servers come and go and trying to keep the hosts file correct and in sync with the others.

rob

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
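The dependency chain Rob describes (389-ds must be up before bind and the KDC can do anything, and only the local host really needs to resolve while it is down) is easy to turn into a pre-flight check. The POSIX shell script below is an added example, not code from the thread or from the FreeIPA project: it verifies that resolv.conf names only the loopback resolver, that the server's own FQDN is in /etc/hosts, and that the 389-ds ldapi socket exists. The socket path, the sample FQDN and the file contents used in the demo are constructed assumptions passed in as arguments, so the same functions can be pointed at the real /etc/resolv.conf, /etc/hosts and /var/run/slapd-<REALM>.socket on an IPA host.

```shell
#!/bin/sh
# Added example, not from the thread: local-resolution sanity checks for an
# IPA server that runs its own DNS. All paths are parameters so the checks
# can be exercised against constructed copies of the files.

# resolv_only_loopback FILE
# Returns 0 if FILE has at least one nameserver line and every one of them
# is 127.0.0.1 or ::1; returns 1 otherwise.
resolv_only_loopback() {
    ns=$(awk '$1 == "nameserver" { print $2 }' "$1")
    [ -n "$ns" ] || return 1
    for addr in $ns; do
        case "$addr" in
            127.0.0.1|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# hosts_has_self FILE FQDN
# Returns 0 if FQDN appears as a hostname (any field after the address) on a
# non-comment line of FILE, so the host resolves itself without named.
hosts_has_self() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# ldapi_socket_present PATH
# Returns 0 if PATH is a Unix socket. On an IPA host the 389-ds ldapi socket
# is typically /var/run/slapd-<REALM>.socket; the caller supplies the path.
ldapi_socket_present() {
    [ -S "$1" ]
}

# report FQDN RESOLV_CONF HOSTS_FILE LDAPI_SOCKET
# Prints one line per check; the return value is the number of failed checks.
report() {
    fqdn=$1; resolv=$2; hosts=$3; sock=$4; fails=0
    if resolv_only_loopback "$resolv"; then
        echo "ok:   resolv.conf uses only the loopback resolver"
    else
        echo "warn: resolv.conf lists a non-loopback nameserver (or none)"
        fails=$((fails + 1))
    fi
    if hosts_has_self "$hosts" "$fqdn"; then
        echo "ok:   $fqdn is in the hosts file, so it resolves even while named is down"
    else
        echo "warn: $fqdn is not in the hosts file"
        fails=$((fails + 1))
    fi
    if ldapi_socket_present "$sock"; then
        echo "ok:   389-ds ldapi socket present at $sock"
    else
        echo "fail: no ldapi socket at $sock; bind and the KDC cannot reach 389-ds"
        fails=$((fails + 1))
    fi
    return $fails
}

# Demo on constructed inputs (not a real host): a correct resolv.conf and
# hosts file, but no ldapi socket, so exactly one check fails.
demo_dir=$(mktemp -d)
printf 'search example.test\nnameserver 127.0.0.1\n' > "$demo_dir/resolv.conf"
printf '127.0.0.1 localhost\n192.0.2.10 ipa1.example.test ipa1\n' > "$demo_dir/hosts"
if report ipa1.example.test "$demo_dir/resolv.conf" "$demo_dir/hosts" \
          "$demo_dir/slapd-EXAMPLE-TEST.socket"; then
    echo "all checks passed"
else
    echo "failed checks: $?"
fi
rm -rf "$demo_dir"
```

Run it with the real paths once the functions are sourced, e.g. `report "$(hostname -f)" /etc/resolv.conf /etc/hosts /var/run/slapd-EXAMPLE-TEST.socket`; a non-zero return from `report` is the signal to look at dirsrv before chasing DNS or Kerberos symptoms.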