Hi and sorry for the late reply, I've been ill and then lots of work was waiting
for me ;)

I tried to debug the issue further and I was able to make it work by
adding the second IPA server also to the ldap_uri and krb5_server directives
(it was probably my mistake to put it only in ipa_server) - of course in

Here is my working /etc/sssd/sssd.conf in case anyone finds it useful
(or if someone has a comment - feel free to tell me how to make things better):


# Section headers are required by sssd; [domain/kajot.cz] must match the
# name listed in 'domains' in the [sssd] section below.
[domain/kajot.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = kajot.cz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = <<<SERVER NAME>>>
chpass_provider = ipa
# Both IPA servers listed here for failover
ipa_server = id1.kajot.cz, id2.kajot.cz

# For the SUDO integration: the same two servers must also appear in
# ldap_uri and krb5_server, otherwise sudo rules only come from id1
sudo_provider = ldap
ldap_uri = ldap://id1.kajot.cz, ldap://id2.kajot.cz
ldap_sudo_search_base = ou=sudoers,dc=kajot,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/redmine.kajot.cz
ldap_sasl_realm = KAJOT.CZ
krb5_server = id1.kajot.cz, id2.kajot.cz

ldap_sudo_smart_refresh_interval = 120
ldap_sudo_full_refresh_interval = 300

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = kajot.cz
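A small consistency check for exactly the mistake described in this thread: it parses an sssd.conf and reports any server listed in ipa_server that is missing from ldap_uri or krb5_server in the same domain section. This is an added example, not part of the original mail; the embedded config is a constructed, trimmed copy of the one above (with the second server deliberately left out of ldap_uri and krb5_server), and the section name [domain/kajot.cz] is an assumption.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: trimmed sssd.conf in the shape of the one in this thread,
# with id2.kajot.cz missing from ldap_uri and krb5_server (the original bug).
# The section name [domain/kajot.cz] is assumed from 'domains = kajot.cz'.
SAMPLE_BROKEN = """
[domain/kajot.cz]
id_provider = ipa
ipa_server = id1.kajot.cz, id2.kajot.cz
sudo_provider = ldap
ldap_uri = ldap://id1.kajot.cz
krb5_server = id1.kajot.cz

[sssd]
domains = kajot.cz
"""

def _hosts(value):
    """Split a comma-separated sssd server list into lowercase hostnames,
    stripping ldap:// or ldaps:// URI prefixes and any :port suffix."""
    hosts = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "://" in item:
            item = urlparse(item).hostname or item
        else:
            item = item.split(":")[0]
        hosts.append(item.lower())
    return hosts

def failover_mismatches(conf_text):
    """Return {section: {option: [servers from ipa_server missing in option]}}
    for every [domain/...] section whose ldap_uri or krb5_server does not
    cover all of ipa_server. Options that are not set are skipped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        sec = cp[section]
        if not section.startswith("domain/") or "ipa_server" not in sec:
            continue
        ipa = _hosts(sec["ipa_server"])
        for opt in ("ldap_uri", "krb5_server"):
            if opt in sec:
                missing = [h for h in ipa if h not in _hosts(sec[opt])]
                if missing:
                    report.setdefault(section, {})[opt] = missing
    return report
```

Run `failover_mismatches(open("/etc/sssd/sssd.conf").read())` on a real host; an empty dict means every IPA server is also listed for LDAP and Kerberos failover.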
