Re: [Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS

2015-04-10 Thread Martin Chamambo
Thanks for the feedback.

So if the replica is similar to the primary, if the primary gets completely
fried, without automatic failover, I can reconfigure my clients to point to
the new replica server without issues?


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Nathan Kinder [nkin...@redhat.com]
Sent: Saturday, April 11, 2015 4:57 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD 
OPERATE WHEN PRIMARY FAILS

On 04/10/2015 06:54 PM, Martin Chamambo wrote:
> Good day
>
> I have a FreeIPA primary server working as I wanted; no complex stuff has
> been set up yet except the basic service and sudo controls, which is fine by
> me. I have also set up a replica from the primary.
>
> The DNS server is running from a different platform, so basically the 2
> servers query a DNS server on another server to resolve their names.
>
> My question is as follows: when the primary server fails, does the replica
> automatically assume the position of the primary? [And please note that
> replication is also working as expected.]

The replica is no different from the primary master, aside from being
responsible for CRL generation.

Failover really depends on how your clients are configured.  If you are
using SSSD, you should look at the 'FAILOVER' section in the 'sssd-ipa'
man page for details on how it works and how it is configured.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



Re: [Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS

2015-04-10 Thread Rob Crittenden
Martin Chamambo wrote:
> Thanks for the feedback.
>
> So if the replica is similar to the primary, if the primary gets completely
> fried, without automatic failover, I can reconfigure my clients to point to
> the new replica server without issues?

If you use DNS SRV records then in the short term all you need to do is
drop fried server from the list of SRV records and move on.

In the short to medium term on the clients you'd want to check
/etc/ipa/default.conf and /etc/sssd/sssd.conf for references to that
dearly departed server and replace them with another server. You'll also
want to terminate any replication agreements with it on any other
masters otherwise changes will accumulate.

The only difference between the very first master you install and all
the others is that first one generates the CRL and manages CA renewal.
See https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

I should mention that unless a master has actually created a user or
group it has no DNA configuration so has no range of values to assign to
POSIX users/groups. A clone is installed initially without a range and
it fetches one the first time it needs it, from the master that created
it. Of course, if that master is gone then problems ensue.

rob
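
The client-side check described above, as an added example that is not part of the original message: it parses constructed copies of /etc/ipa/default.conf and /etc/sssd/sssd.conf, lists every setting that still names the lost server, and shows which SSSD domains would have no ipa_server entry left. The hostnames, sample file contents and function names are assumptions.

```python
import configparser
import re

# Constructed sample files; hostnames and domains are placeholders.
DEFAULT_CONF = """\
[global]
realm = EXAMPLE.COM
domain = example.com
server = ipa1.example.com
xmlrpc_uri = https://ipa1.example.com/ipa/xml
"""
SSSD_CONF = """\
[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = ipa1.example.com
[domain/lab.example.com]
ipa_server = _srv_, ipa1.example.com, ipa2.example.com
"""

def _parse(text):
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    return cp

def find_references(text, dead_host):
    """Return (section, key) for every setting whose value names dead_host."""
    # Match the whole hostname only, so ipa1.example.com does not hit ipa11.example.com.
    pat = re.compile(r"(?<![\w.-])" + re.escape(dead_host) + r"(?![\w-]|\.\w)", re.I)
    cp = _parse(text)
    return [(s, k) for s in cp.sections() for k, v in cp.items(s) if pat.search(v)]

def servers_left(sssd_text, dead_host):
    """Per SSSD domain, the ipa_server entries that remain once dead_host is dropped."""
    cp = _parse(sssd_text)
    left = {}
    for s in cp.sections():
        if cp.has_option(s, "ipa_server"):
            entries = [e.strip() for e in cp.get(s, "ipa_server").split(",")]
            left[s] = [e for e in entries if e and e.lower() != dead_host.lower()]
    return left

if __name__ == "__main__":
    dead = "ipa1.example.com"  # placeholder name of the lost master
    for name, text in (("default.conf", DEFAULT_CONF), ("sssd.conf", SSSD_CONF)):
        for section, key in find_references(text, dead):
            print(f"{name}: [{section}] {key} still names {dead}")
    for section, rest in servers_left(SSSD_CONF, dead).items():
        print(f"{section}: {'no ipa_server entry left' if not rest else rest}")
```

A domain whose remaining list is empty has no server to fail over to until sssd.conf is edited; one that keeps `_srv_` still relies on the SRV records being cleaned up.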

 
 


[Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS

2015-04-10 Thread Martin Chamambo
Good day

I have a FreeIPA primary server working as I wanted; no complex stuff has been
set up yet except the basic service and sudo controls, which is fine by me. I
have also set up a replica from the primary.

The DNS server is running from a different platform, so basically the 2 servers
query a DNS server on another server to resolve their names.

My question is as follows: when the primary server fails, does the replica
automatically assume the position of the primary? [And please note that
replication is also working as expected.]



Re: [Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS

2015-04-10 Thread Nathan Kinder


On 04/10/2015 06:54 PM, Martin Chamambo wrote:
> Good day
>
> I have a FreeIPA primary server working as I wanted; no complex stuff has
> been set up yet except the basic service and sudo controls, which is fine by
> me. I have also set up a replica from the primary.
>
> The DNS server is running from a different platform, so basically the 2
> servers query a DNS server on another server to resolve their names.
>
> My question is as follows: when the primary server fails, does the replica
> automatically assume the position of the primary? [And please note that
> replication is also working as expected.]

The replica is no different from the primary master, aside from being
responsible for CRL generation.

Failover really depends on how your clients are configured.  If you are
using SSSD, you should look at the 'FAILOVER' section in the 'sssd-ipa'
man page for details on how it works and how it is configured.
