I'm running "ipa-client-install --force-join --no-nisdomain -U", and it auto discovers my freeipa servers, but places both _srv_ and the first server under the "ipa_server" line. This results in the first server being listed twice when running "sssctl domain-status".
Is this expected behavior? Is this behavior that I actually want?
Just trying to understand better. Thank you for any insight!
Russell Jones via FreeIPA-users wrote:
> I'm running "ipa-client-install --force-join --no-nisdomain -U", and it auto discovers my freeipa servers, but places both _srv_ and the first server under the "ipa_server" line. This results in the first server being listed twice when running "sssctl domain-status".
I think you need to be clearer about what you're seeing.
> Is this expected behavior? Is this behavior that I actually want?
> Just trying to understand better. Thank you for any insight!
It very well could be a bug in sssd but _srv_ is included so sssd can fall back to other servers discovered using SRV records if the listed master(s) are not reachable.
rob
Hi Rob,
Thanks for the info! Sorry I wasn't clear. Here's some more info about what is happening on my end so that we can verify it's what is actually supposed to happen.
The command that is being run to bind these nodes to the domain is:
ipa-client-install --force-join --no-nisdomain --domain=<removed> -U -p <enrollment username> -w <enrollment password>
What I expected to happen: Since I did not pass any fixed servers, the client will depend solely on the SRV records to autodiscover and configure.
What happens: It *does* auto discover and configure, but also places an actual server hostname on the ipa_server line as well.
The downside (if it actually is one?): As a result of this, when I run sssctl domain-status, the server that is listed under ipa_server gets shown twice in the domain status output. Example:
[root@rdhpc-n1 xcatpost]# sssctl domain-status <removed>
Online status: Online
Active servers:
IPA: freeipa2.<removed>
Discovered IPA servers:
- freeipa2.<removed>
- freeipa.<removed>
- freeipa3.<removed>
- freeipa3.<removed>
Here's what my sssd.conf looks like after the above ipa-client-install is run. Note the existence of both "_srv_" and "freeipa3" on the ipa_server line:
[domain/<removed>l]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = <removed>
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = rdhpc-n1.nxcluster
chpass_provider = ipa
ipa_server = _srv_, freeipa3.<removed>
dns_discovery_domain = <removed>
autofs_provider = ipa
ipa_automount_location = default

[sssd]
services = nss, sudo, pam, autofs, ssh
domains = <removed>

[nss]
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
On Tue, Jan 28, 2020 at 1:22 PM Rob Crittenden rcritten@redhat.com wrote:
On 1/29/20 3:54 PM, Russell Jones via FreeIPA-users wrote:
> Hi Rob,
> Thanks for the info! Sorry I wasn't clear. Here's some more info about what is happening on my end so that we can verify it's what is actually supposed to happen.
> The command that is being run to bind these nodes to the domain is:
> ipa-client-install --force-join --no-nisdomain --domain=<removed> -U -p <enrollment username> -w <enrollment password>
> What I expected to happen: Since I did not pass any fixed servers, the client will depend solely on the SRV records to autodiscover and configure.
> What happens: It *does* auto discover and configure, but also places an actual server hostname on the ipa_server line as well.
This behavior didn't change recently. I checked in IPA 3.3 and it was already the case. From the sssd-ipa man page this setting seems recommended, as it allows using service discovery whenever possible but also sets a fallback to the specified server if discovery is failing.
> The downside (if it actually is one?): As a result of this, when I run sssctl domain-status, the server that is listed under ipa_server gets shown twice in the domain status output. Example:
> [root@rdhpc-n1 xcatpost]# sssctl domain-status <removed>
> Online status: Online
> Active servers:
> IPA: freeipa2.<removed>
> Discovered IPA servers:
> - freeipa2.<removed>
> - freeipa.<removed>
> - freeipa3.<removed>
> - freeipa3.<removed>
Just a guess on my side but the first occurrence was probably found using discovery and the second using the fixed server name. You should check with the sssd users mailing list (sssd-users@lists.fedorahosted.org) if you want a confirmation.
HTH, flo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
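To make the "_srv_ first, fixed server as fallback" semantics from this exchange concrete, here is an added example (not code from the thread, from FreeIPA or from sssd) that parses the ipa_server line of a constructed sssd.conf like the one posted above and shows why a fixed server that is also published in DNS appears twice. The SRV answers are a constructed dict standing in for a real DNS query, and the merge order is an assumption modeled on Florence's explanation, not sssd's actual code.

```python
import configparser
import io

# Constructed sssd.conf fragment modeled on the one posted in the thread
# (example.test hostnames are placeholders, not real servers).
SAMPLE_SSSD_CONF = """\
[domain/example.test]
ipa_domain = example.test
ipa_server = _srv_, freeipa3.example.test
dns_discovery_domain = example.test
"""

# Constructed stand-in for the SRV answers of _ldap._tcp.<discovery domain>;
# a real check would query DNS instead of reading a dict.
FAKE_SRV_ANSWERS = {"example.test": ["freeipa2.example.test",
                                     "freeipa.example.test",
                                     "freeipa3.example.test"]}

def domain_section(conf_text, domain):
    """Return the [domain/<domain>] section of an sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    return cp[f"domain/{domain}"]

def parse_ipa_server(conf_text, domain):
    """Split the comma-separated ipa_server value into a clean list."""
    raw = domain_section(conf_text, domain).get("ipa_server", "")
    return [s.strip() for s in raw.split(",") if s.strip()]

def failover_order(conf_text, domain, srv_answers):
    """Expand '_srv_' in place with the SRV-discovered servers. Assumption:
    this models the thread's explanation, not sssd's actual code. A fixed
    name that is also discovered shows up twice, like freeipa3 above."""
    disc = domain_section(conf_text, domain).get("dns_discovery_domain", domain)
    order = []
    for entry in parse_ipa_server(conf_text, domain):
        order.extend(srv_answers.get(disc, []) if entry.lower() == "_srv_" else [entry])
    return order

def check_fallback(conf_text, domain, srv_answers):
    """Report whether discovery is preferred and which fixed fallbacks
    are (or are not) also published in DNS."""
    entries = parse_ipa_server(conf_text, domain)
    disc = domain_section(conf_text, domain).get("dns_discovery_domain", domain)
    fixed = [e for e in entries if e.lower() != "_srv_"]
    discovered = set(srv_answers.get(disc, []))
    return {"discovery_first": bool(entries) and entries[0].lower() == "_srv_",
            "fixed_also_discovered": [e for e in fixed if e in discovered],
            "fixed_not_in_dns": [e for e in fixed if e not in discovered]}
```

Passing an empty dict as the SRV answers shows the fallback path: only the fixed server remains in the order.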
> From the sssd-ipa man page this setting seems recommended, as it allows using service discovery whenever possible but also sets a fallback to the specified server if discovery is failing.
Got it. That makes sense, and in that case I won't investigate any further.
It is indeed filling in the two servers due to one being seen from autodiscovery, and the other being manually defined.
Thanks for the insight!
On Wed, Jan 29, 2020 at 11:34 AM Florence Blanc-Renaud flo@redhat.com wrote: