Hello Everyone,
I've configured IPA Locations for all our sites and added site specific
IPA servers to each one. I've also configured the first few IPA clients
to use only the IPA DNS servers that are in the same location as the
IPA clients.
These are the three pertinent options set on the IPA clients (I left
out the rest):
    [domain/idm.tld.com]
    dns_discovery_domain = idm.tld.com
    ipa_server = _srv_, ala-p1idma02.idm.tld.com
    ipa_enable_dns_sites = True
The issue is that when I check which IPA server the IPA client in "ala"
is connected to, it's invariably talking to one that's far away:
~$ ss -t -r state established | grep ldap
0 0 ala-ntp.tld.com:42456 ism-p1idma01.idm.tld.com:ldap
If I restart sssd on the client or on the IPA server it's communicating
with, the client switches to an IPA server that is in its location.
However, after some time, the client once again returns to the old, far
away IPA server.
I've run DNS queries to confirm that location based records are being
returned properly:
    ~$ dig -t SRV +short _ldap._tcp.idm.tld.com | sort -k 4,4n
    0 100 389 ala-p1idma01.idm.tld.com.
    0 100 389 ala-p1idma02.idm.tld.com.
    0 100 389 ala-p1idma03.idm.tld.com.
    0 100 389 ala-p1idmc01.idm.tld.com.
    50 100 389 arn-p1idma01.idm.tld.com.
    50 100 389 arn-p1idma02.idm.tld.com.
    50 100 389 ctu-p1idma01.idm.tld.com.
    50 100 389 ctu-p1idma02.idm.tld.com.
    50 100 389 ism-p1idma01.idm.tld.com.
    50 100 389 ism-p1idma02.idm.tld.com.
    50 100 389 otp-p1idma01.idm.tld.com.
    50 100 389 otp-p1idma02.idm.tld.com.
    50 100 389 pek-p1idma01.idm.tld.com.
    50 100 389 pek-p1idma02.idm.tld.com.
    50 100 389 san-p1idma01.idm.tld.com.
    50 100 389 san-p1idma02.idm.tld.com.
    50 100 389 sel-p1idma01.idm.tld.com.
    50 100 389 sel-p1idma02.idm.tld.com.
    50 100 389 sjo-p1idma01.idm.tld.com.
    50 100 389 sjo-p1idma02.idm.tld.com.
    50 100 389 tok-p1idma01.idm.tld.com.
    50 100 389 tok-p1idma02.idm.tld.com.
    50 100 389 yow-p1idma01.idm.tld.com.
    50 100 389 yow-p1idma02.idm.tld.com.
    50 100 389 yow-p1idma03.idm.tld.com.
    50 100 389 yow-p1idmc01.idm.tld.com.
    _ldap._tcp.ala._locations.idm.tld.com.
Note: some clients are not in the same DNS domain as the IPA domain.
That's why the config snippet above has "dns_discovery_domain" set.
What am I doing incorrectly? Why won't the IPA client machine "stay"
in its location?
--
Ranbir
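A small check that turns the two commands in the post into a monitoring test is shown below. This is an added example, not code from the post or from FreeIPA/SSSD: it parses the `dig +short` SRV answer, keeps the targets that share the lowest priority (the same-location servers, priority 0 in the post), and reports whether the peer of the established LDAP connection from `ss` is one of them. The function names and the embedded sample data are constructed for this example; the hostnames are the ones the post shows.

```shell
#!/bin/sh
# Added example (not from the original post or from SSSD/FreeIPA).
# Flags an IPA client whose established LDAP connection goes to a server
# outside the lowest-priority (same-location) SRV set.

# Constructed sample: what `dig -t SRV +short _ldap._tcp.idm.tld.com`
# returns for a client in the "ala" location (CNAME target plus SRV records).
SAMPLE_SRV='_ldap._tcp.ala._locations.idm.tld.com.
0 100 389 ala-p1idma01.idm.tld.com.
0 100 389 ala-p1idma02.idm.tld.com.
50 100 389 ism-p1idma01.idm.tld.com.
50 100 389 yow-p1idma01.idm.tld.com.'

# Constructed sample: what `ss -t -r state established | grep ldap` showed.
SAMPLE_SS='0 0 ala-ntp.tld.com:42456 ism-p1idma01.idm.tld.com:ldap'

# Print the SRV targets that share the lowest priority, one per line.
# Reads the SRV answer on stdin; lines that are not "prio weight port target"
# (such as the CNAME target line) are skipped.
preferred_servers() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ {
            sub(/\.$/, "", $4)                       # strip trailing dot
            if (min == "" || $1 + 0 < min + 0) { min = $1; list = $4 }
            else if ($1 + 0 == min + 0)        { list = list "\n" $4 }
         }
         END { if (list != "") print list }'
}

# Print the peer hostname of the first ss line on stdin, without ":ldap".
connected_server() {
    awk '{ sub(/:ldap$/, "", $4); print $4; exit }'
}

# Return 0 if the connected peer is a preferred (same-location) server,
# 1 otherwise.  $1: SRV answer text, $2: ss output text.
connected_to_preferred() {
    peer=$(printf '%s\n' "$2" | connected_server)
    printf '%s\n' "$1" | preferred_servers | grep -qx "$peer"
}

# Run against the constructed sample.  On a real client replace the two
# variables with "$(dig -t SRV +short _ldap._tcp.idm.tld.com)" and
# "$(ss -t -r state established | grep ldap)".
if connected_to_preferred "$SAMPLE_SRV" "$SAMPLE_SS"; then
    echo "OK: LDAP connection goes to a same-location IPA server"
else
    echo "WARNING: LDAP connection goes to a remote IPA server"
fi
```

Run periodically (cron or a monitoring agent), the non-zero return of `connected_to_preferred` is the signal that SSSD has failed back to a far-away server, which is exactly the condition the post describes and otherwise only shows up in latency.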