Dear experts,
I have configured a FreeIPA server + a FreeIPA replica, which can work in expectation. But now when I am coming to configure the Client, how to specify the option --server for the ipa-client-install?
Since FreeIPA are working in the mode of master + replica, I think when we are configuring the client, we need to specify a "logical" server, otherwise, how to implement the failover?
Appreciated for your hints Kind Regards, Wenxing
I happened to find the online manual for ipa-client-install, which says the following:

`--server=SERVER` Set the IPA server to connect to. May be specified multiple times to add multiple servers to ipa_server value in sssd.conf. Only the first value is considered when used with --no-sssd.
It's different from the help from command line, :(.
Hello,
When you specify --help to a script, you usually get a brief description of its options. Try `man ipa-client-install` instead ;)
Standa
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Standa Laznicka via FreeIPA-users wrote:
Hello,
When you specify --help to a script, you usually get a brief description of its options. Try `man ipa-client-install` instead ;)
For HA you really don't want to use the --server option but to instead rely on DNS discovery via SRV records.
rob
Thanks to Rob.
Can you help to shed more lights on how to configure the SRV records for auto discovery?
Hello
Can you help to shed more lights on how to configure the SRV records for auto discovery?
When ipa-server is set up with embedded DNS (using --setup-dns), SRV records are automatically added in IPA.
If it's an external DNS server, you need to add records something like this in your DNS server.

    _ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipaserver1.example.com.
    _kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipaserver1.example.com.
    _kerberos._udp.example.com. 86400 IN SRV 0 100 88 ipaserver1.example.com.
    _kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 ipaserver1.example.com.
    _kpasswd._udp.example.com. 86400 IN SRV 0 100 464 ipaserver1.example.com.

After this, the client will auto-discover the IPA server which is providing LDAP & Kerberos information.
Regards Arpit Tolani
I set up an IPA server: freeipa-server, and a replica: freeipa-replica, both with embedded DNS. I have 2 server addresses: freeipa-server.dataservice.net and freeipa-replica.dataservice.net.
When I am configuring the IPA client using ipa-client-install, how do I specify the "--server" option? Or can it automatically figure out the server via the DNS resolver?
Thanks, Wenxing
Hello
Try to run the commands below on your IPA client & point resolv.conf to IPA server & IPA client

    # dig srv _ldap._tcp.dataservice.net
    # dig srv _kerberos._tcp.dataservice.net
    # dig srv _kpasswd._tcp.dataservice.net

If they return your IPA servers, it can automatically figure out your IPA servers using the DNS resolver
Regards Arpit Tolani
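
An added example, not part of the original thread: with discovery, a client only learns about servers that appear in the SRV answers, so a replica missing from any of the five records listed above is invisible to failover for that service. The function below reads records in zone-file or `dig +noall +answer` format on stdin and lists every service/server pair that is missing; the function names and the sample records are constructed for illustration, using the two hostnames and the ports mentioned in the thread.

```sh
#!/bin/sh
# srv_gaps DOMAIN SERVER [SERVER...]
# Reads SRV records on stdin, prints "MISSING <service> <server>" per gap.
# Feed it live data with e.g.: dig +noall +answer srv _ldap._tcp.DOMAIN
srv_gaps() {
    domain=$1; shift
    awk -v domain="$domain" -v servers="$*" '
    BEGIN {
        # The five services from the thread and the port each must use.
        port["_ldap._tcp"] = 389
        port["_kerberos._tcp"] = 88;  port["_kerberos._udp"] = 88
        port["_kpasswd._tcp"] = 464;  port["_kpasswd._udp"] = 464
        n = split(servers, want, " ")
        suffix = "." tolower(domain)
    }
    $3 == "IN" && $4 == "SRV" {
        name = tolower($1); target = tolower($8)
        sub(/\.$/, "", name); sub(/\.$/, "", target)   # drop trailing dots
        if (substr(name, length(name) - length(suffix) + 1) != suffix) next
        svc = substr(name, 1, length(name) - length(suffix))
        # Count a record only if it is a known service on the right port.
        if ((svc in port) && $7 == port[svc]) seen[svc, target] = 1
    }
    END {
        for (svc in port)
            for (i = 1; i <= n; i++)
                if (!((svc, tolower(want[i])) in seen))
                    print "MISSING", svc, want[i]
    }' | sort
}

# Constructed sample: the replica was forgotten in _kpasswd._udp.
sample_zone() {
    cat <<'EOF'
_ldap._tcp.dataservice.net. 86400 IN SRV 0 100 389 freeipa-server.dataservice.net.
_ldap._tcp.dataservice.net. 86400 IN SRV 0 100 389 freeipa-replica.dataservice.net.
_kerberos._tcp.dataservice.net. 86400 IN SRV 0 100 88 freeipa-server.dataservice.net.
_kerberos._tcp.dataservice.net. 86400 IN SRV 0 100 88 freeipa-replica.dataservice.net.
_kerberos._udp.dataservice.net. 86400 IN SRV 0 100 88 freeipa-server.dataservice.net.
_kerberos._udp.dataservice.net. 86400 IN SRV 0 100 88 freeipa-replica.dataservice.net.
_kpasswd._tcp.dataservice.net. 86400 IN SRV 0 100 464 freeipa-server.dataservice.net.
_kpasswd._tcp.dataservice.net. 86400 IN SRV 0 100 464 freeipa-replica.dataservice.net.
_kpasswd._udp.dataservice.net. 86400 IN SRV 0 100 464 freeipa-server.dataservice.net.
EOF
}

sample_zone | srv_gaps dataservice.net \
    freeipa-server.dataservice.net freeipa-replica.dataservice.net
```

An empty result means every listed server is published for every service.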
so we can safely ignore the --server option for the ipa-client-install? but the --domain and --realm are mandatory?
Many thanks to Arpit.
Hello
I am sorry, I am not sure, but if your client hostname is within the correct domain, I think you don't need to give domain & realm.
Like, if your IPA domain & realm is dataservice.net & your client hostname is system2.dataservice.net, I think it will take it automatically. Someone else can confirm.
Please test this locally.
Regards Arpit Tolani
I have done a simple verification without the option "--server" with embedded DNS, it works.
Thanks to all