Hi,

As a side-note, please keep the mailing list in the recipients list.

On Mon, Feb 10, 2025 at 5:40 PM azeem <azeemshoppin...@gmail.com> wrote:
> Hi Florence,
>
> Thanks for the response.
>
> Yes, I have added the new FreeIPA server's hostname in the /etc/hosts
> file, and when I add the new FreeIPA server's IP to /etc/resolv.conf, the
> client is able to discover the new FreeIPA server. However, do I need to
> manually add the new FreeIPA server IP in the /etc/resolv.conf file every
> time I set up a new client? I thought the command:
>
> ipa-client-install --hostname=$(hostname -f) --mkhomedir --server=newfreeipa.ipa.testing.com --domain=ipa.testing.com --realm=IPA.TESTING.COM
>
> would automatically discover the FreeIPA server without needing to
> manually add it to the /etc/resolv.conf file.
>

Please read the "Autodiscovery" section of the man page for
ipa-client-install. Autodiscovery means that the installer finds the right
server based on its own domain and the DNS records for _ldap._tcp.$DOMAIN or
_ldap._tcp.$PARENTDOMAIN etc... The client must be properly configured for
DNS, otherwise it won't find any SRV record for _ldap._tcp.$DOMAIN.

As Rafael pointed out, if you use ansible to automate the client
installation, it is possible to have ansible-freeipa automate the DNS setup
for you. If you are using the command line, the DNS configuration is a
prerequisite.

Hope this clarifies,
flo

> Also, when I run this command on the client, before adding the new FreeIPA
> server IP to /etc/resolv.conf:
>
> dig _ldap._tcp.ipa.clear-markets.com SRV
>
> It lists the old FreeIPA servers instead of the new one. This is where I'm
> stuck – it seems like auto-discovery isn't working unless I explicitly add
> the new FreeIPA server's IP in /etc/resolv.conf.
>
> On Mon, Feb 10, 2025 at 5:36 AM Florence Blanc-Renaud <f...@redhat.com> wrote:
>> Hi,
>>
>> do your clients use the new IPA server as DNS server? This can be done
>> prior to calling ipa-client-install.
>> flo
>>
>> On Fri, Feb 7, 2025 at 5:01 PM azeem via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>>> Hello All,
>>>
>>> I have two FreeIPA servers running in AWS—one primary and one
>>> replica—with the DNS entry ipa.testing.com. These servers are running
>>> an older version of FreeIPA on CentOS 7 with expired certificates. I
>>> inherited this setup from a previous admin.
>>>
>>> Since the certificates have expired, I attempted multiple renewal
>>> methods, including rolling back the system time, but nothing worked. As a
>>> solution, I set up a new FreeIPA primary server with the same DNS entry
>>> (ipa.testing.com) and added it to the AWS DHCP configuration alongside
>>> the old servers.
>>>
>>> Steps Taken:
>>>
>>> 1. Added the new FreeIPA server to /etc/hosts:
>>>
>>>    123.234.543 test.ipa.testing.com test
>>>
>>> 2. Installed FreeIPA using the following command:
>>>
>>>    ipa-server-install --setup-dns --allow-zone-overlap
>>>
>>> 3. The installation completed successfully. I can log into the UI,
>>>    create users, and manage configurations without issues.
>>>
>>> The Problem:
>>>
>>> When installing a FreeIPA client, it does not auto-discover the new
>>> FreeIPA server unless I explicitly specify it in the command:
>>>
>>> ipa-client-install --hostname=$(hostname -f) --mkhomedir --server=newfreeipa.ipa.testing.com --domain=ipa.testing.com --realm=IPA.TESTING.COM
>>>
>>> Without the --server parameter, auto-discovery fails.
>>>
>>> Additionally, after successfully enrolling two clients (client-a and
>>> client-b), I am unable to resolve their hostnames between them. When I
>>> attempt to ping client-a from client-b, I receive:
>>>
>>> Name or service not known
>>>
>>> What am I missing?
>>>
>>> - Why isn't the client auto-discovering the new FreeIPA server?
>>> - Why can't the clients resolve each other's hostnames after
>>>   enrollment?
>>> - Is there anything I need to adjust in DNS or DHCP to ensure proper
>>>   resolution and discovery?
>>>
>>> Any help would be greatly appreciated! Thanks in advance.
>>> --
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>>
>>
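A pre-flight check for the DNS prerequisite described in this thread, added here as an example; it is not part of the thread and not FreeIPA's own tooling. It derives the SRV names the installer searches (the client's own domain, then each parent domain), parses the SRV answers `dig` returns, and reports whether the expected server is among them or whether only other (stale) servers are advertised, which is the symptom azeem reports. It also lists the resolvers from /etc/resolv.conf so the "do your clients use the new IPA server as DNS server?" question can be answered before enrolment. The `dig` output, the resolv.conf text, the resolver addresses and the `oldipa1`/`oldipa2` host names are constructed sample data; only `newfreeipa.ipa.testing.com` comes from the thread.

```python
"""Pre-flight check for FreeIPA client autodiscovery (added example, not
FreeIPA code). Confirms that the client's resolver can return _ldap._tcp SRV
records for the client's domain or a parent domain, and that those records
point at the server you expect, before running ipa-client-install without
--server."""
import re
import socket
import subprocess
from typing import Dict, List

# One SRV answer as printed by `dig +short <name> SRV` ("priority weight port
# target") or as the tail of a full dig answer line ("... IN SRV p w port t").
_SRV_RE = re.compile(r"(?:\bSRV\s+)?(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def candidate_srv_names(client_fqdn: str, service: str = "_ldap._tcp") -> List[str]:
    """Names to query, in the order autodiscovery walks them: the client's own
    domain, then each parent domain, stopping before the top-level domain."""
    labels = client_fqdn.rstrip(".").split(".")
    domains = [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    return [f"{service}.{domain}" for domain in domains]


def parse_srv_answers(dig_output: str) -> List[Dict[str, object]]:
    """Extract SRV records from dig output, skipping ';' comment lines, ordered
    as a client would try them: lowest priority first, higher weight first."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = _SRV_RE.search(line)
        if match is None:
            continue
        priority, weight, port, target = match.groups()
        records.append({
            "priority": int(priority),
            "weight": int(weight),
            "port": int(port),
            "target": target.rstrip(".").lower(),
        })
    records.sort(key=lambda r: (r["priority"], -r["weight"]))
    return records


def nameservers(resolv_conf: str) -> List[str]:
    """Resolver addresses listed in /etc/resolv.conf text, in lookup order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_autodiscovery(dig_output: str, expected_server: str) -> Dict[str, object]:
    """Report which servers the SRV records advertise and whether the expected
    one is among them; 'other_servers' non-empty with expected_found False is
    the 'old servers are still published' situation."""
    targets = [r["target"] for r in parse_srv_answers(dig_output)]
    expected = expected_server.rstrip(".").lower()
    return {
        "targets": targets,
        "expected_found": expected in targets,
        "other_servers": [t for t in targets if t != expected],
    }


# Constructed sample data (not from the thread): a zone that still advertises
# two decommissioned servers, and one that advertises only the new server.
SAMPLE_STALE = """\
0 100 389 oldipa1.ipa.testing.com.
0 100 389 oldipa2.ipa.testing.com.
"""
SAMPLE_OK = "0 100 389 newfreeipa.ipa.testing.com.\n"

# Constructed /etc/resolv.conf; the addresses are placeholders.
SAMPLE_RESOLV = """\
search ipa.testing.com
nameserver 10.0.0.10
nameserver 10.0.0.2
"""


def run_dig(name: str) -> str:
    """Ask the system resolver for an SRV record set (requires `dig`)."""
    return subprocess.run(["dig", "+short", name, "SRV"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        print("resolvers:", nameservers(fh.read()))
    for name in candidate_srv_names(socket.getfqdn()):
        verdict = check_autodiscovery(run_dig(name), "newfreeipa.ipa.testing.com")
        print(name, "->", verdict)
        if verdict["targets"]:
            break  # autodiscovery stops at the first domain with SRV records
```

Run it on a client before `ipa-client-install`: if the first resolver is not the new IPA server and `other_servers` lists only the old hosts, the client is still being steered to the old deployment by DNS, and fixing the resolver (or the SRV record set) is the remedy rather than adding `--server`.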