Hi,

As a side-note, please keep the mailing list in the recipients list.

On Mon, Feb 10, 2025 at 5:40 PM azeem <azeemshoppin...@gmail.com> wrote:

> Hi Florence,
>
> Thanks for the response.
>
> Yes, I have added the new FreeIPA server's hostname in the /etc/hosts
> file, and when I add the new FreeIPA server's IP to /etc/resolv.conf, the
> client is able to discover the new FreeIPA server. However, do I need to
> manually add the new FreeIPA server IP in the /etc/resolv.conf file every
> time I set up a new client? I thought the command:
>
> ipa-client-install --hostname=$(hostname -f) --mkhomedir --server=newfreeipa.ipa.testing.com --domain=ipa.testing.com --realm=IPA.TESTING.COM
>
> would automatically discover the FreeIPA server without needing to
> manually add it to the /etc/resolv.conf file.
>

Please read the "Autodiscovery" section of the man page for
ipa-client-install. Autodiscovery means that the installer finds the right
server based on its own domain and the DNS records for _ldap._tcp.$DOMAIN
or _ldap._tcp.$PARENTDOMAIN etc...
The client must be properly configured for DNS otherwise it won't find any
SRV record for _ldap._tcp.$DOMAIN.

As Rafael pointed out, if you use ansible to automate the client
installation, it is possible to have ansible-freeipa automate the DNS setup
for you. If you are using the command-line, the DNS configuration is a
prerequisite.

Hope this clarifies,
flo

>
> Also, when I run this command on the client, before adding the new FreeIPA
> server IP to /etc/resolv.conf:
>
> dig _ldap._tcp.ipa.clear-markets.com SRV
>
> It lists the old FreeIPA servers instead of the new one. This is where I’m
> stuck – it seems like auto-discovery isn’t working unless I explicitly add
> the new FreeIPA server's IP in /etc/resolv.conf.
>
> On Mon, Feb 10, 2025 at 5:36 AM Florence Blanc-Renaud <f...@redhat.com>
> wrote:
>
>> Hi,
>>
>> do your clients use the new IPA server as DNS server? This can be done
>> prior to calling ipa-client-install.
>> flo
>>
>> On Fri, Feb 7, 2025 at 5:01 PM azeem via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.org> wrote:
>>
>>> Hello All,
>>>
>>> I have two FreeIPA servers running in AWS—one primary and one
>>> replica—with the DNS entry ipa.testing.com. These servers are running
>>> an older version of FreeIPA on CentOS 7 with expired certificates. I
>>> inherited this setup from a previous admin.
>>>
>>> Since the certificates have expired, I attempted multiple renewal
>>> methods, including rolling back the system time, but nothing worked. As a
>>> solution, I set up a new FreeIPA primary server with the same DNS entry (
>>> ipa.testing.com) and added it to the AWS DHCP configuration alongside
>>> the old servers.
>>> Steps Taken:
>>>
>>>    1. Added the new FreeIPA server to /etc/hosts: 123.234.543
>>>       test.ipa.testing.com test
>>>    2. Installed FreeIPA using the following command: ipa-server-install
>>>       --setup-dns --allow-zone-overlap
>>>    3. The installation completed successfully. I can log into the UI,
>>>       create users, and manage configurations without issues.
>>>
>>> The Problem:
>>>
>>> When installing a FreeIPA client, it does not auto-discover the new
>>> FreeIPA server unless I explicitly specify it in the command:
>>>
>>> ipa-client-install --hostname=$(hostname -f) --mkhomedir --server=newfreeipa.ipa.testing.com --domain=ipa.testing.com --realm=IPA.TESTING.COM
>>>
>>> Without the --server parameter, auto-discovery fails.
>>>
>>> Additionally, after successfully enrolling two clients (client-a and
>>> client-b), I am unable to resolve their hostnames between them. When I
>>> attempt to ping client-a from client-b, I receive:
>>>
>>> Name or service not known
>>>
>>> What am I missing?
>>>
>>>    - Why isn’t the client auto-discovering the new FreeIPA server?
>>>    - Why can’t the clients resolve each other’s hostnames after
>>>      enrollment?
>>>    - Is there anything I need to adjust in DNS or DHCP to ensure proper
>>>      resolution and discovery?
>>>
>>> Any help would be greatly appreciated! Thanks in advance.
>>> --
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-le...@lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>> Do not reply to spam, report it:
>>> https://pagure.io/fedora-infrastructure/new_issue
>>>
>>
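An offline pre-flight check for the DNS prerequisite Florence describes, added here as an example; it is not part of this thread and not FreeIPA project code. It parses the answer section of "dig _ldap._tcp.$DOMAIN SRV +noall +answer" and the nameserver lines of /etc/resolv.conf, and reports whether the resolver the client actually uses advertises the intended IPA server under _ldap._tcp.$DOMAIN, which is the record ipa-client-install autodiscovery relies on. The domain and hostnames are the ones from the thread; the sample SRV answer and resolv.conf content are constructed to mimic the symptom reported (the zone still answering with the old servers), and the live check assumes dig is installed.

```shell
#!/bin/sh
# Added example: pre-flight check for ipa-client-install autodiscovery.
# Not from the thread or the FreeIPA project. It inspects what the client's
# resolver returns for _ldap._tcp.$DOMAIN SRV and which nameservers
# /etc/resolv.conf points at, the two things autodiscovery depends on.

# Extract SRV target hostnames from dig's answer section read on stdin.
# dig +noall +answer prints: NAME TTL IN SRV PRIORITY WEIGHT PORT TARGET.
# Output is lowercased with the trailing dot removed, one target per line.
srv_targets() {
    awk '$4 == "SRV" { t = tolower($8); sub(/\.$/, "", t); print t }'
}

# Exit 0 if the expected IPA server is one of the SRV targets on stdin.
srv_has_server() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    srv_targets | grep -qxF "$expected"
}

# Print the nameserver addresses declared in a resolv.conf read on stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Live check for a real client (needs dig and network access), e.g.:
#   check_autodiscovery ipa.testing.com newfreeipa.ipa.testing.com
# Returns 0 when the client's current resolver advertises the expected
# server, which is the case in which --server can be omitted.
check_autodiscovery() {
    domain=$1
    expected=$2
    echo "resolvers in /etc/resolv.conf:"
    resolv_nameservers < /etc/resolv.conf | sed 's/^/  /'
    answer=$(dig "_ldap._tcp.$domain" SRV +noall +answer)
    echo "_ldap._tcp.$domain SRV targets:"
    printf '%s\n' "$answer" | srv_targets | sed 's/^/  /'
    if printf '%s\n' "$answer" | srv_has_server "$expected"; then
        echo "OK: $expected is advertised; autodiscovery should find it"
        return 0
    fi
    echo "MISSING: $expected is not in the SRV answer. Point the client's"
    echo "resolver at a DNS server carrying the new zone, or pass --server."
    return 1
}

# Constructed sample (not real dig output) reproducing the thread's symptom:
# the resolver still hands out only the old servers.
SAMPLE_SRV='_ldap._tcp.ipa.testing.com. 86400 IN SRV 0 100 389 oldipa1.ipa.testing.com.
_ldap._tcp.ipa.testing.com. 86400 IN SRV 0 100 389 oldipa2.ipa.testing.com.'

# Constructed resolv.conf pointing at a placeholder AWS DHCP resolver.
SAMPLE_RESOLV='search ipa.testing.com
nameserver 10.0.0.2'

# Offline demonstration on the constructed data.
echo "sample SRV targets:"
printf '%s\n' "$SAMPLE_SRV" | srv_targets | sed 's/^/  /'
echo "sample resolvers:"
printf '%s\n' "$SAMPLE_RESOLV" | resolv_nameservers | sed 's/^/  /'
if printf '%s\n' "$SAMPLE_SRV" | srv_has_server newfreeipa.ipa.testing.com; then
    echo "sample: new server advertised"
else
    echo "sample: new server NOT advertised (matches the thread's symptom)"
fi
```

On a client, source the file and run check_autodiscovery with the domain and the new server's FQDN before calling ipa-client-install; a MISSING result means the resolver listed in /etc/resolv.conf does not serve the SRV records for the new server, which is exactly why autodiscovery fails until the client is pointed at a DNS server that does.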