I've got a setup with a primary and replica FreeIPA server and a number of clients. When taking the primary server down briefly for an OS upgrade, everything became really slow. To simulate this, I tried blocking the primary server in a firewall rule on a test client with the same results.
Is it not supposed to just automatically switch over to talking to the replica instead? ipa hostgroup-show ipaservers lists both servers. /etc/ipa/default.conf on the clients does only list the primary server. Is there a quick way to switch dozens of clients to the replica in a single step? And if not, short of uninstalling and reinstalling IPA on a client, how do I safely move it to a replica? In general, is it unwise to balance load by distributing clients across the two servers – I'd assume that would be sensible. I'm using ansible-freeipa to install and deploy FreeIPA.
If I remember correctly, ipa-client-install creates an ipa_server entry in sssd.conf which lists one of the servers first (the one used during client installation) and _srv_ as the second (this entry allows sssd to autodiscover the server). If the listed server is taken off, it still may be tried before falling back to service discovery.
You may consider commenting out or removing that line, restarting sssd and checking if this helps.
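One way to check a client for the ipa_server ordering the answer describes, and to comment the line out as it suggests. This is an added example, not code from the thread or from FreeIPA; the sample sssd.conf, its hostnames, the status labels and the function names are constructed for illustration.

```python
import configparser
import re

# Constructed sample of a client's /etc/sssd/sssd.conf (hostnames are made up).
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_server = ipa1.example.test, _srv_
cache_credentials = True
"""

def audit_ipa_server(conf_text):
    """Return {domain section: (status, servers)} for every IPA domain."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="").strip() != "ipa":
            continue
        raw = cp.get(section, "ipa_server", fallback="")
        servers = [s.strip() for s in raw.split(",") if s.strip()]
        pinned = [s for s in servers if s != "_srv_"]
        if not pinned:
            status = "discovery-only"   # option absent or only _srv_
        elif "_srv_" not in servers:
            status = "pinned-only"      # no DNS discovery fallback listed
        elif servers[0] == "_srv_":
            status = "discovery-first"
        else:
            status = "pinned-first"     # listed host is tried before discovery
        report[section] = (status, servers)
    return report

def comment_out_ipa_server(conf_text):
    """Comment out ipa_server lines, leaving every other line untouched."""
    return re.sub(r"(?m)^([ \t]*)(ipa_server[ \t]*=.*)$", r"\1#\2", conf_text)

if __name__ == "__main__":
    print(audit_ipa_server(SAMPLE_CONF))
    print(audit_ipa_server(comment_out_ipa_server(SAMPLE_CONF)))
```
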