From Fedora Project Wiki


Instaling clients with preferred servers with fixed addresses.

An IPA client normally uses DNS to find a server to communicate with, and only if that server is unreachable, it falls back to the specific server it was installed with. This provides automatic discovery and load balancing when replicas are added or deleted. However, sometimes it is preferable to prefer a specific server. IPA 3.0 provides an option to do this.


  1. Install an IPA server as described in QA:Testcase_freeipav3_installation.
  2. Optionally, install some replicas as shown in QA:Testcase_freeipav3_replication.

How to test

Install the client

First, install the client RPMs:

# yum install freeipa-client

Then, install the client:

# ipa-client-install --fixed-primary --domain --server -p admin -w secret123

If you have many replicas, you can use multiple --server options. For this test, omit one of your servers from the list. For example if you have,, and, run:

# ipa-client-install --fixed-primary --domain --server --server -p admin -w secret123

Verifying installation

When the install is done, verify that IPA is working, for example by getting information about the admin and getting a ticket:

# id admin
# getent passwd admin
# kinit admin

Check /etc/sssd/sssd.conf. The ipa_server option should have the name of the server(s), and there should be no '_srv_' entry.

Check that unspecified replicas are not contacted

On one of your IPA servers, add a user to test with:

# ipa user-add --first=Glen --last=Jones gjones

On all masters you've configured your client with, run the following to stop them:

# ipactl stop

Verify that the client is not functioning:

# kinit admin
kinit: Cannot contact any KDC for realm 'IPA.EXAMPLE.ORG' while getting initial credentials
# id gjones
id: gjones: no such user

Then, start one of the servers again:

# ipactl start  # on a server

And on the client, verify it is functioning again:

# kinit admin  # you will be able to log in
# id gjones
uid=371600001(gjones) gid=371600001(gjones) groups=371600001(gjones)

Remove the client

When you are done with the client, uninstall it:

# ipa-client-install --uninstall

Expected Results

All the test steps should end successfully with the specified results.