Description of problem:
With these records in DNS:

ipa-client-rhel5.test.mydomain:~ # host -t srv _kerberos._tcp.mydomain
_kerberos._tcp.mydomain has SRV record 0 100 88 ipa01.mydomain.
_kerberos._tcp.mydomain has SRV record 0 100 88 ipa02.mydomain.
ipa-client-rhel5.test.mydomain:~ # host -t srv _kpasswd._tcp.mydomain
_kpasswd._tcp.mydomain has SRV record 0 100 464 ipa01.mydomain.
_kpasswd._tcp.mydomain has SRV record 0 100 464 ipa02.mydomain.
ipa-client-rhel5.test.mydomain:~ # host -t srv _ldap._tcp.mydomain
_ldap._tcp.mydomain has SRV record 0 100 389 ipa01.mydomain.
_ldap._tcp.mydomain has SRV record 0 100 389 ipa02.mydomain.

the following sssd.conf works:

--- /etc/sssd/sssd.conf ---
[sssd]
config_file_version = 2
services = nss, pam
debug_level = 3
domains = mydomain

[domain/mydomain]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-client-rhel5.test.mydomain
chpass_provider = ipa
ipa_server = _srv_
ldap_tls_cacert = /etc/ipa/ca.crt
dns_discovery_domain = mydomain
--- /etc/sssd/sssd.conf ---

But, with the default behaviour after the ipa-client-install script run, the ipa_server field in sssd.conf is changed to:

ipa_server = _srv_, ipa01.mydomain

and, in this case, DNS failover based on SRV records is not working any more. ipa01.mydomain is always used.

Version-Release number of selected component (if applicable):
$ cat etc/redhat-release
Red Hat Enterprise Linux Server release 5.8 (Tikanga)
ipa-client-2.1.3-2.el5_8.x86_64
libipa_hbac-1.5.1-49.el5_8.1.x86_64
sssd-1.5.1-49.el5_8.1.x86_64
sssd-client-1.5.1-49.el5_8.1.x86_64

How reproducible:
According to the client reports, always.

Steps to Reproduce:
1. Verify that the ipa_server field only uses SRV records. Test which server is used, and verify that both in SRV records are used.
2. Run ipa-client-install script
3. Check the changes in field ipa_server of /etc/sssd/sssd.conf and test again. Verify that only the fixed IPA server is used.

Actual results:
The client is always served by ipa01.mydomain

Expected results:
Using SRV records, the client should also be served by ipa02.mydomain

Additional info:
This looks a lot like this bug: Unable to resolve SRV record when called with _srv_,<fixed ldap uri> in ldap_uri
https://bugzilla.redhat.com/show_bug.cgi?id=695476
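The following Python model shows the server order that an `ipa_server` value is expected to produce: `_srv_` expands to the targets found in DNS SRV records, ordered per RFC 2782 (ascending priority, weighted random choice within a priority), and any fixed hostname listed after it is only a fallback. It is an added example written for this report, not SSSD's code; the SRV record set is constructed in memory from the `host -t srv` output above so nothing touches DNS, the lookup name `_ldap._tcp.<domain>` and the de-duplication of a fixed host that was already discovered are assumptions of the model, and `uses_fixed_fallback` simply flags the `_srv_, ipa01.mydomain` shape that ipa-client-install wrote.

```python
"""Model of SSSD's documented ipa_server failover order (constructed example,
not SSSD code): `_srv_` -> SRV-discovered hosts (RFC 2782 order), then any
fixed hostnames as fallbacks."""
import random
from collections import defaultdict

# Constructed from the `host -t srv _ldap._tcp.mydomain` output in the report:
# (priority, weight, port, target).  No real DNS lookups are performed.
SRV_RECORDS = {
    "_ldap._tcp.mydomain": [
        (0, 100, 389, "ipa01.mydomain."),
        (0, 100, 389, "ipa02.mydomain."),
    ],
}


def parse_ipa_server(value):
    """Split an `ipa_server = a, b` value into its comma-separated tokens."""
    return [tok.strip() for tok in value.split(",") if tok.strip()]


def order_srv(records, rng):
    """Order SRV targets per RFC 2782: lowest priority first; inside one
    priority group pick targets by weighted random selection until the
    group is exhausted.  Returns [(host, port), ...]."""
    by_priority = defaultdict(list)
    for prio, weight, port, target in records:
        by_priority[prio].append((weight, port, target.rstrip(".")))
    ordered = []
    for prio in sorted(by_priority):
        group = list(by_priority[prio])
        while group:
            total = sum(w for w, _, _ in group)
            threshold = rng.random() * total
            running, chosen = 0, group[-1]
            for entry in group:
                running += entry[0]
                if running >= threshold:
                    chosen = entry
                    break
            group.remove(chosen)
            ordered.append((chosen[2], chosen[1]))
    return ordered


def failover_list(ipa_server_value, domain, srv_records=SRV_RECORDS,
                  rng=None, seed=None):
    """Expand the ipa_server value into the order of hosts to try.
    Assumption of this model: the SRV lookup name is _ldap._tcp.<domain>
    and a fixed host that SRV already returned is not listed twice."""
    rng = rng if rng is not None else random.Random(seed)
    servers = []
    for tok in parse_ipa_server(ipa_server_value):
        if tok == "_srv_":
            recs = srv_records.get("_ldap._tcp." + domain, [])
            candidates = [host for host, _port in order_srv(recs, rng)]
        else:
            candidates = [tok]
        for host in candidates:
            if host not in servers:
                servers.append(host)
    return servers


def uses_fixed_fallback(ipa_server_value):
    """True when a fixed hostname is listed alongside `_srv_`: the shape
    ipa-client-install wrote, which the report says defeats SRV failover."""
    toks = parse_ipa_server(ipa_server_value)
    return "_srv_" in toks and any(t != "_srv_" for t in toks)


def primary_distribution(ipa_server_value, domain, trials=2000, seed=1):
    """Count which host ends up first over many expansions; with two
    equal-weight SRV targets both should appear roughly half the time."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(trials):
        counts[failover_list(ipa_server_value, domain, rng=rng)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for value in ("_srv_", "_srv_, ipa01.mydomain", "ipa01.mydomain"):
        print("%-24s fixed fallback: %-5s first-host distribution: %s" % (
            value, uses_fixed_fallback(value),
            primary_distribution(value, "mydomain")))
```

Running the block prints the first-host distribution for the three configurations: with `_srv_` alone (and, in this model, with `_srv_, ipa01.mydomain` as well) both ipa01 and ipa02 come first about half the time, while the plain `ipa01.mydomain` value always yields ipa01, which is the behaviour the report observes on this SSSD version for the mixed value.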
Please put debug_level=10 into the [domain/mydomain] section, restart the SSSD and attach the file /var/log/sssd/sssd_mydomain.log