pgb 205 via FreeIPA-users writes:

> Here is the log that I sent in yesterday. With server1 and server2
> down, but server3 up.
>
> kdc=server1
> kdc=server2
> kdc=server3
> kdc_master=server1
> kdc_master=server2
> kdc_master=server3
kdc_master isn't a valid directive for krb5.conf (we call it master_kdc). Can you show your entire krb5.conf, including [realms] and [libdefaults] sections?

> kinit tries server1 and server2 but never even attempts server3
>
> KRB5_TRACE=/dev/stdout kinit user(a)test.domain

I assume "(a)" is standing in for '@'?

> [12536] 1501112935.251721: Getting initial credentials for user(a)test.domain
> [12536] 1501112935.251917: Sending request (181 bytes) to test.domain
> [12536] 1501112935.251956: Resolving hostname server1
> [12536] 1501112935.252875: Sending initial UDP request to dgram server1_ip:88
> [12536] 1501112936.253962: Resolving hostname server2
> [12536] 1501112936.255680: Retrying AS request with master KDC

Alright, so something spooks krb5 here, it looks like. I need to see the whole krb5.conf to have a better idea, but:

- is udp_preference_limit set?
- is one of these configured for KKDCP?
- is the DNS for server2 weird in some way?
- same question but for server3?

Can you tell me what the OS/Kerberos versions are for server1, server2, and server3? Also the OS/krb5 version/sssd version for the client you're using.

> [12536] 1501112936.255699: Getting initial credentials for user(a)test.domain
> [12536] 1501112936.255763: Sending request (181 bytes) to test.domain (master)
> [12536] 1501112936.255779: Resolving hostname server1
> [12536] 1501112936.256379: Sending initial UDP request to dgram server1_ip:88
> [12536] 1501112937.257451: Resolving hostname server2
> kinit: Invalid argument while getting initial credentials

Yeah, I suspect getaddrinfo() returns something weird for server2. If you can, I'd suggest getting the return values from it; if you're not comfortable doing that, I can bake you a shim that'll print out that information.

> kinit with following configuration will work, however.
> kdc=server1
> kdc=server2
> kdc=server3
> kdc_master=server1
> # kdc_master=server2
> kdc_master=server3

See above; as written this isn't different from the configuration above (krb5 will ignore lines it doesn't recognize). Assuming you meant "master_kdc" there: this is presumably because it never retries server2 after switching to querying masters, and instead goes on to server3.

Thanks,
--Robbie
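An added example, not part of the thread: a small Python check that parses the [realms] stanza of a krb5.conf, flags directives krb5 would silently ignore (the kdc_master typo above), and runs getaddrinfo() against every listed KDC host, which is the check Robbie suggests for server2. The directive set, the sample config and the fake resolver are constructed for this example.

```python
import socket
# Realm-stanza directives krb5 understands (subset; an assumption of this check).
KNOWN_REALM_KEYS = {"kdc", "master_kdc", "admin_server", "kpasswd_server",
                    "default_domain", "auth_to_local", "database_module"}

def parse_realms(text):
    """Map REALM -> [(key, value)] from [realms]; repeated 'kdc =' lines are kept."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif section == "realms" and line.endswith("{"):
            realm = line[:-1].strip(" =")               # 'TEST.DOMAIN = {'
            realms[realm] = []
        elif line == "}":
            realm = None
        elif realm is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[realm].append((key, value))
    return realms

def check_realm(realms, realm_name, resolver=socket.getaddrinfo):
    """Flag silently-ignored directives, then getaddrinfo() each KDC host."""
    findings = []
    for key, value in realms.get(realm_name, []):
        if key not in KNOWN_REALM_KEYS:
            hint = " (did you mean master_kdc?)" if key == "kdc_master" else ""
            findings.append(f"ignored directive {key}={value}{hint}")
        elif key in ("kdc", "master_kdc"):
            host = value.split(":")[0]                  # strip an explicit :port
            try:
                addrs = sorted({ai[4][0] for ai in resolver(host, 88)})
                findings.append(f"{key} {host} -> {', '.join(addrs)}")
            except OSError as e:                        # socket.gaierror is an OSError
                findings.append(f"{key} {host} -> getaddrinfo failed: {e}")
    return findings
# Constructed config mirroring the thread's stanza (kdc_master is the typo).
SAMPLE_CONF = ("[realms]\n TEST.DOMAIN = {\n kdc = server1\n kdc = server2\n"
               " kdc = server3\n kdc_master = server1\n kdc_master = server3\n }\n")

def fake_resolver(host, port):  # constructed stand-in: server2 fails, others resolve
    if host == "server2":
        raise socket.gaierror("Name or service not known")
    return [(socket.AF_INET, socket.SOCK_DGRAM, 17, "", ("192.0.2." + host[-1], port))]

def demo_findings():
    return check_realm(parse_realms(SAMPLE_CONF), "TEST.DOMAIN", fake_resolver)
```

Run against a real krb5.conf by passing its text to parse_realms() and leaving the default resolver in place; a host that errors or returns an unexpected family shows up as a finding before kinit ever sends a packet.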