You might not be able to auto-discover the realm (dns_lookup_realm = true).

Have you tried manually configuring DOMAIN.NET?




[libdefaults]
  default_realm = DOMAIN.NET
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DOMAIN.NET = {
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .domain.net = DOMAIN.NET
  domain.net = DOMAIN.NET
  client1.domain.net = DOMAIN.NET




On 2/16/22 10:09 AM, David Galarreta via FreeIPA-users wrote:
Hello!
We get the following error when we try to create a Kerberos ticket:
kinit: Cannot find KDC for realm "TEST.INTERN" while getting initial credentials

/etc/krb5.conf:
[libdefaults]
   default_realm = TEST.INTERN
   dns_lookup_realm = true
   dns_lookup_kdc = true
   rdns = false
   dns_canonicalize_hostname = false
   ticket_lifetime = 24h
   forwardable = true
   udp_preference_limit = 0
   default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  TEST.INTERN = {
     pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
     pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
   }
[domain_realm]
   .domain.net = TEST.INTERN
   domain.net = TEST.INTERN
   client1.domain.net = TEST.INTERN

The DNS records from FreeIPA for autodiscovery are working. If I add kdc = 
ipaserver.domain.net, I get the Kerberos ticket. But we want to use 
autodiscovery for failover. So we do not want to add the server address on every 
client.

Do you have any idea? Thanks
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
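
An added check, not part of the thread and not FreeIPA code, for the situation discussed above: it derives the SRV names a client queries for the KDC from default_realm when dns_lookup_kdc = true, and tests whether they fall under a DNS domain mapped to that realm in [domain_realm]. The embedded config is a constructed excerpt of the one quoted above; the function names are hypothetical, and the check assumes the KDC SRV records are published only under the domains listed in [domain_realm].

```python
import re

# Constructed sample: excerpt of the krb5.conf quoted in the original message.
SAMPLE_KRB5_CONF = """\
[libdefaults]
   default_realm = TEST.INTERN
   dns_lookup_realm = true
   dns_lookup_kdc = true

[realms]
  TEST.INTERN = {
     pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
   }

[domain_realm]
   .domain.net = TEST.INTERN
   domain.net = TEST.INTERN
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]} for flat 'key = value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current.append((key, value))
    return sections

def kdc_srv_names(realm):
    """SRV owner names queried for a realm's KDC when dns_lookup_kdc is on."""
    return [f"_kerberos._{proto}.{realm.lower()}" for proto in ("udp", "tcp")]

def check_kdc_discovery(text):
    """Return (srv_names, covered); covered is True when the SRV names sit
    under a DNS domain that [domain_realm] maps to the default realm."""
    sections = parse_sections(text)
    realm = dict(sections["libdefaults"])["default_realm"]
    # Assumption: the SRV records exist only under these mapped DNS domains.
    domains = [d.lstrip(".").lower()
               for d, r in sections.get("domain_realm", []) if r == realm]
    names = kdc_srv_names(realm)
    return names, any(n.endswith("." + d) for n in names for d in domains)
```

Running check_kdc_discovery on the client's /etc/krb5.conf contents lists the names to query with a DNS tool; a False second value means the lookup is made outside the zone the hosts live in.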
