On 09/06/2012 10:40 AM, Michael Mercier wrote:
> Hello,
>
> I have experienced some odd connectivity issues using MMR with FreeIPA (all 
> systems CentOS 6.3).  I have 2 ipa servers (ipaserver / ipaserver2) setup 
> using MMR.
>
> [root@ipaserver ~]#ipa-replica-manage list
> ipaserver.mpls.local: master
> ipaserver2.mpls.local: master
> [root@ipaserver ~]# rpm -qa|grep ipa
> libipa_hbac-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
>
>
> [root@ipaserver2 ~]#ipa-replica-manage list
> ipaserver.mpls.local: master
> ipaserver2.mpls.local: master
> [root@ipaserver2 ~]# rpm -qa|grep ipa
> ipa-client-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> libipa_hbac-1.8.0-32.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
>
>
> [mike@ipaclient ~]$ rpm -qa|grep ipa
> ipa-admintools-2.2.0-16.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
> libipa_hbac-1.8.0-32.el6.x86_64
>
>
> I have a webserver (zenoss) using kerberos authentication.  
>
> [root@zenoss ~]# rpm -qa|grep ipa
> libipa_hbac-1.8.0-32.el6.x86_64
> libipa_hbac-python-1.8.0-32.el6.x86_64
> ipa-python-2.2.0-16.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-admintools-2.2.0-16.el6.x86_64
>
> <Location />
>    SSLRequireSSL
>    AuthType Kerberos
>    AuthName "Kerberos Login"
>
>    KrbMethodK5Passwd Off
>    KrbAuthRealms MPLS.LOCAL
>    KrbSaveCredentials on
>    KrbServiceName HTTP
>    Krb5KeyTab /etc/http/conf.d/http.keytab
>
>    AuthLDAPUrl "ldap://ipaserver.mpls.local 
> ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>    RequestHeader set X_REMOTE_USER %{remoteUser}e
>    require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
> </Location>
>
>
> With both ipaserver and ipaserver2 'up', if I connect to 
> https://zenoss.mpls.local from ipaclient using firefox, I am successfully 
> connected.  If on ipaserver I do a 'ifdown eth0' and attempt another 
> connection, it fails.  I have also noticed the following:
>
> 1. I am unable to use the ipaserver2 management interface when ipaserver is 
> unavailable.
> 2. It takes a longer period of time to do a kinit
>
> If I then perform:
> [root@ipaserver ~]#ifup eth0
>
> [root@ipaserver2 ~]#ifdown eth0
>
> [mike@ipaclient ~]$kinit 
> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial 
> credentials
>
> [root@ipaserver2 ~]#ifup eth0
>
> [mike@ipaclient ~]$ kinit
> Password for mike@MPLS.LOCAL: 
> [mike@ipaclient ~]$
>
> [root@ipaserver2 ~]#ifdown eth0
>
> .. wait number of minutes
>
> ipaclient screen locks - type password - after a short delay (~7 seconds) 
> screen unlock completes
>
> [mike@ipaclient ~]$kinit
> Password for mike@MPLS.LOCAL: 
> [mike@ipaclient ~]$
>
> Any ideas?
>
> Thanks,
> Mike

This seems to be some DNS problem.
Your client does not see the second replica and might have some name
resolution timeouts.

Please check your DNS setup and krb5.conf on the client.

To help more we need more details about your client configuration, DNS and
Kerberos.

>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


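One way to check the client side of what Dmitri suggests, as an added example that is not from the thread: parse the client's krb5.conf and report whether it has a second path to a KDC when ipaserver is down. The sample config below is constructed, not Mike's actual file.

```python
import re

# Constructed sample: a client krb5.conf that only records the first server
# (an assumption about Mike's setup, used here to reproduce the symptom).
SINGLE_KDC_CONF = """
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_kdc = false
[realms]
  MPLS.LOCAL = {
    kdc = ipaserver.mpls.local:88
    admin_server = ipaserver.mpls.local:749
  }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values]}}; a 'REALM = {' block
    inside a section becomes a nested dict keyed by the realm name."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            continue  # ignore anything before the first section header
        m = re.match(r"(\S+)\s*=\s*\{$", line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        (block if block is not None else section).setdefault(key, []).append(value)
    return conf

def kdc_failover_findings(conf, realm):
    """Report how this client locates a KDC for `realm` and what to verify.
    With dns_lookup_kdc off and a single kdc host, losing that host means
    'Cannot contact any KDC' even though the other replica is up."""
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    dns_lookup = flag.lower() in ("true", "yes", "1")  # MIT default is true
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    hosts = sorted({k.split(":")[0] for k in kdcs})
    if dns_lookup:
        return [f"dns_lookup_kdc is on: check that _kerberos._udp.{realm.lower()} "
                f"SRV records list every replica and that the resolver in "
                f"/etc/resolv.conf stays reachable when one server is down"]
    if len(hosts) < 2:
        return [f"dns_lookup_kdc is off and only {hosts[0] if hosts else 'no host'} "
                f"is listed as kdc: the client cannot fail over to the other replica"]
    return []
```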



