Hello!

We are using freeipa version 3 and we are encountering a problem in our
We have one master kdc and two replicas.

On the different Linux servers in our environment, we have the following
krb5.conf (I modified the hostnames for NDA):

#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = <MYREALM>
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  <MYREALM> = {
    kdc = host1.<mydomain>:88
    kdc = host2.<mydomain>:88
    kdc = host3.<mydomain>:88
    master_kdc = host2.<mydomain>:88
    admin_server = host2.<mydomain>:749
    default_domain = <mydomain>
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .<mydomain> = <MYREALM>
  <mydomain> = <MYREALM>
  .<myrealm> = <MYREALM>
  <myrealm> = <MYREALM>

host1 is a physical machine;
host2 and host3 are VMs.

So I have some questions:
Q1 - Does it make sense to point the master_kdc and admin_server lines at
host2, which is a VM, instead of host1, which is a physical machine?

Q2 - When I try to connect to the UI of host1, I can enter my
login/password and it works. When I try to connect to the UI of host2, I
get an error message saying my password is incorrect. When I try to
connect to the UI of host3, it works. Does it mean host1 and host3 are
synchronized but host2 is not?

Q3 - Do the last two lines make sense? I mean, what is the exact usage of
the [domain_realm] section? Does it mean: if I try to connect to a
server whose domain is listed in this section, then I will try to contact
the associated realm?

Thank you in advance for your answers.

Best regards.
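The [domain_realm] lookup that the third question asks about, shown as an added example (not code from the mail or from the FreeIPA project). The rule libkrb5 applies, per the MIT krb5 documentation, is: try the full host name, then each parent domain, a leading-dot entry (every host under that domain) before the plain entry (the host named exactly like the domain, which also stands in for the domain when no dotted entry exists). Only when nothing matches does the client fall back to a KDC referral and, last, the upper-cased domain. The config text, EXAMPLE.COM, example.com and the host names below are constructed stand-ins for the NDA-redacted values in the mail; `parse_krb5_conf`, `realm_for_host` and `kdcs_for_realm` are this example's own helpers, not libkrb5 APIs.

```python
"""Added example: how libkrb5 maps a host name to a realm via [domain_realm]
and where it then finds that realm's KDCs in [realms].  All names below are
constructed sample values."""

SAMPLE_KRB5_CONF = """\
# constructed sample mirroring the layout of an ipa-client-install krb5.conf
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  EXAMPLE.COM = {
    kdc = host1.example.com:88
    kdc = host2.example.com:88
    kdc = host3.example.com:88
    master_kdc = host2.example.com:88
    admin_server = host2.example.com:749
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
  legacy.corp.example.net = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf subset used here: [section] headers,
    key = value lines (a repeated key such as kdc collects into a list) and
    one level of "NAME = { ... }" blocks.  includedir lines are ignored."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        if key in target:
            prev = target[key]
            target[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            target[key] = value
    return conf


def realm_for_host(conf, hostname):
    """Static [domain_realm] lookup as MIT krb5 performs it with DNS lookups
    disabled (dns_lookup_realm = false): the full host name first, then each
    parent domain, with a leading dot (everything under the domain) before
    without one (the host named like the domain itself).  Returns None when
    nothing matches; libkrb5 would then ask the client's KDC for a referral
    and, failing that, guess the realm from the upper-cased domain part."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        for candidate in ("." + domain, domain):
            if candidate in mapping:
                return mapping[candidate]
    return None


def kdcs_for_realm(conf, realm):
    """KDC and master_kdc entries for a realm; with dns_lookup_kdc = false
    this list is the only place libkrb5 looks for the realm's KDCs."""
    entry = conf.get("realms", {}).get(realm, {})
    kdcs = entry.get("kdc", [])
    kdcs = kdcs if isinstance(kdcs, list) else [kdcs]
    return {"kdc": kdcs, "master_kdc": entry.get("master_kdc")}


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for h in ("host3.example.com", "example.com", "legacy.corp.example.net",
              "other.corp.example.net"):
        realm = realm_for_host(conf, h)
        print(f"{h:26} -> {realm}  {kdcs_for_realm(conf, realm) if realm else ''}")
```

Run as a script, it prints which realm (and KDC list) each sample host resolves to. In terms of the two lines from the question: `.<mydomain> = <MYREALM>` is what makes every host under the domain resolve to the realm, while `<mydomain> = <MYREALM>` covers a host whose name is exactly the bare domain; a host in an unrelated domain (`other.corp.example.net` above) gets no static mapping at all.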

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
