On Wed, 23 Sep 2015, Andy Thompson wrote:
> I've got all of my environments set up with two IPA servers.  I'm
> fighting intermittent problems with krb5kdc crashing on them in all of
> my environments and I've opened a ticket with Redhat on that.  What I
> can't figure out though is why the clients will not fail over to the
> second functioning server in the domain.
>
> My sssd.conf files are all pretty generic from the install with minimal
> modification to add a couple settings.
>
> [domain/mhbe.lin]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = mhbe.lin
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = mdhixproddb01.mhbe.lin
> chpass_provider = ipa
> ipa_server = _srv_, mdhixprodipa01.mhbe.lin
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> default_domain_suffix = mhbe.local
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = mhbe.lin
> [nss]
> default_shell = /bin/bash
> homedir_substring = /home
> debug_level = 7
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
>
> I thought the _srv_ would force it to use DNS, and both servers are
> round-robined when digging the _kerberos records from DNS.  So I don't
> understand why it's not working.
ipa_server is for SSSD tasks using LDAP server. Kerberos libraries are
using /etc/krb5.conf for hints where to find KDCs.

A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing
'kdc = ' for specific realm would cause Kerberos clients to do DNS
discovery using SRV records.

If multiple 'kdc = ...' values are specified in the realm definition,
Kerberos clients will fail over to the next one in the list in case of a
failure.
When ipa-client-install is run, we configure krb5.conf without explicit
KDCs if DNS discovery of Kerberos was successful, which should take care
of SRV record-based discovery of KDCs.
--
/ Alexander Bokovoy
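The following is an added example, not code from the thread or from the FreeIPA project. It is a small checker that reads a krb5.conf and reports, per realm, whether a Kerberos client would locate KDCs through DNS SRV records (dns_lookup_kdc enabled and no 'kdc =' entries) or through an explicit 'kdc =' list (with failover only when more than one entry is present). The two krb5.conf fragments are constructed for the demonstration; the second KDC hostname (mdhixprodipa02) and the SINGLE.EXAMPLE realm are hypothetical. The assumption that dns_lookup_kdc defaults to true, and that explicit 'kdc =' entries take precedence over DNS lookup for that realm, follows MIT krb5's documented behaviour.

```python
import re

# Constructed krb5.conf as ipa-client-install writes it when DNS discovery
# succeeded: dns_lookup_kdc on, no 'kdc =' lines for the realm.
KRB5_CONF_DNS = """
[libdefaults]
 default_realm = MHBE.LIN
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 MHBE.LIN = {
  admin_server = mdhixprodipa01.mhbe.lin
 }
"""

# Constructed krb5.conf with explicit KDC lists. mdhixprodipa02 and the
# SINGLE.EXAMPLE realm are hypothetical names used only for illustration.
KRB5_CONF_EXPLICIT = """
[libdefaults]
 default_realm = MHBE.LIN
 dns_lookup_kdc = false

[realms]
 MHBE.LIN = {
  kdc = mdhixprodipa01.mhbe.lin:88
  kdc = mdhixprodipa02.mhbe.lin:88
  admin_server = mdhixprodipa01.mhbe.lin:749
 }
 SINGLE.EXAMPLE = {
  kdc = kdc01.single.example
 }
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader.

    Returns {section: {key: [values]}}; inside a section, a 'NAME = { ... }'
    block (as used under [realms]) becomes a nested dict. Repeated keys such
    as several 'kdc =' lines accumulate into a list in file order.
    """
    sections = {}
    current = None      # dict for the current [section]
    subsection = None   # dict for the current 'NAME = { ... }' block, if any
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:
            current = sections.setdefault(m.group(1), {})
            subsection = None
            continue
        if current is None:
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            subsection = current.setdefault(m.group(1), {})
            continue
        if line == '}':
            subsection = None
            continue
        m = re.match(r'^(\S+)\s*=\s*(.*)$', line)
        if m:
            target = subsection if subsection is not None else current
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return sections


def kdc_lookup_mode(conf_text, realm):
    """Classify how a client finds KDCs for `realm` under this krb5.conf.

    'explicit': one or more 'kdc =' entries; failover only if more than one.
    'dns-srv' : no 'kdc =' entries and dns_lookup_kdc enabled (MIT default
                is true), so SRV records decide the list and its order.
    'none'    : neither, so the client has nothing to contact.
    """
    conf = parse_krb5_conf(conf_text)
    libdefaults = conf.get('libdefaults', {})
    dns_flag = libdefaults.get('dns_lookup_kdc', ['true'])[-1].lower()
    dns_lookup = dns_flag in ('true', 'yes', '1')
    realm_cfg = conf.get('realms', {}).get(realm, {})
    kdcs = realm_cfg.get('kdc', []) if isinstance(realm_cfg, dict) else []
    if kdcs:
        return {'mode': 'explicit', 'kdcs': list(kdcs), 'failover': len(kdcs) > 1}
    if dns_lookup:
        return {'mode': 'dns-srv', 'kdcs': [], 'failover': True,
                'srv': '_kerberos._udp.' + realm.lower()}
    return {'mode': 'none', 'kdcs': [], 'failover': False}


if __name__ == '__main__':
    for label, text in (('dns', KRB5_CONF_DNS), ('explicit', KRB5_CONF_EXPLICIT)):
        for realm in ('MHBE.LIN', 'SINGLE.EXAMPLE'):
            print(label, realm, kdc_lookup_mode(text, realm))
```

To run the check against a live host, read /etc/krb5.conf into `kdc_lookup_mode` instead of the constructed strings; a realm that comes back as 'explicit' with `failover` False is the configuration that leaves clients stuck on one KDC.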
