On Thu, 24 Sep 2015, Andy Thompson wrote:
-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Thursday, September 24, 2015 1:17 AM
To: Andy Thompson <andy.thomp...@e-tcc.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA server failover

On Wed, 23 Sep 2015, Andy Thompson wrote:
>I've got all of my environments setup with two IPA servers.  I'm
>fighting intermittent problems with krb5kdc crashing on them in all of
>my environments and I've opened a ticket with Redhat on that.  What I
>can't figure out though is why the clients will not fail over to the
>second functioning server in the domain
>
>My sssd.conf files are all pretty generic from the install with minimal
>modification to add a couple settings.
>
>[domain/mhbe.lin]
>
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = mhbe.lin
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = mdhixproddb01.mhbe.lin
>chpass_provider = ipa
>ipa_server = _srv_, mdhixprodipa01.mhbe.lin
>ldap_tls_cacert = /etc/ipa/ca.crt
>
>[sssd]
>default_domain_suffix = mhbe.local
>services = nss, sudo, pam, ssh
>config_file_version = 2
>
>domains = mhbe.lin
>[nss]
>default_shell = /bin/bash
>homedir_substring = /home
>debug_level = 7
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>
>I thought the _srv_  would force it to use dns and both servers are
>round robined when digging the _kerberos records from DNS.  So I don't
>understand why it's not working
ipa_server is for SSSD tasks using LDAP server. Kerberos libraries are using
/etc/krb5.conf for hints where to find KDCs.

A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing 'kdc = '
for specific realm would cause Kerberos clients to do DNS discovery using
SRV records.


Here are the contents of my krb conf with everything set to lookup and it 
doesn't appear to be working.

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MHBE.LIN
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0


[realms]
 MHBE.LIN = {
   pkinit_anchors = FILE:/etc/ipa/ca.crt

 }


[domain_realm]
 .mhbe.lin = MHBE.LIN
 mhbe.lin = MHBE.LIN

I bet you have SSSD supplying you KDC info in
/var/lib/sss/pubconf/kdcinfo.MHBE.LIN via
/usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so

You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
see details in sssd-krb5(5).
--
/ Alexander Bokovoy
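The diagnosis in this thread comes down to lookup order: the SSSD locator plugin (fed by the kdcinfo.REALM file) is consulted before the profile's `kdc =` entries, and DNS SRV discovery is only reached when neither supplies a KDC. The script below is an added example, not code from the thread or from the SSSD/MIT krb5 projects. It parses a krb5.conf-style profile (constructed here to mirror the one posted above), reports where libkrb5 would get its KDCs from the profile alone, and then models the effect of a kdcinfo file and of `krb5_use_kdcinfo = false`. Assumptions: a kdcinfo file holds one KDC address per line, the `dns_lookup_kdc` default is true, and `effective_kdcs`, `kdc_source` and `parse_krb5_conf` are names chosen for this example.

```python
"""Model how a krb5 client picks KDCs: SSSD kdcinfo, then kdc=, then DNS SRV.

Added example for the failover discussion above; not the projects' own code.
"""
import re

# Constructed sample, mirroring the krb5.conf posted in the thread.
SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MHBE.LIN
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0

[realms]
 MHBE.LIN = {
   pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .mhbe.lin = MHBE.LIN
 mhbe.lin = MHBE.LIN
"""

# Constructed contents of /var/lib/sss/pubconf/kdcinfo.MHBE.LIN (assumed
# format: one KDC address per line), pinning the client to one server.
SAMPLE_KDCINFO = "mdhixprodipa01.mhbe.lin\n"


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values] | {nested}}}.

    Handles one level of braces (the REALM = { ... } stanzas). Repeated keys
    such as multiple 'kdc' lines are collected into a list in file order.
    'include' / 'includedir' directives are ignored, as are '#' comments.
    """
    conf = {}
    section = None   # dict for the current [section]
    stanza = None    # dict for the currently open 'NAME = {' block, if any
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('include'):
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:
            section = conf.setdefault(m.group(1), {})
            stanza = None
            continue
        if section is None:
            continue
        if line == '}':
            stanza = None
            continue
        m = re.match(r'^(\S+)\s*=\s*(.*)$', line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == '{':
            stanza = section.setdefault(key, {})
            continue
        target = stanza if stanza is not None else section
        target.setdefault(key, []).append(value)
    return conf


def kdc_source(conf, realm):
    """Where the profile alone would send KDC traffic for `realm`.

    'static' if the realm stanza lists kdc= entries, 'dns-srv' if
    dns_lookup_kdc is on (default true), otherwise 'none'.
    """
    realm_conf = conf.get('realms', {}).get(realm, {})
    if realm_conf.get('kdc'):
        return 'static'
    flag = conf.get('libdefaults', {}).get('dns_lookup_kdc', ['true'])[-1]
    if flag.lower() in ('true', 'yes', '1'):
        return 'dns-srv'
    return 'none'


def effective_kdcs(conf, realm, kdcinfo_text=None, krb5_use_kdcinfo=True):
    """Apply the lookup order: SSSD locator (kdcinfo) beats kdc= beats SRV.

    Returns (source, targets); for 'dns-srv' the targets are the SRV names
    the client would query rather than resolved hosts.
    """
    if krb5_use_kdcinfo and kdcinfo_text:
        pinned = [l.strip() for l in kdcinfo_text.splitlines() if l.strip()]
        if pinned:
            return ('sssd-kdcinfo', pinned)
    src = kdc_source(conf, realm)
    if src == 'static':
        return ('static', list(conf['realms'][realm]['kdc']))
    if src == 'dns-srv':
        domain = realm.lower()
        return ('dns-srv', ['_kerberos._udp.' + domain, '_kerberos._tcp.' + domain])
    return ('none', [])


if __name__ == '__main__':
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print('profile only   :', kdc_source(parsed, 'MHBE.LIN'))
    print('with kdcinfo   :', effective_kdcs(parsed, 'MHBE.LIN', SAMPLE_KDCINFO))
    print('kdcinfo disabled:', effective_kdcs(parsed, 'MHBE.LIN', SAMPLE_KDCINFO,
                                              krb5_use_kdcinfo=False))
```

Run against the sample profile, the first line reports `dns-srv`, which is what the poster expected; the second shows that as long as SSSD writes a kdcinfo file the client is pinned to the single server listed there regardless of `dns_lookup_kdc`, and the third shows that turning off `krb5_use_kdcinfo` drops back to SRV discovery. On a real host the same check is: look at `/var/lib/sss/pubconf/kdcinfo.<REALM>` before blaming krb5.conf.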
