On Thu, 24 Sep 2015, Andy Thompson wrote:
-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Thursday, September 24, 2015 1:17 AM
To: Andy Thompson <andy.thomp...@e-tcc.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA server failover

On Wed, 23 Sep 2015, Andy Thompson wrote:
>I've got all of my environments setup with two IPA servers.  I'm
>fighting intermittent problems with krb5kdc crashing on them in all of
>my environments and I've opened a ticket with Redhat on that.  What I
>can't figure out though is why the clients will not fail over to the
>second functioning server in the domain
>My sssd.conf files are all pretty generic from the install with minimal
>modification to add a couple settings.
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = mhbe.lin
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = mdhixproddb01.mhbe.lin
>chpass_provider = ipa
>ipa_server = _srv_, mdhixprodipa01.mhbe.lin ldap_tls_cacert =
>/etc/ipa/ca.crt [sssd] default_domain_suffix = mhbe.local services =
>nss, sudo, pam, ssh config_file_version = 2
>domains = mhbe.lin
>default_shell = /bin/bash
>homedir_substring = /home
>debug_level = 7
>I thought the _srv_  would force it to use dns and both servers are
>round robined when digging the _kerberos records from DNS.  So I don't
>understand why it's not working
ipa_server is for SSSD tasks using LDAP server. Kerberos libraries are using
/etc/krb5.conf for hints where to find KDCs.

A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing 'kdc = '
for specific realm would cause Kerberos clients to do DNS discovery using
SRV records.

Here are the contents of my krb conf with everything set to lookup and it 
doesn't appear to be working.

includedir /var/lib/sss/pubconf/krb5.include.d/

 default_realm = MHBE.LIN
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0

   pkinit_anchors = FILE:/etc/ipa/ca.crt


 .mhbe.lin = MHBE.LIN
 mhbe.lin = MHBE.LIN
I bet you have SSSD supplying you KDC info in
/var/lib/sss/pubconf/kdcinfo.MHBE.LIN via

You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
see details in sssd-krb5(5).
/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to