> -----Original Message-----
> From: [email protected] [mailto:freeipa-users-
> [email protected]] On Behalf Of Petr Spacek
> Sent: Thursday, September 24, 2015 9:50 AM
> To: [email protected]
> Subject: Re: [Freeipa-users] IPA server failover
>
> On 24.9.2015 15:29, Alexander Bokovoy wrote:
> > On Thu, 24 Sep 2015, Andy Thompson wrote:
> >>> -----Original Message-----
> >>> From: Alexander Bokovoy [mailto:[email protected]]
> >>> Sent: Thursday, September 24, 2015 1:17 AM
> >>> To: Andy Thompson <[email protected]>
> >>> Cc: [email protected]
> >>> Subject: Re: [Freeipa-users] IPA server failover
> >>>
> >>> On Wed, 23 Sep 2015, Andy Thompson wrote:
> >>> >I've got all of my environments set up with two IPA servers. I'm
> >>> >fighting intermittent problems with krb5kdc crashing on them in all
> >>> >of my environments and I've opened a ticket with Redhat on that.
> >>> >What I can't figure out though is why the clients will not fail
> >>> >over to the second functioning server in the domain.
> >>> >
> >>> >My sssd.conf files are all pretty generic from the install with
> >>> >minimal modification to add a couple of settings.
> >>> >
> >>> >[domain/mhbe.lin]
> >>> >
> >>> >cache_credentials = True
> >>> >krb5_store_password_if_offline = True
> >>> >ipa_domain = mhbe.lin
> >>> >id_provider = ipa
> >>> >auth_provider = ipa
> >>> >access_provider = ipa
> >>> >ipa_hostname = mdhixproddb01.mhbe.lin
> >>> >chpass_provider = ipa
> >>> >ipa_server = _srv_, mdhixprodipa01.mhbe.lin
> >>> >ldap_tls_cacert = /etc/ipa/ca.crt
> >>> >
> >>> >[sssd]
> >>> >default_domain_suffix = mhbe.local
> >>> >services = nss, sudo, pam, ssh
> >>> >config_file_version = 2
> >>> >
> >>> >domains = mhbe.lin
> >>> >[nss]
> >>> >default_shell = /bin/bash
> >>> >homedir_substring = /home
> >>> >debug_level = 7
> >>> >[pam]
> >>> >
> >>> >[sudo]
> >>> >
> >>> >[autofs]
> >>> >
> >>> >[ssh]
> >>> >
> >>> >[pac]
> >>> >
> >>> >[ifp]
> >>> >
> >>> >I thought the _srv_ would force it to use DNS and both servers are
> >>> >round-robined when digging the _kerberos records from DNS. So I
> >>> >don't understand why it's not working.
> >>> ipa_server is for SSSD tasks using the LDAP server. Kerberos libraries
> >>> use /etc/krb5.conf for hints on where to find KDCs.
> >>>
> >>> A combination of 'dns_lookup_kdc = true' in [libdefaults] and a missing
> >>> 'kdc = ' for the specific realm would cause Kerberos clients to do DNS
> >>> discovery using SRV records.
> >>>
> >> Here are the contents of my krb conf with everything set to lookup
> >> and it doesn't appear to be working.
> >>
> >> includedir /var/lib/sss/pubconf/krb5.include.d/
> >>
> >> [libdefaults]
> >> default_realm = MHBE.LIN
> >> dns_lookup_realm = true
> >> dns_lookup_kdc = true
> >> rdns = false
> >> ticket_lifetime = 24h
> >> forwardable = yes
> >> udp_preference_limit = 0
> >>
> >>
> >> [realms]
> >> MHBE.LIN = {
> >> pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>
> >> }
> >>
> >>
> >> [domain_realm]
> >> .mhbe.lin = MHBE.LIN
> >> mhbe.lin = MHBE.LIN
> > I bet you have SSSD supplying you with KDC info in
> > /var/lib/sss/pubconf/kdcinfo.MHBE.LIN via
> > /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
> >
> > You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
> > see details in sssd-krb5(5).
>

I will look into adding this setting. Why is this not the default configuration by the client install?

> Also, I would recommend you to check SRV records in DNS:
>
> $ dig _kerberos._udp.mhbe.lin SRV
>
> It should list both servers (with non-zero priority).
>

OK, both servers are in there but they have a zero priority. Those are the default records added by the install.

-andy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
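An added example, not code from this thread or from the SSSD or MIT Kerberos projects, that puts the three KDC sources discussed above side by side: the SSSD kdcinfo file served through the locator plugin, explicit `kdc =` lines in krb5.conf, and `_kerberos._udp` SRV records when `dns_lookup_kdc` is true. The lookup order it models (locator plugin first, then krb5.conf, then DNS) is an assumption about the client versions in the thread; the sample inputs are constructed from the configs quoted above and the second IPA host name is made up.

```python
import re
# Constructed sample inputs modelled on the thread (the second IPA host name is made up).
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = MHBE.LIN
 dns_lookup_kdc = true
[realms]
 MHBE.LIN = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
"""
SAMPLE_SRV = """_kerberos._udp.mhbe.lin. 86400 IN SRV 0 100 88 mdhixprodipa01.mhbe.lin.
_kerberos._udp.mhbe.lin. 86400 IN SRV 0 100 88 ipa02.mhbe.lin."""
def parse_srv(dig_output):
    """Answer lines of `dig ... SRV` -> (priority, weight, port, host) in the order a client
    tries them (RFC 2782: lowest priority first, then highest weight; equal values are fine)."""
    recs = []
    for line in dig_output.splitlines():
        m = re.match(r"\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$", line.strip())
        if m:
            p, w, port, host = m.groups()
            recs.append((int(p), int(w), int(port), host))
    return sorted(recs, key=lambda r: (r[0], -r[1]))

def parse_krb5_conf(text, realm):
    """(dns_lookup_kdc, explicit kdc= hosts of realm); MIT defaults dns_lookup_kdc to true."""
    dns_lookup_kdc, kdcs, in_realm = True, [], False
    for raw in text.splitlines():
        key, _, val = (x.strip() for x in raw.split("#", 1)[0].partition("="))
        if key == "dns_lookup_kdc":
            dns_lookup_kdc = val.lower() in ("true", "yes", "1")
        elif key == realm and val == "{":
            in_realm = True
        elif in_realm and key == "kdc":
            kdcs.append(val)
        elif key == "}":
            in_realm = False
    return dns_lookup_kdc, kdcs

def effective_kdcs(krb5_conf, realm, srv_output, kdcinfo=None):
    """kdcinfo: content of /var/lib/sss/pubconf/kdcinfo.<REALM> (None when absent). Assumed order:
    sssd_krb5_locator_plugin answer first (pins the client to the server SSSD uses), kdc= lines, SRV."""
    if kdcinfo and kdcinfo.strip():
        return "sssd-kdcinfo", kdcinfo.split()
    dns_ok, kdcs = parse_krb5_conf(krb5_conf, realm)
    if kdcs:
        return "krb5.conf", kdcs
    if dns_ok:
        return "dns-srv", [host for _, _, _, host in parse_srv(srv_output)]
    return "none", []
```

Running `effective_kdcs(SAMPLE_KRB5_CONF, "MHBE.LIN", SAMPLE_SRV, kdcinfo="mdhixprodipa01.mhbe.lin")` shows the single pinned server, while the same call without `kdcinfo` (the effect of `krb5_use_kdcinfo = false`) returns both SRV targets in try order.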
