> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: Thursday, September 24, 2015 9:50 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA server failover
> 
> On 24.9.2015 15:29, Alexander Bokovoy wrote:
> > On Thu, 24 Sep 2015, Andy Thompson wrote:
> >>> -----Original Message-----
> >>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> >>> Sent: Thursday, September 24, 2015 1:17 AM
> >>> To: Andy Thompson <andy.thomp...@e-tcc.com>
> >>> Cc: freeipa-users@redhat.com
> >>> Subject: Re: [Freeipa-users] IPA server failover
> >>>
> >>> On Wed, 23 Sep 2015, Andy Thompson wrote:
> >>> >I've got all of my environments setup with two IPA servers.  I'm
> >>> >fighting intermittent problems with krb5kdc crashing on them in all
> >>> >of my environments and I've opened a ticket with Redhat on that.
> >>> >What I can't figure out though is why the clients will not fail
> >>> >over to the second functioning server in the domain
> >>> >
> >>> >My sssd.conf files are all pretty generic from the install with
> >>> >minimal modification to add a couple settings.
> >>> >
> >>> >[domain/mhbe.lin]
> >>> >
> >>> >cache_credentials = True
> >>> >krb5_store_password_if_offline = True ipa_domain = mhbe.lin
> >>> >id_provider = ipa auth_provider = ipa access_provider = ipa
> >>> >ipa_hostname = mdhixproddb01.mhbe.lin chpass_provider = ipa
> >>> >ipa_server = _srv_, mdhixprodipa01.mhbe.lin ldap_tls_cacert =
> >>> >/etc/ipa/ca.crt [sssd] default_domain_suffix = mhbe.local services
> >>> >= nss, sudo, pam, ssh config_file_version = 2
> >>> >
> >>> >domains = mhbe.lin
> >>> >[nss]
> >>> >default_shell = /bin/bash
> >>> >homedir_substring = /home
> >>> >debug_level = 7
> >>> >[pam]
> >>> >
> >>> >[sudo]
> >>> >
> >>> >[autofs]
> >>> >
> >>> >[ssh]
> >>> >
> >>> >[pac]
> >>> >
> >>> >[ifp]
> >>> >
> >>> >I thought the _srv_  would force it to use dns and both servers are
> >>> >round robined when digging the _kerberos records from DNS.  So I
> >>> >don't understand why it's not working
> >>> ipa_server is for SSSD tasks using LDAP server. Kerberos libraries
> >>> are using /etc/krb5.conf for hints where to find KDCs.
> >>>
> >>> A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing
> 'kdc = '
> >>> for specific realm would cause Kerberos clients to do DNS discovery
> >>> using SRV records.
> >>>
> >>
> >> Here are the contents of my krb conf with everything set to lookup
> >> and it doesn't appear to be working.
> >>
> >> includedir /var/lib/sss/pubconf/krb5.include.d/
> >>
> >> [libdefaults]
> >>  default_realm = MHBE.LIN
> >>  dns_lookup_realm = true
> >>  dns_lookup_kdc = true
> >>  rdns = false
> >>  ticket_lifetime = 24h
> >>  forwardable = yes
> >>  udp_preference_limit = 0
> >>
> >>
> >> [realms]
> >>  MHBE.LIN = {
> >>    pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>
> >>  }
> >>
> >>
> >> [domain_realm]
> >>  .mhbe.lin = MHBE.LIN
> >>  mhbe.lin = MHBE.LIN
> > I bet you have SSSD supplying you KDC info in
> > /var/lib/sss/pubconf/kdcinfo.MHBE.LIN via
> > /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
> >
> > You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
> > see details in sssd-krb5(5).
> 

I will look into adding this setting.  Why is this not the default 
configuration by the client install?

> Also, I would recommend you to check SRV records in DNS:
> 
> $ dig _kerberos._udp.mhbe.lin SRV
> 
> It should list both servers (with non-zero priority).
> 

Ok both servers are in there but they have a zero priority.  Those are the 
default records added by the install.

-andy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to