On 24.9.2015 16:16, Andy Thompson wrote:
>
>
>> -----Original Message-----
>> From: [email protected] [mailto:freeipa-users-
>> [email protected]] On Behalf Of Petr Spacek
>> Sent: Thursday, September 24, 2015 9:50 AM
>> To: [email protected]
>> Subject: Re: [Freeipa-users] IPA server failover
>>
>> On 24.9.2015 15:29, Alexander Bokovoy wrote:
>>> On Thu, 24 Sep 2015, Andy Thompson wrote:
>>>>> -----Original Message-----
>>>>> From: Alexander Bokovoy [mailto:[email protected]]
>>>>> Sent: Thursday, September 24, 2015 1:17 AM
>>>>> To: Andy Thompson <[email protected]>
>>>>> Cc: [email protected]
>>>>> Subject: Re: [Freeipa-users] IPA server failover
>>>>>
>>>>> On Wed, 23 Sep 2015, Andy Thompson wrote:
>>>>>> I've got all of my environments set up with two IPA servers. I'm
>>>>>> fighting intermittent problems with krb5kdc crashing on them in all
>>>>>> of my environments and I've opened a ticket with Red Hat on that.
>>>>>> What I can't figure out though is why the clients will not fail
>>>>>> over to the second functioning server in the domain.
>>>>>>
>>>>>> My sssd.conf files are all pretty generic from the install with
>>>>>> minimal modification to add a couple of settings.
>>>>>>
>>>>>> [domain/mhbe.lin]
>>>>>>
>>>>>> cache_credentials = True
>>>>>> krb5_store_password_if_offline = True
>>>>>> ipa_domain = mhbe.lin
>>>>>> id_provider = ipa
>>>>>> auth_provider = ipa
>>>>>> access_provider = ipa
>>>>>> ipa_hostname = mdhixproddb01.mhbe.lin
>>>>>> chpass_provider = ipa
>>>>>> ipa_server = _srv_, mdhixprodipa01.mhbe.lin
>>>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>>>> [sssd]
>>>>>> default_domain_suffix = mhbe.local
>>>>>> services = nss, sudo, pam, ssh
>>>>>> config_file_version = 2
>>>>>>
>>>>>> domains = mhbe.lin
>>>>>> [nss]
>>>>>> default_shell = /bin/bash
>>>>>> homedir_substring = /home
>>>>>> debug_level = 7
>>>>>> [pam]
>>>>>>
>>>>>> [sudo]
>>>>>>
>>>>>> [autofs]
>>>>>>
>>>>>> [ssh]
>>>>>>
>>>>>> [pac]
>>>>>>
>>>>>> [ifp]
>>>>>>
>>>>>> I thought the _srv_ would force it to use DNS, and both servers are
>>>>>> round-robined when digging the _kerberos records from DNS. So I
>>>>>> don't understand why it's not working.
>>>>> ipa_server is for SSSD tasks using the LDAP server. Kerberos libraries
>>>>> use /etc/krb5.conf for hints on where to find KDCs.
>>>>>
>>>>> A combination of 'dns_lookup_kdc = true' in [libdefaults] and a missing
>>>>> 'kdc = ' for the specific realm would cause Kerberos clients to do DNS
>>>>> discovery using SRV records.
>>>>>
>>>>
>>>> Here are the contents of my krb5.conf with everything set to lookup
>>>> and it doesn't appear to be working.
>>>>
>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>
>>>> [libdefaults]
>>>> default_realm = MHBE.LIN
>>>> dns_lookup_realm = true
>>>> dns_lookup_kdc = true
>>>> rdns = false
>>>> ticket_lifetime = 24h
>>>> forwardable = yes
>>>> udp_preference_limit = 0
>>>>
>>>>
>>>> [realms]
>>>> MHBE.LIN = {
>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>
>>>> }
>>>>
>>>>
>>>> [domain_realm]
>>>> .mhbe.lin = MHBE.LIN
>>>> mhbe.lin = MHBE.LIN
>>> I bet you have SSSD supplying you KDC info in
>>> /var/lib/sss/pubconf/kdcinfo.MHBE.LIN via
>>> /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
>>>
>>> You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
>>> see details in sssd-krb5(5).
>>
>
> I will look into adding this setting. Why is this not the default
> configuration by the client install?
>
>> Also, I would recommend you to check SRV records in DNS:
>>
>> $ dig _kerberos._udp.mhbe.lin SRV
>>
>> It should list both servers (with non-zero priority).
>>
>
> OK, both servers are in there but they have a zero priority. Those are the
> default records added by the install.
Never mind, I got confused. Zero priority should not be an issue, because it
is the same as with MX records: a smaller number means higher priority.

I.e. the DNS configuration sounds correct; I would continue with SSSD or
krb5 libs debugging.

I hope this helps.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
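Added example, not part of the thread and not SSSD or MIT krb5 code: it models the two KDC-selection mechanisms the thread is arguing about. `order_kdcs` sorts SRV records the way RFC 2782 tells a client to (lower priority value first, so the zero priority Petr mentions is the most preferred, with weight used only to spread load among equal priorities). `effective_kdcs` models the short-circuit Alexander points at: the assumption, taken from sssd_krb5_locator_plugin(8), is that when `/var/lib/sss/pubconf/kdcinfo.REALM` exists and is non-empty the locator plugin answers the lookup and libkrb5 never falls through to the `dns_lookup_kdc` SRV query, so only the hosts in that file are tried. The dig answer section and kdcinfo contents are constructed sample data; the function names are mine.

```python
"""Model how a Kerberos client picks a KDC: RFC 2782 SRV ordering versus the
SSSD locator plugin's kdcinfo short-circuit. Added example, not thread code."""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed sample: the answer section `dig _kerberos._udp.mhbe.lin SRV`
# prints for two IPA servers registered with the default priority 0 / weight 100.
SAMPLE_DIG = """\
;; ANSWER SECTION:
_kerberos._udp.mhbe.lin. 86400 IN SRV 0 100 88 mdhixprodipa01.mhbe.lin.
_kerberos._udp.mhbe.lin. 86400 IN SRV 0 100 88 mdhixprodipa02.mhbe.lin.
"""

# Constructed sample of /var/lib/sss/pubconf/kdcinfo.MHBE.LIN: one KDC per line,
# written by SSSD for the server it is currently talking to (assumption).
SAMPLE_KDCINFO = "mdhixprodipa01.mhbe.lin\n"


def parse_srv(dig_output):
    """Pull SRV records out of dig's answer section; ignore comments and blanks."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) >= 8 and fields[2] == "IN" and fields[3] == "SRV":
            records.append(SRV(int(fields[4]), int(fields[5]),
                               int(fields[6]), fields[7].rstrip(".")))
    return records


def order_kdcs(records, rng=None):
    """Return targets in the order a client tries them (RFC 2782 section on
    priority/weight): lowest priority value first; within one priority, pick
    weighted-random so weight balances load instead of fixing an order."""
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for priority in sorted(by_priority):
        pool = list(by_priority[priority])
        while pool:
            pool.sort(key=lambda r: r.weight != 0)  # weight-0 entries first, per RFC
            total = sum(rec.weight for rec in pool)
            pick = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec.target)
                    pool.remove(rec)
                    break
    return ordered


def effective_kdcs(srv_records, kdcinfo_text=None, krb5_use_kdcinfo=True, rng=None):
    """Which KDCs libkrb5 will actually try.

    Assumption (sssd_krb5_locator_plugin(8)): with krb5_use_kdcinfo left at its
    default of true and a non-empty kdcinfo.REALM, the plugin answers the KDC
    lookup and the DNS SRV records are never consulted. With
    krb5_use_kdcinfo = false, or no file, the plugin declines and libkrb5 falls
    through to dns_lookup_kdc, i.e. to the SRV ordering above.
    """
    if krb5_use_kdcinfo and kdcinfo_text:
        pinned = [line.strip() for line in kdcinfo_text.splitlines() if line.strip()]
        if pinned:
            return pinned
    return order_kdcs(srv_records, rng)


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_DIG)
    print("DNS SRV order:          ", order_kdcs(recs, random.Random(1)))
    print("with kdcinfo (default): ", effective_kdcs(recs, SAMPLE_KDCINFO))
    print("krb5_use_kdcinfo=false: ",
          effective_kdcs(recs, SAMPLE_KDCINFO, False, random.Random(1)))
```

Run it as a script to see the three cases side by side; the point of the model is that with the default setting the second IPA server never appears in the candidate list, however the SRV records are set up.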
