On Wed, 2015-12-16 at 18:34 +0100, Karl Forner wrote:
> > SSSD mostly manages discovery of servers, it is normally configured with
> > the name _srv_ + an actual name as fallback.
> > SSSD also feeds the information to kerberos libraries via a plugin.
>
> ok, I have this line in my /etc/sssd/sssd.conf:
> ipa_server = _srv_, ipa.example.com
>
> How do I check the current ipa_servers picked up by sssd?
> How is the info fed to the kerberos libraries?
>
> Because I set up a replica, using the adelton docker, which seems to work
> fine. I can use its DNS, access its web UI, the changes are dynamically
> updated both ways.
> So far so good.
> But if I suddenly stop the FreeIPA master and try a kdestroy then kinit on
> my client, I get
> kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial
> credentials
>
> Looking at /etc/krb5.conf, I see hardcoded values:
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> EXAMPLE.COM = {
> kdc = ipa.example.com:88
> master_kdc = ipa.example.com:88
> admin_server = ipa.example.com:749
> default_domain = example.com
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .EXAMPLE.com = EXAMPLE.COM
> EXAMPLE.com = EXAMPLE.COM
>
> the same for /etc/ipa/default.conf:
> #File modified by ipa-client-install
>
> [global]
> basedn = dc=example,dc=com
> realm = EXAMPLE.COM
> domain = example.com
> server = ipah.example.com
> xmlrpc_uri = https://ipah.example.com/ipa/xml
> enable_ra = True
>
>
> Is this expected?
Unfortunately it is; it is a bug in the way we update the krb5 libraries to point to a KDC.

SSSD updates this information in a file under /var/lib/sss/pubconf and the krb5 libraries read from it; however, kinit cannot force sssd to re-evaluate whether the file needs updating.

If you do a local login instead of a kinit, you will see that SSSD will switch to the new server and subsequent kinit will start using it.

This is tracked here: https://fedorahosted.org/sssd/ticket/941

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
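To answer the "how do I check which server sssd picked up" question above, here is an added shell diagnostic (not from the thread, and not part of SSSD or FreeIPA). It reads the kdcinfo.REALM file that SSSD writes under /var/lib/sss/pubconf for its krb5 locator plugin and compares it with the static kdc= line in krb5.conf; the demo directory, the realm and the 192.0.2.20 address are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic: show which KDC the Kerberos libraries will use right now.
# SSSD writes the server it currently prefers to <pubconf>/kdcinfo.<REALM>
# (read by its krb5 locator plugin); when that file is absent or empty the
# libraries fall back to the static kdc= line in krb5.conf. A kdcinfo entry
# that still names a stopped master is the stale state described above.

# Print the KDC address(es) SSSD currently advertises for a realm, or "none".
sssd_kdc() {   # $1 = realm, $2 = pubconf directory
    f="$2/kdcinfo.$1"
    if [ -s "$f" ]; then cat "$f"; else echo none; fi
}

# Print the host from the first static "kdc = host[:port]" line in krb5.conf.
static_kdc() { # $1 = path to krb5.conf
    sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*\([^:[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# "sssd" if a locator entry exists (it takes precedence), else "static".
kdc_source() { # $1 = realm, $2 = pubconf directory
    [ "$(sssd_kdc "$1" "$2")" = none ] && echo static || echo sssd
}

# Constructed demo environment standing in for /var/lib/sss/pubconf and
# /etc/krb5.conf; on a real client pass those paths instead.
demo=$(mktemp -d)
mkdir -p "$demo/pubconf"
printf '%s\n' '192.0.2.20' > "$demo/pubconf/kdcinfo.EXAMPLE.COM"  # constructed replica address
cat > "$demo/krb5.conf" <<'EOF'
[realms]
EXAMPLE.COM = {
 kdc = ipa.example.com:88
 master_kdc = ipa.example.com:88
}
EOF

echo "locator KDC: $(sssd_kdc EXAMPLE.COM "$demo/pubconf")"
echo "static KDC:  $(static_kdc "$demo/krb5.conf")"
echo "source:      $(kdc_source EXAMPLE.COM "$demo/pubconf")"
```

If the locator entry still points at the stopped master, a local login (as Simo describes) makes SSSD re-evaluate and rewrite it before kinit will follow.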