On Wed, 2015-12-16 at 18:34 +0100, Karl Forner wrote:
> > SSSD mostly manages discovery of servers, it is normally configured with
> > the name _srv_ + an actual name as fallback.
> > SSSD also feeds the information to kerberos libraries via a plugin.
> 
> ok, I have this line in my /etc/sssd/sssd.conf:
> ipa_server = _srv_, ipa.example.com
> 
> How do I check the current ipa_servers picked up by sssd?
> How is the info fed to kerberos libraries?
> 
> Because I set up a replica, using the adelton docker, which seems to work
> fine. I can use its DNS, access its web UI, the changes are dynamically
> updated both ways.
> So far so good.
> But if I suddenly stop the freeIPA master and try a kdestroy then kinit on
> my client, I get
> kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial
> credentials
> 
> Looking at /etc/krb5.conf, I see hardcoded values:
>  #File modified by ipa-client-install
> 
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [libdefaults]
>   default_realm = EXAMPLE.COM
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
> 
> [realms]
>   EXAMPLE.COM = {
>     kdc = ipa.example.com:88
>     master_kdc = ipa.example.com:88
>     admin_server = ipa.example.com:749
>     default_domain = example.com
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
> 
> [domain_realm]
>   .EXAMPLE.com = EXAMPLE.COM
>   EXAMPLE.com = EXAMPLE.COM
> 
> the same for /etc/ipa/default.conf:
> #File modified by ipa-client-install
> 
> [global]
> basedn = dc=example,dc=com
> realm = EXAMPLE.COM
> domain = example.com
> server = ipah.example.com
> xmlrpc_uri = https://ipah.example.com/ipa/xml
> enable_ra = True
> 
> 
> Is this expected?

Unfortunately it is; it is a bug in the way we update the krb5 libraries
to point to a KDC.

SSSD updates this information in a file under /var/lib/sss/pubconf and
krb5 libraries read from it, however kinit cannot force sssd to
re-evaluate if the file needs updating.

If you do a local login instead of a kinit, you will see that SSSD will
switch to the new server and subsequent kinit will start using it.

This is tracked here:
https://fedorahosted.org/sssd/ticket/941

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
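The following script is an added example for checking the situation Simo describes; it is not code from this thread, from SSSD or from FreeIPA. It prints the KDC that SSSD has currently handed to the krb5 libraries through its pubconf directory next to the static kdc= entries pinned in krb5.conf, so an operator can see when the two disagree after a master goes down. It assumes the pubconf directory is /var/lib/sss/pubconf and that SSSD writes the per-realm file as kdcinfo.<REALM>; both paths are parameters so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not from the thread, SSSD or FreeIPA): compare the KDC that
# SSSD advertises to libkrb5 with the static kdc= entries in krb5.conf.
# Assumptions: pubconf directory defaults to /var/lib/sss/pubconf and the
# per-realm file is named kdcinfo.<REALM>; both are overridable parameters.

# Print the KDC address(es) SSSD currently advertises for REALM, one per line.
# Usage: sssd_kdc_info REALM [PUBCONF_DIR]
# Returns 1 when SSSD has not written a kdcinfo file for that realm.
sssd_kdc_info() {
    realm="$1"
    pubconf="${2:-/var/lib/sss/pubconf}"
    kdcfile="$pubconf/kdcinfo.$realm"
    if [ ! -r "$kdcfile" ]; then
        echo "no kdcinfo for $realm at $kdcfile (SSSD has not written one)" >&2
        return 1
    fi
    # Drop blank lines so callers get exactly one address per line.
    grep -v '^[[:space:]]*$' "$kdcfile"
}

# Print the kdc= values inside the [realms] block for REALM in a krb5.conf.
# Usage: krb5conf_kdcs REALM [KRB5_CONF]
krb5conf_kdcs() {
    realm="$1"
    conf="${2:-/etc/krb5.conf}"
    awk -v realm="$realm" '
        function trim(s) {
            sub(/^[[:space:]]+/, "", s); sub(/[[:space:]]+$/, "", s); return s
        }
        {
            l = trim($0)
            eq = index(l, "=")
            if (!inblock) {
                # Block opener looks like "EXAMPLE.COM = {" (whitespace varies)
                if (eq > 0 && trim(substr(l, 1, eq - 1)) == realm && trim(substr(l, eq + 1)) == "{")
                    inblock = 1
                next
            }
            if (l == "}") { inblock = 0; next }
            # Only plain kdc= lines, not master_kdc= or admin_server=
            if (eq > 0 && trim(substr(l, 1, eq - 1)) == "kdc")
                print trim(substr(l, eq + 1))
        }' "$conf"
}

# Side-by-side report: what krb5.conf pins vs. what SSSD advertises right now.
# Usage: kdc_report REALM [KRB5_CONF] [PUBCONF_DIR]
kdc_report() {
    realm="$1"
    conf="${2:-/etc/krb5.conf}"
    pubconf="${3:-/var/lib/sss/pubconf}"
    echo "static kdc= entries in $conf for $realm:"
    krb5conf_kdcs "$realm" "$conf" | sed 's/^/  /'
    echo "KDC currently advertised by SSSD in $pubconf:"
    if kdcs=$(sssd_kdc_info "$realm" "$pubconf"); then
        printf '%s\n' "$kdcs" | sed 's/^/  /'
    else
        echo "  (none written by SSSD yet)"
    fi
}

# Stand-alone use: sh kdc_report.sh EXAMPLE.COM [/etc/krb5.conf] [/var/lib/sss/pubconf]
if [ $# -ge 1 ]; then
    kdc_report "$@"
fi
```

Run it once while the master is up, stop the master, run it again after a plain kinit and again after a local login: the kdcinfo line is what changes when SSSD switches servers, while the kdc= line from krb5.conf stays pinned to the value ipa-client-install wrote.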

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project