Another piece of information:

The Linux boxes are running Ubuntu too, with the same configuration.
I have configured 2 DNS servers, the first for my main FreeIPA server
(which is down), and the second for the replica.
After boot, the Linux box can resolve addresses just fine, using the
secondary DNS. But the box does not pick the KDC from the replica.

It seems to only use the cache, since when I do a klist, I have a ticket
expiring at 01/01/1970:
Valid starting       Expires              Service principal
01/01/1970 01:00:00  01/01/1970 01:00:00

If I do a kinit:
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial

And once again, from a box just rebooted.

When I look at my /etc/krb5.conf, there's a kdc, master_kdc, and
admin_server set for my domain.
From what I had understood, I thought they should be ignored, and that the
auto-discovery should still happen.
Is that so?


On Tue, Jan 5, 2016 at 12:16 AM, Karl Forner <> wrote:

> Hello,
> My freeipa master has crashed, and I have a replica running.
> The problem is that I cannot use the webapps on my main server anymore,
> which use Kerberos authentication, since my server will not switch to the
> KDC on my replica.
> I remember that someone replied to me on this list about that problem, but
> I'd like to know if there's something I can do besides rebooting my main
> server?
> freeipa 4.3
> sssd 1.12.5-1 running on ubuntu 14.04
> Thanks.
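The question above (do explicit kdc/master_kdc/admin_server entries in /etc/krb5.conf get ignored in favour of DNS auto-discovery?) is answered by the MIT krb5.conf semantics: dns_lookup_kdc only governs realms that have no kdc entries listed, so a realm with a pinned kdc never falls back to SRV records, and a kdc line that names the crashed master is used as-is. The following is an added example, not code from the original thread or from FreeIPA or SSSD: a small krb5.conf reader that reports, for a realm, which KDCs are hard-coded and whether SRV discovery would be consulted at all. The two configurations, the host names and the helper names (parse_krb5_conf, kdc_discovery) are constructed for this illustration.

```python
# Added example (not from the original post or from FreeIPA/SSSD): read a
# krb5.conf and say where the client will look for the KDCs of a realm.
# Rule applied (MIT krb5.conf docs): dns_lookup_kdc is only consulted for
# realms that list no kdc entries, so explicit kdc lines pin the client.
import re

_TRUE = {"true", "yes", "on", "1"}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values] | {nested}}}.

    Handles [section] headers, 'key = value' (repeated keys collect into a
    list) and one level of 'REALM = { ... }' nesting, which is all the
    [realms] section needs. Comments start with '#' or ';'.
    """
    conf = {}
    section = None
    nested = None  # dict of the current 'REALM = { ... }' block, if any
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip(), {})
            nested = None
            continue
        if section is None:
            continue  # stray line before the first section header
        if line == "}":
            nested = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value == "{":
            nested = section.setdefault(key, {})
            continue
        target = nested if nested is not None else section
        target.setdefault(key, []).append(value)
    return conf


def kdc_discovery(conf, realm):
    """Report hard-coded KDCs for `realm` and whether SRV lookup applies."""
    libdefaults = conf.get("libdefaults", {})
    # MIT default for dns_lookup_kdc is true; last occurrence wins.
    dns_flag = libdefaults.get("dns_lookup_kdc", ["true"])[-1].lower()
    dns_enabled = dns_flag in _TRUE
    realm_cfg = conf.get("realms", {}).get(realm, {})
    explicit = list(realm_cfg.get("kdc", []))
    return {
        "explicit_kdcs": explicit,
        "dns_lookup_kdc": dns_enabled,
        # SRV records are consulted only when no kdc is listed for the realm.
        "uses_srv_records": dns_enabled and not explicit,
    }


# Constructed sample 1: the situation described in the thread, with the
# (hypothetical) crashed master pinned in the realm section.
PINNED_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = true

[realms]
  EXAMPLE.COM = {
    kdc = ipa-master.example.com:88        # the crashed master
    master_kdc = ipa-master.example.com:88
    admin_server = ipa-master.example.com:749
  }
"""

# Constructed sample 2: no kdc lines, so _kerberos._udp SRV records (which
# in FreeIPA list every replica) decide which KDC is contacted.
DISCOVER_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = true

[realms]
  EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

if __name__ == "__main__":
    for name, text in (("pinned", PINNED_CONF), ("discovery", DISCOVER_CONF)):
        print(name, kdc_discovery(parse_krb5_conf(text), "EXAMPLE.COM"))
```

Running it on the first configuration reports the master as the only KDC and uses_srv_records False; on the second it reports no explicit KDC and uses_srv_records True. On an SSSD-enrolled client there is a second place to check: SSSD's krb5 locator plugin feeds libkrb5 the KDC it last found via /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM, so that file, and the krb5_use_kdcinfo option in sssd.conf, are worth inspecting alongside the realm section when a client keeps contacting a dead KDC.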