Re: [Freeipa-users] errors when one ipa server down
On Wed, Sep 19, 2012 at 12:27:25PM -0400, Dmitri Pal wrote:
On 09/19/2012 12:11 PM, Jakub Hrozek wrote:
On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote:
On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote:
On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote:
On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:

[root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8

[root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

Jakub, does this make sense to you?

As stated elsewhere in this thread, bare kinit does not contact the SSSD at all. You want to go through the PAM stack (with su - mike or ssh mike@ipaclient) in order to contact the SSSD so that the SSSD refreshes the file.

Does using su - mike refresh the file?

When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. e.g.

[root@ipaclient sssd]# su - mike

^^ Sorry, but can you re-run the test again and either su from another non-root user or ssh into the client for instance?

The reason is that performing su as root would not contact the SSSD at all either. The default PAM configuration for su includes pam_rootok.so which just returns PAM_SUCCESS if the user who performs su has UID=0.

Hello,

[mike@ipaclient ~]$ su - eric
Password:   # NOTE: no delay
[eric@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifdown eth0

[mike@ipaclient ~]$ su - eric
Password:   # NOTE: there is a delay here, ~5 seconds
[eric@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifup eth0
[root@ipaserver2 ~]ifdown eth0

[mike@ipaclient ~]$ su - eric
Password:   # NOTE: no delay
[eric@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifdown eth0
[root@ipaserver2 ~]ifup eth0

[mike@ipaclient ~]$ su - eric
Password:   # NOTE: no delay
[eric@ipaclient ~]$ exit
logout

There does not appear to be any problems when doing an su -.

I agree. I think that the SSSD fails over just fine.

An additional note is that the ipaclient system had been sitting idle all night. Right before starting this test, I had to unlock the workstation.

The unlock (if performed through GDM at least) would trigger an auth and by extension going online/offline.

What I suspect was happening is that the kinit just contacted a KDC that was present in the kdcinfo files, but down without the Kerberos libraries knowing it was down -- and without a mechanism to tell the SSSD to go and try another server. We're tracking this as a future enhancement.

Do you have a ticket handy?

We discussed doing it as part of https://fedorahosted.org/sssd/ticket/941 which might add a new responder.

Thank you for testing, Mike!

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
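The locator trace Michael posted is the evidence for Jakub's diagnosis: the plugin handed libkrb5 exactly one address, read from the kdcinfo file, and that address was the replica whose interface was down. The following is an added example (not code from this thread, from SSSD or from MIT Kerberos) that parses such a SSSD_KRB5_LOCATOR_DEBUG trace and classifies a failed kinit. The regular expressions follow the line formats visible above; the reachability probe is replaced by a constructed dictionary; the sample lines and the result labels are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Patterns for the lines sssd_krb5_locator prints when SSSD_KRB5_LOCATOR_DEBUG=1 is set
# (formats taken from the trace in the thread).
KDCINFO_RE = re.compile(r"\[sssd_krb5_locator\] Found \[(?P<ip>[^\]]+)\] in \[(?P<path>[^\]]+)\]")
ADDR_RE = re.compile(r"\[sssd_krb5_locator\] addr\[(?P<ip>[^\]:]+):(?P<port>\d+)\] family\[\d+\] socktype\[(?P<socktype>\d+)\]")
KINIT_ERR_RE = re.compile(r"^kinit: Cannot contact any KDC for realm '(?P<realm>[^']+)'")


@dataclass
class LocatorTrace:
    kdcinfo_path: Optional[str] = None
    offered: List[str] = field(default_factory=list)   # every address the plugin handed to libkrb5, in order
    socktypes: Set[int] = field(default_factory=set)    # 1 = SOCK_STREAM (TCP), 2 = SOCK_DGRAM (UDP)
    failed_realm: Optional[str] = None                  # set when kinit gave up on the realm


def parse_locator_trace(lines: Iterable[str]) -> LocatorTrace:
    """Collect what the locator plugin offered to libkrb5 and whether kinit gave up."""
    trace = LocatorTrace()
    for line in lines:
        m = KDCINFO_RE.search(line)
        if m:
            trace.kdcinfo_path = m.group("path")
            continue
        m = ADDR_RE.search(line)
        if m:
            trace.offered.append(m.group("ip"))
            trace.socktypes.add(int(m.group("socktype")))
            continue
        m = KINIT_ERR_RE.match(line)
        if m:
            trace.failed_realm = m.group("realm")
    return trace


def diagnose(trace: LocatorTrace, reachable: Dict[str, bool]) -> str:
    """Classify a kinit run. `reachable` maps KDC address -> result of a port-88 probe;
    the probe itself is outside this example, a constructed dict stands in for it."""
    if not trace.offered:
        # The plugin offered nothing, so libkrb5 used krb5.conf / DNS SRV instead.
        return "locator-unused"
    distinct = sorted(set(trace.offered))
    dead = [ip for ip in distinct if not reachable.get(ip, False)]
    if trace.failed_realm and dead and len(dead) == len(distinct):
        # Every address the plugin pinned kinit to is down: the kdcinfo file is stale.
        # Only an authentication that goes through SSSD (PAM: su from a non-root user,
        # ssh) makes SSSD fail over and rewrite it; kinit alone never will.
        return "stale-kdcinfo"
    if dead:
        return "some-kdcs-down"
    return "kdcs-reachable"


# Constructed sample: the trace from the thread (one UDP attempt, one TCP attempt, then the error).
SAMPLE_TRACE = [
    "[sssd_krb5_locator] sssd_krb5_locator_init called",
    "[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].",
    "[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]",
    "[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]",
    "[sssd_krb5_locator] [172.16.112.8] used",
    "[sssd_krb5_locator] sssd_krb5_locator_close called",
    "[sssd_krb5_locator] sssd_krb5_locator_init called",
    "[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].",
    "[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]",
    "[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]",
    "[sssd_krb5_locator] [172.16.112.8] used",
    "[sssd_krb5_locator] sssd_krb5_locator_close called",
    "kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials",
]

# Constructed probe result: ipaserver2 (172.16.112.8) has its interface down, ipaserver answers.
SAMPLE_REACHABLE = {"172.16.112.8": False, "172.16.112.5": True}

if __name__ == "__main__":
    t = parse_locator_trace(SAMPLE_TRACE)
    print(t.kdcinfo_path, t.offered, sorted(t.socktypes), diagnose(t, SAMPLE_REACHABLE))
```

The point the classifier makes explicit is that a "stale-kdcinfo" verdict is not a Kerberos misconfiguration: the SRV records and krb5.conf may be fine, and what is missing is a request through SSSD that would make it notice the dead server and rewrite the file.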
Re: [Freeipa-users] errors when one ipa server down
On 09/19/2012 12:11 PM, Jakub Hrozek wrote:
On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote:
On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote:
On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote:
On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:

[root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8

[root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

Jakub, does this make sense to you?

As stated elsewhere in this thread, bare kinit does not contact the SSSD at all. You want to go through the PAM stack (with su - mike or ssh mike@ipaclient) in order to contact the SSSD so that the SSSD refreshes the file.

Does using su - mike refresh the file?

When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. e.g.

[root@ipaclient sssd]# su - mike

^^ Sorry, but can you re-run the test again and either su from another non-root user or ssh into the client for instance?

The reason is that performing su as root would not contact the SSSD at all either. The default PAM configuration for su includes pam_rootok.so which just returns PAM_SUCCESS if the user who performs su has UID=0.

Hello,

[mike@ipaclient ~]$ su - eric
Password:   # NOTE: no delay
[eric@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifdown eth0

[mike@ipaclient ~]$ su - eric
Password:   # NOTE: there is a delay here, ~5 seconds
[eric@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifup eth0
[root@ipaserver2 ~]ifdown eth0

[mike@ipaclient ~]$ su - eric
Password:   # NOTE: no delay
[eric@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifdown eth0
[root@ipaserver2 ~]ifup eth0

[mike@ipaclient ~]$ su - eric
Password:   # NOTE: no delay
[eric@ipaclient ~]$ exit
logout

There does not appear to be any problems when doing an su -.

I agree. I think that the SSSD fails over just fine.

An additional note is that the ipaclient system had been sitting idle all night. Right before starting this test, I had to unlock the workstation.

The unlock (if performed through GDM at least) would trigger an auth and by extension going online/offline.

What I suspect was happening is that the kinit just contacted a KDC that was present in the kdcinfo files, but down without the Kerberos libraries knowing it was down -- and without a mechanism to tell the SSSD to go and try another server. We're tracking this as a future enhancement.

Do you have a ticket handy?

Thank you for testing, Mike!

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] errors when one ipa server down
On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:

[root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8

[root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

Jakub, does this make sense to you?

As stated elsewhere in this thread, bare kinit does not contact the SSSD at all. You want to go through the PAM stack (with su - mike or ssh mike@ipaclient) in order to contact the SSSD so that the SSSD refreshes the file.

Does using su - mike refresh the file?

Michael also said that the IP address 172.16.112.8 is the address of the server that is down. I assume that at one point the SSSD was using that server but no request came to the SSSD since the last one, so the SSSD did not fail over to the other configured server. Your SRV records indicated that the servers had the same priority fields, so selecting one over another is pretty much random. I don't think the SSSD is operating in offline mode completely, otherwise it would have removed the file to avoid this kind of timeout.

Bottom line, kinit does not contact the SSSD and does not refresh the address via the locator plugin. Returning multiple addresses from the locator plugin or creating a smarter way of interacting between the Kerberos tools and the SSSD is the scope of https://fedorahosted.org/sssd/ticket/941

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:

[root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8

[root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

Jakub, does this make sense to you?

As stated elsewhere in this thread, bare kinit does not contact the SSSD at all. You want to go through the PAM stack (with su - mike or ssh mike@ipaclient) in order to contact the SSSD so that the SSSD refreshes the file.

Does using su - mike refresh the file?

When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. e.g.

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifdown eth0

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifup eth0
[root@ipaserver2 ~]ifdown eth0

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifdown eth0
[root@ipaserver2 ~]ifup eth0

[root@ipaclient sssd]# su - mike   # short delay ~2 seconds
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifup eth0
[root@ipaserver2 ~]ifdown eth0

[root@ipaclient sssd]# su - mike   # short delay ~2 seconds
[mike@ipaclient ~]$ exit
logout

I do not seem to have any sssd problems.

Thanks,
Mike

Michael also said that the IP address 172.16.112.8 is the address of the server that is down. I assume that at one point the SSSD was using that server but no request came to the SSSD since the last one, so the SSSD did not fail over to the other configured server. Your SRV records indicated that the servers had the same priority fields, so selecting one over another is pretty much random. I don't think the SSSD is operating in offline mode completely, otherwise it would have removed the file to avoid this kind of timeout.

Bottom line, kinit does not contact the SSSD and does not refresh the address via the locator plugin. Returning multiple addresses from the locator plugin or creating a smarter way of interacting between the Kerberos tools and the SSSD is the scope of https://fedorahosted.org/sssd/ticket/941

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] errors when one ipa server down
On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote:
On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:

[root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8

[root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
[sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
[sssd_krb5_locator] [172.16.112.8] used
[sssd_krb5_locator] sssd_krb5_locator_close called
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

Jakub, does this make sense to you?

As stated elsewhere in this thread, bare kinit does not contact the SSSD at all. You want to go through the PAM stack (with su - mike or ssh mike@ipaclient) in order to contact the SSSD so that the SSSD refreshes the file.

Does using su - mike refresh the file?

When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. e.g.

[root@ipaclient sssd]# su - mike

^^ Sorry, but can you re-run the test again and either su from another non-root user or ssh into the client for instance?

The reason is that performing su as root would not contact the SSSD at all either. The default PAM configuration for su includes pam_rootok.so which just returns PAM_SUCCESS if the user who performs su has UID=0.

I kinda expect the result to be the same (at least for a user who is not recently cached) because in the case of IPA we need to establish a GSSAPI encrypted connection anyway so we'd talk to the KDC only to perform initgroups.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
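Jakub's point about pam_rootok.so is easy to check on paper by walking the auth stack with Linux-PAM's control-flag rules. The following is an added example (not code from the thread, from Linux-PAM or from SSSD): a small simulator that flattens a PAM service file, expands "include", and reports which modules a given su would consult. The PAM files, the user database and the per-module outcomes are constructed stand-ins for a CentOS 6 client enrolled with ipa-client-install; real modules do much more than this model keeps.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-in for /etc/pam.d/su and /etc/pam.d/system-auth, auth phase only.
PAM_FILES: Dict[str, str] = {
    "su": """
auth        sufficient    pam_rootok.so
auth        include       system-auth
""",
    "system-auth": """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
""",
}

# Constructed accounts: /etc/passwd users versus users that only SSSD (IPA) can resolve.
LOCAL_USERS = {"root": 0}
IPA_USERS = {"mike": 1000, "eric": 1001}


@dataclass
class Entry:
    control: str
    module: str
    args: List[str]


def load_auth_stack(name: str, files: Dict[str, str]) -> List[Entry]:
    """Flatten the 'auth' phase of a PAM service file, expanding 'include' lines."""
    stack: List[Entry] = []
    for raw in files[name].splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#") or parts[0] != "auth":
            continue
        control, module, args = parts[1], parts[2], parts[3:]
        if control == "include":
            stack.extend(load_auth_stack(module, files))
        else:
            stack.append(Entry(control, module, args))
    return stack


def module_result(entry: Entry, caller_uid: int, target: str, password_ok: bool) -> bool:
    """Toy outcome per module: only what decides the control flow is modelled."""
    target_uid = {**LOCAL_USERS, **IPA_USERS}.get(target)
    if entry.module == "pam_rootok.so":
        return caller_uid == 0                       # PAM_SUCCESS for UID 0, nothing asked
    if entry.module == "pam_env.so":
        return True
    if entry.module == "pam_unix.so":
        return target in LOCAL_USERS and password_ok
    if entry.module == "pam_succeed_if.so":          # only the "uid >= N" form is modelled
        return target_uid is not None and target_uid >= int(entry.args[2])
    if entry.module == "pam_sss.so":
        return target in IPA_USERS and password_ok   # the one call that reaches SSSD
    if entry.module == "pam_deny.so":
        return False
    raise ValueError("unmodelled module " + entry.module)


def run_auth(stack: List[Entry], caller_uid: int, target: str,
             password_ok: bool = True) -> Tuple[bool, List[str]]:
    """Walk the stack with Linux-PAM control-flag semantics; return (result, modules consulted)."""
    consulted: List[str] = []
    failed_required = False
    for entry in stack:
        consulted.append(entry.module)
        ok = module_result(entry, caller_uid, target, password_ok)
        if entry.control == "sufficient":
            if ok and not failed_required:
                return True, consulted               # stack ends here; later modules never run
        elif entry.control == "requisite":
            if not ok:
                return False, consulted
        elif entry.control == "required":
            failed_required |= not ok
        # "optional" never changes the result
    return not failed_required, consulted


def sssd_contacted(caller_uid: int, target: str) -> bool:
    """Would this su reach pam_sss.so, and therefore exercise SSSD's failover?"""
    _, consulted = run_auth(load_auth_stack("su", PAM_FILES), caller_uid, target)
    return "pam_sss.so" in consulted


if __name__ == "__main__":
    stack = load_auth_stack("su", PAM_FILES)
    print("root -> mike:", run_auth(stack, 0, "mike"))
    print("mike -> eric:", run_auth(stack, 1000, "eric"))
```

Running it shows the asymmetry in the thread's two test rounds: "su - mike" from a root shell stops at pam_rootok.so, while "su - eric" from mike's shell walks down to pam_sss.so, which is the request that lets SSSD notice a dead server and rewrite its kdcinfo file. Note that an su to a local account such as root from a non-root user also stops early, at pam_unix.so.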
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:

Hello,

I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) set up using MMR.

[root@ipaserver ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64

[root@ipaserver2 ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch

[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64

I have a webserver (zenoss) using kerberos authentication.

[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64

<Location />
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodK5Passwd Off
    KrbAuthRealms MPLS.LOCAL
    KrbSaveCredentials on
    KrbServiceName HTTP
    Krb5KeyTab /etc/http/conf.d/http.keytab
    AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
    RequestHeader set X_REMOTE_USER %{remoteUser}e
    require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
</Location>

With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails.

I have also noticed the following:
1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
2. It takes a longer period of time to do a kinit

If I then perform:

[root@ipaserver ~]#ifup eth0
[root@ipaserver2 ~]#ifdown eth0

[mike@ipaclient ~]$kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

[root@ipaserver2 ~]#ifup eth0

[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

[root@ipaserver2 ~]#ifdown eth0

.. wait number of minutes
ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes

[mike@ipaclient ~]$kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

Any ideas?

Thanks,
Mike

This seems to be some DNS problem. Your client does not see the second replica and might have some name resolution timeouts. Please check your dns setup and krb5.conf on the client. To help more we need more details about your client configuration, DNS and kerberos.

Hi,

Additional information...

[root@zenoss ~]#more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# nslookup ipaserver
Server:         172.16.112.5
Address:        172.16.112.5#53

Name:   ipaserver.mpls.local
Address: 172.16.112.5
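The krb5.conf above has no kdc entries for MPLS.LOCAL and dns_lookup_kdc = true, so without the SSSD locator plugin libkrb5 finds KDCs through the _kerberos SRV records, and Jakub's later remark that equal-priority SRV records make the choice of replica "pretty much random" follows from the RFC 2782 selection rules. The following is an added example (not code from the thread, from MIT Kerberos or from FreeIPA) covering both points: it reads a krb5.conf like the one posted, reports how KDC discovery will proceed, and orders a constructed SRV answer the way RFC 2782 prescribes. The MIT default of dns_lookup_kdc being true when unset, and the rule that explicit kdc entries take precedence over DNS, are stated from the krb5.conf documentation; the SRV records and hostnames are constructed to match the thread.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed copy of the krb5.conf ipa-client-install wrote on ipaclient (as posted in the thread).
KRB5_CONF = """\
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf reader: [sections], key = value, one level of { } subsections.
    A key repeated in the same scope (several kdc = lines) collects into a list."""
    conf: Dict[str, dict] = {}
    section: Optional[dict] = None
    sub: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            sub = None
        elif section is None:
            continue                                   # stray line before any section
        elif line == "}":
            sub = None
        elif line.endswith("{"):
            sub = section.setdefault(line[:-1].strip().rstrip("=").strip(), {})
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            scope = sub if sub is not None else section
            existing = scope.get(key)
            if existing is None:
                scope[key] = value
            elif isinstance(existing, list):
                existing.append(value)
            else:
                scope[key] = [existing, value]
    return conf


def kdc_discovery(conf: Dict[str, dict], realm: str) -> Tuple[str, List[str]]:
    """How libkrb5 will find KDCs for `realm` with this file, ignoring the SSSD locator
    plugin (which wins whenever it has an answer, as the thread's trace shows)."""
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if isinstance(kdcs, str):
        kdcs = [kdcs]
    if kdcs:
        return "static", kdcs                          # explicit kdc = lines, DNS not consulted
    if conf.get("libdefaults", {}).get("dns_lookup_kdc", "true").lower() == "true":
        return "dns-srv", ["_kerberos._udp." + realm.lower(), "_kerberos._tcp." + realm.lower()]
    return "none", []


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed _kerberos._udp.mpls.local answer: both replicas with equal priority and weight.
SRV_ANSWER = [Srv(0, 100, 88, "ipaserver.mpls.local"), Srv(0, 100, 88, "ipaserver2.mpls.local")]


def order_srv(records: List[Srv], rng: random.Random) -> List[Srv]:
    """RFC 2782 ordering: lowest priority first; within one priority, weighted random
    selection without replacement, so equal weights give either order."""
    ordered: List[Srv] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def first_answering(ordered: List[Srv], reachable: Dict[str, bool]) -> Tuple[Optional[str], List[str]]:
    """Targets are tried in SRV order; each dead target in front costs a timeout first."""
    tried: List[str] = []
    for r in ordered:
        tried.append(r.target)
        if reachable.get(r.target, False):
            return r.target, tried
    return None, tried


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    print(kdc_discovery(conf, "MPLS.LOCAL"))
    print([r.target for r in order_srv(SRV_ANSWER, random.Random())])
```

Two practical consequences fall out of the model: with DNS-based discovery a client whose first pick is the downed replica pays a timeout before reaching the other one, which matches the slower kinit Michael saw; and the kinit that failed outright did so because the locator plugin short-circuited this whole path with a single stale address.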
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-10, at 4:35 AM, Petr Spacek wrote:
On 09/08/2012 05:03 PM, Dmitri Pal wrote:
On 09/07/2012 04:50 PM, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:
Re: [Freeipa-users] errors when one ipa server down
On 09/17/2012 10:27 AM, Michael Mercier wrote:
On 2012-09-10, at 4:35 AM, Petr Spacek wrote:
On 09/08/2012 05:03 PM, Dmitri Pal wrote:
On 09/07/2012 04:50 PM, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:
Re: [Freeipa-users] errors when one ipa server down
On 09/17/2012 10:14 AM, Michael Mercier wrote:
On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
Michael Mercier wrote:
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
On 09/06/2012 10:40 AM, Michael Mercier wrote:
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-17, at 11:27 AM, Dmitri Pal wrote:
Re: [Freeipa-users] errors when one ipa server down
On 09/08/2012 05:03 PM, Dmitri Pal wrote:
Re: [Freeipa-users] errors when one ipa server down
Dmitri Pal wrote:
Re: [Freeipa-users] errors when one ipa server down
On Mon, Sep 10, 2012 at 09:08:07AM -0400, Rob Crittenden wrote:
Re: [Freeipa-users] errors when one ipa server down
On Mon, 2012-09-10 at 15:20 +0200, Jakub Hrozek wrote:
Re: [Freeipa-users] errors when one ipa server down
On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote:

What about defining a task in the SSSD krb5 provider instead of pinging it from the locator plugin? The task can run at a configurable interval or never, and checks if the current KDC is available. If not, it tries the next, until it goes offline if no reachable KDC can be found, and updates or deletes the info file for the locator plugin. This leaves us with the question of how to ping a KDC properly, but this we have to find out for either case.

I am not a fan of generating load for the KDC unnecessarily.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] errors when one ipa server down
Simo Sorce wrote:

I tend to agree, but this can be a real pain to debug, because depending on the current state of sssd you have to check either krb5.conf or the sssd locator to see what KDC is configured.

rob
Re: [Freeipa-users] errors when one ipa server down
On Mon, 2012-09-10 at 11:11 -0400, Rob Crittenden wrote:

[moving to freeipa-devel]

Yes, but the solution is to do on-demand requests when something doesn't work, because otherwise you still get the odd failure. Assume you check in 5 min intervals, and the KDC goes off 1 sec after the check: for 5 minutes you still have a wrong KDC in the locator and still get failures. So you loaded the KDC with ~300 requests per day per client, and you still have high odds that on failure your locator file will still be 'wrong'.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
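The trade-off argued in the exchange above (a periodic liveness check leaves a stale KDC in the locator for up to one interval and costs a probe per interval per client, while an on-demand refresh only probes when an authentication actually hits a dead KDC) can be made concrete with a small simulation. The following is an added example written for this page, not SSSD code and not anything posted by the thread's participants. It models the cached KDC address the way the kdcinfo file is used in the thread (the Kerberos library talks only to the cached address and does not fail over by itself), reuses the two server addresses from the thread, and the outage window and authentication times are constructed for the example.

```python
from dataclasses import dataclass, field

SECONDS_PER_DAY = 86400


@dataclass
class Kdc:
    """A KDC with a list of (down_at, up_at) outage windows, in seconds from midnight."""
    addr: str
    outages: list = field(default_factory=list)

    def reachable(self, t):
        return not any(down <= t < up for down, up in self.outages)


@dataclass
class Result:
    failures: int = 0                         # auth attempts the user saw fail
    failed_at: list = field(default_factory=list)
    probes: int = 0                           # requests sent to KDCs only to test liveness


def first_reachable(order, t, res):
    """Probe candidates in order and return the first live one (None if all are down)."""
    for kdc in order:
        res.probes += 1
        if kdc.reachable(t):
            return kdc
    return None


def failover_order(current, kdcs):
    # check the cached KDC first, then the others in configured order
    return [current] + [k for k in kdcs if k is not current]


def run_periodic(kdcs, attempts, interval):
    """Background task (the periodic proposal): every `interval` seconds probe the
    cached KDC and, if it is down, move the cache to the next reachable one.
    An auth attempt between two checks goes only to whatever the cache says."""
    res = Result()
    current = kdcs[0]
    checks = list(range(0, SECONDS_PER_DAY, interval))
    ci = 0

    def check(tc):
        nonlocal current
        found = first_reachable(failover_order(current, kdcs), tc, res)
        if found is not None:
            current = found

    for t in sorted(attempts):
        while ci < len(checks) and checks[ci] <= t:
            check(checks[ci])
            ci += 1
        if not current.reachable(t):
            res.failures += 1
            res.failed_at.append(t)
    while ci < len(checks):                   # remaining checks still cost probes
        check(checks[ci])
        ci += 1
    return res


def run_on_demand(kdcs, attempts):
    """On-demand refresh (the counter-proposal): no background probing. Only when
    an auth attempt hits a dead KDC are the candidates probed and the cache
    updated; the attempt is retried against the new KDC, so the user only sees
    a failure when no KDC at all is reachable."""
    res = Result()
    current = kdcs[0]
    for t in sorted(attempts):
        if current.reachable(t):
            continue
        found = first_reachable(failover_order(current, kdcs), t, res)
        if found is None:
            res.failures += 1
            res.failed_at.append(t)
        else:
            current = found
    return res


# Constructed scenario with the thread's two servers: ipaserver drops off one
# second after a 5-minute check (the case described above) and is back an hour later.
KDCS = [Kdc("172.16.112.5", outages=[(3601, 7200)]), Kdc("172.16.112.8")]
ATTEMPTS = [3700, 3800, 3950, 20000]          # auth attempts, seconds from midnight


def compare(kdcs=KDCS, attempts=ATTEMPTS):
    return {
        "periodic_300s": run_periodic(kdcs, attempts, 300),
        "periodic_60s": run_periodic(kdcs, attempts, 60),
        "on_demand": run_on_demand(kdcs, attempts),
    }


if __name__ == "__main__":
    for name, res in compare().items():
        print(f"{name:14} failures={res.failures} at={res.failed_at} probes/day={res.probes}")
```

With a 5-minute interval the two logins inside the stale window fail and the client still sends 289 probes a day; shortening the interval to 60 seconds removes the failures in this scenario only by raising the probe count to 1441, while the on-demand strategy sends two probes in total and fails nobody as long as some KDC is up. Shrinking the interval never closes the window completely, which is the point made above; the simulation only shows how much load each reduction costs.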
Re: [Freeipa-users] errors when one ipa server down
On 09/07/2012 04:50 PM, Rob Crittenden wrote:
Re: [Freeipa-users] errors when one ipa server down
On 09/06/2012 10:40 AM, Michael Mercier wrote:

Hello,

I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) set up using MMR.

[root@ipaserver ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver ~]# rpm -qa | grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64

[root@ipaserver2 ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master

[root@ipaserver2 ~]# rpm -qa | grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch

[mike@ipaclient ~]$ rpm -qa | grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64

I have a webserver (zenoss) using Kerberos authentication.

[root@zenoss ~]# rpm -qa | grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64

<Location />
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodK5Passwd Off
    KrbAuthRealms MPLS.LOCAL
    KrbSaveCredentials on
    KrbServiceName HTTP
    Krb5KeyTab /etc/http/conf.d/http.keytab
    AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
    RequestHeader set X_REMOTE_USER %{remoteUser}e
    require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
</Location>

With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using Firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails.

I have also noticed the following:

1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
2. It takes a longer period of time to do a kinit.

If I then perform:

[root@ipaserver ~]# ifup eth0
[root@ipaserver2 ~]# ifdown eth0

[mike@ipaclient ~]$ kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

[root@ipaserver2 ~]# ifup eth0

[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

[root@ipaserver2 ~]# ifdown eth0

.. wait a number of minutes; ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes

[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

Any ideas?

Thanks,
Mike

This seems to be some DNS problem. Your client does not see the second replica and might have some name resolution timeouts. Please check your DNS setup and krb5.conf on the client. To help more we need more details about your client configuration, DNS and Kerberos.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:

[...]

Hi,

Additional information...
[root@zenoss ~]# more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# nslookup ipaserver
Server:     172.16.112.5
Address:    172.16.112.5#53

Name:   ipaserver.mpls.local
Address: 172.16.112.5

[root@ipaserver ~]# ifdown eth0

[root@ipaclient ~]# nslookup ipaserver
Server:     172.16.112.8
Address:    172.16.112.8#53

Name:   ipaserver.mpls.local
Address: 172.16.112.5
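The krb5.conf files above carry no explicit kdc = lines; with dns_lookup_kdc = true the Kerberos library discovers KDCs from the _kerberos._udp.MPLS.LOCAL and _kerberos._tcp.MPLS.LOCAL SRV records that FreeIPA publishes in its DNS, and walks that list, with a timeout per unreachable server, until one answers. The script below is an added example, not code from this thread, FreeIPA or MIT krb5: it parses the output of dig +short SRV, orders the records the way RFC 2782 prescribes (priority first, then weighted random choice), and tries each KDC through a probe function, returning the KDC that answered and every target tried before it. The hostnames and realm are the thread's; the SRV priority/weight values and the sample dig output are constructed, not captured. The tcp_probe function does a live TCP/88 connect and is only for running the script against a real realm; the offline check uses a stand-in probe that mimics "ifdown eth0 on ipaserver".

```python
"""KDC discovery and failover walk, the way a dns_lookup_kdc = true client does it.
Added example; not code from the thread.  Hostnames/realm from the thread,
SRV priorities and weights assumed."""
import random
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample of `dig +short SRV _kerberos._udp.mpls.local` output for the
# two masters in the thread.  Priority/weight values are assumed, not captured.
SAMPLE_DIG_OUTPUT = """\
0 100 88 ipaserver.mpls.local.
0 100 88 ipaserver2.mpls.local.
"""


def parse_dig_srv(text: str) -> List[SrvRecord]:
    """Parse `dig +short SRV` lines of the form '<priority> <weight> <port> <target.>'."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line or something that is not an SRV RDATA line
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_srv(records: Iterable[SrvRecord], seed: Optional[int] = None) -> List[SrvRecord]:
    """RFC 2782 ordering: lowest priority first; within one priority level pick
    targets by weighted random choice, zero-weight targets being least likely."""
    rng = random.Random(seed)
    ordered: List[SrvRecord] = []
    records = list(records)
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)  # zero weights to the front (RFC 2782)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live check: can we open a TCP connection to this KDC port?  Not used offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes DNS failure (gaierror) and connect timeouts
        return False


def select_kdc(records: Iterable[SrvRecord], probe: Probe,
               seed: Optional[int] = None) -> Tuple[Optional[str], List[str]]:
    """Walk the ordered KDC list and stop at the first that answers.
    Returns (kdc_or_None, targets_tried_in_order).  Every entry in `tried`
    before the last one cost the client a full timeout; None means every
    KDC failed, i.e. 'Cannot contact any KDC for realm'."""
    tried: List[str] = []
    for rec in order_srv(records, seed):
        tried.append(rec.target)
        if probe(rec.target, rec.port):
            return rec.target, tried
    return None, tried


if __name__ == "__main__":
    recs = parse_dig_srv(SAMPLE_DIG_OUTPUT)
    # Stand-in for "ifdown eth0 on ipaserver": only ipaserver2 answers.
    only_second_up = lambda host, port: host == "ipaserver2.mpls.local"
    for seed in range(4):
        print(seed, select_kdc(recs, only_second_up, seed=seed))
    # Against a live realm, feed real dig output and the real probe instead:
    #   select_kdc(parse_dig_srv(subprocess.check_output(
    #       ["dig", "+short", "SRV", "_kerberos._udp.mpls.local"], text=True)), tcp_probe)
```

With both records at equal priority and weight, roughly half of the runs try the down ipaserver first and only reach ipaserver2 after the timeout, which is the kind of slow kinit reported above; a None result means no target in the SRV answer was reachable, so the first thing to check in that state is the SRV answer itself, for example dig SRV _kerberos._udp.mpls.local @172.16.112.8 while ipaserver is down, before looking at the KDCs.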
Re: [Freeipa-users] errors when one ipa server down
On 09/07/2012 12:42 PM, Michael Mercier wrote:

[...]
Re: [Freeipa-users] errors when one ipa server down
On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:

[...]
Re: [Freeipa-users] errors when one ipa server down
Michael Mercier wrote:

[...]