Re: [Freeipa-users] errors when one ipa server down

2012-09-24 Thread Jakub Hrozek
On Wed, Sep 19, 2012 at 12:27:25PM -0400, Dmitri Pal wrote:
 On 09/19/2012 12:11 PM, Jakub Hrozek wrote:
  On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote:
  On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote:
 
  On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote:
  On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
 
  On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
  [root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8
 
  [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
  [sssd_krb5_locator] sssd_krb5_locator_init called
  [sssd_krb5_locator] Found [172.16.112.8] in 
  [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
  [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested 
  realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
  [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
  [sssd_krb5_locator] [172.16.112.8] used
  [sssd_krb5_locator] sssd_krb5_locator_close called
  [sssd_krb5_locator] sssd_krb5_locator_init called
  [sssd_krb5_locator] Found [172.16.112.8] in 
  [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
  [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested 
  realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
  [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
  [sssd_krb5_locator] [172.16.112.8] used
  [sssd_krb5_locator] sssd_krb5_locator_close called
  kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
  initial credentials
  Jakub, does this make sense to you?
 
  As stated elsewhere in this thread, bare kinit does not contact the SSSD
  at all. You want to go through the PAM stack (with su - mike or ssh
  mike@ipaclient) in order to contact the SSSD so that the SSSD refreshes
  the file.
 
  Does using su - mike refresh the file?
  When performing an 'su - mike' I will occasionally see a short delay (~2 
  seconds) when bringing the interfaces up and down on the servers.
 
  e.g.
 
  [root@ipaclient sssd]# su - mike
  ^^ Sorry, but can you re-run the test again and either su from another
  non-root user or ssh into the client for instance? The reason is that
  performing su as root would not contact the SSSD at all either. The
  default PAM configuration for su includes pam_rootok.so which just
  returns PAM_SUCCESS if the user who performs su has UID=0.
  Hello,
 
  [mike@ipaclient ~]$ su - eric
  Password:  # NOTE: no delay
  [eric@ipaclient ~]$ exit
  logout
 
  [root@ipaserver ~]ifdown eth0
 
  [mike@ipaclient ~]$ su - eric
  Password:# NOTE: there is a delay here, ~5 seconds
  [eric@ipaclient ~]$ exit
  logout
 
  [root@ipaserver ~]ifup eth0
 
  [root@ipaserver2 ~]ifdown eth0
 
  [mike@ipaclient ~]$ su - eric
  Password:   # NOTE: no delay
  [eric@ipaclient ~]$exit
  logout
 
  [root@ipaserver ~]ifdown eth0
 
  [root@ipaserver2 ~]ifup eth0
 
  [mike@ipaclient ~]$ su - eric
  Password:  # NOTE: no delay
  [eric@ipaclient ~]$ exit
  logout
 
  There does not appear to be any problems when doing an su -.
 
  I agree. I think that the SSSD fails over just fine.
 
  An additional note is that the ipaclient system had been sitting idle all 
  night.  Right before starting this test, I had to unlock the workstation.
  The unlock (if performed through GDM at least) would trigger an auth and
  by extension going online/offline.
 
  What I suspect was happening is that the kinit just contacted a KDC that was
  present in the kdcinfo files, but down without the Kerberos libraries
  knowing it was down -- and without a mechanism to tell the SSSD to go
  and try another server. We're tracking this as a future enhancement.
 
 Do you have a ticket handy?

We discussed doing it as part of
https://fedorahosted.org/sssd/ticket/941 which might add a new
responder.

 
 
  Thank you for testing, Mike!
 
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.
 
 
 ---
 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/
 
 
 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] errors when one ipa server down

2012-09-19 Thread Dmitri Pal
On 09/19/2012 12:11 PM, Jakub Hrozek wrote:
 On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote:
 On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote:

 On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote:
 On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:

 On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
 [root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8

 [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
 [sssd_krb5_locator] sssd_krb5_locator_init called
 [sssd_krb5_locator] Found [172.16.112.8] in 
 [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
 [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
 family[0] socktype[2] locate_service[1]
 [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
 [sssd_krb5_locator] [172.16.112.8] used
 [sssd_krb5_locator] sssd_krb5_locator_close called
 [sssd_krb5_locator] sssd_krb5_locator_init called
 [sssd_krb5_locator] Found [172.16.112.8] in 
 [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
 [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
 family[0] socktype[1] locate_service[1]
 [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
 [sssd_krb5_locator] [172.16.112.8] used
 [sssd_krb5_locator] sssd_krb5_locator_close called
 kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
 initial credentials
 Jakub, does this make sense to you?

 As stated elsewhere in this thread, bare kinit does not contact the SSSD
 at all. You want to go through the PAM stack (with su - mike or ssh
 mike@ipaclient) in order to contact the SSSD so that the SSSD refreshes
 the file.

 Does using su - mike refresh the file?
 When performing an 'su - mike' I will occasionally see a short delay (~2 
 seconds) when bringing the interfaces up and down on the servers.

 e.g.

 [root@ipaclient sssd]# su - mike
 ^^ Sorry, but can you re-run the test again and either su from another
 non-root user or ssh into the client for instance? The reason is that
 performing su as root would not contact the SSSD at all either. The
 default PAM configuration for su includes pam_rootok.so which just
 returns PAM_SUCCESS if the user who performs su has UID=0.
 Hello,

 [mike@ipaclient ~]$ su - eric
 Password:  # NOTE: no delay
 [eric@ipaclient ~]$ exit
 logout

 [root@ipaserver ~]ifdown eth0

 [mike@ipaclient ~]$ su - eric
 Password:# NOTE: there is a delay here, ~5 seconds
 [eric@ipaclient ~]$ exit
 logout

 [root@ipaserver ~]ifup eth0

 [root@ipaserver2 ~]ifdown eth0

 [mike@ipaclient ~]$ su - eric
 Password:   # NOTE: no delay
 [eric@ipaclient ~]$exit
 logout

 [root@ipaserver ~]ifdown eth0

 [root@ipaserver2 ~]ifup eth0

 [mike@ipaclient ~]$ su - eric
 Password:  # NOTE: no delay
 [eric@ipaclient ~]$ exit
 logout

 There does not appear to be any problems when doing an su -.

 I agree. I think that the SSSD fails over just fine.

 An additional note is that the ipaclient system had been sitting idle all 
 night.  Right before starting this test, I had to unlock the workstation.
 The unlock (if performed through GDM at least) would trigger an auth and
 by extension going online/offline.

 What I suspect was happening is that the kinit just contacted a KDC that was
 present in the kdcinfo files, but down without the Kerberos libraries
 knowing it was down -- and without a mechanism to tell the SSSD to go
 and try another server. We're tracking this as a future enhancement.

Do you have a ticket handy?


 Thank you for testing, Mike!


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] errors when one ipa server down

2012-09-18 Thread Jakub Hrozek
On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
  [root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8
 
  [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
  [sssd_krb5_locator] sssd_krb5_locator_init called
  [sssd_krb5_locator] Found [172.16.112.8] in 
  [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
  [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
  family[0] socktype[2] locate_service[1]
  [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
  [sssd_krb5_locator] [172.16.112.8] used
  [sssd_krb5_locator] sssd_krb5_locator_close called
  [sssd_krb5_locator] sssd_krb5_locator_init called
  [sssd_krb5_locator] Found [172.16.112.8] in 
  [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
  [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
  family[0] socktype[1] locate_service[1]
  [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
  [sssd_krb5_locator] [172.16.112.8] used
  [sssd_krb5_locator] sssd_krb5_locator_close called
  kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial 
  credentials
 
 Jakub, does this make sense to you?
 

As stated elsewhere in this thread, bare kinit does not contact the SSSD
at all. You want to go through the PAM stack (with su - mike or ssh
mike@ipaclient) in order to contact the SSSD so that the SSSD refreshes
the file.

Does using su - mike refresh the file?

Michael also said that the IP address 172.16.112.8 is the address of the
server that is down. I assume that at one point the SSSD was using that
server but no request came to the SSSD since the last one, so the SSSD
did not fail over to the other configured server. Your SRV records
indicated that the servers had the same priority fields, so selecting one
over another is pretty much random.

I don't think the SSSD is operating in offline mode completely,
otherwise it would have removed the file to avoid this kind of timeout.
 
Bottom line, kinit does not contact the SSSD and does not refresh the
address via the locator plugin.

Returning multiple addresses from the locator plugin or creating a
smarter way of interacting between the Kerberos tools and the SSSD is
the scope of https://fedorahosted.org/sssd/ticket/941
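The diagnosis above turns on the kdcinfo file that SSSD publishes under /var/lib/sss/pubconf for the sssd_krb5_locator plugin: kinit dials whatever address is in that file, and nothing tells the SSSD to refresh it when that KDC goes away. The script below is an added example, not code from this thread or from SSSD. It parses kdcinfo.<REALM> files (assumed format: one entry per line, a bare address as in the debug output above where the file held 172.16.112.8 and the locator dialled 172.16.112.8:88, or host:port, or a bracketed IPv6 literal with optional port) and flags entries whose KDC no longer accepts a TCP connection on port 88, which is the stale-pointer condition described above. The tcp_probe helper, the audit_pubconf walk and the file-format handling are assumptions of this example; the probe is injectable so the check runs offline against a fake.

```python
# Added example (not from the thread or from SSSD): audit the kdcinfo files
# SSSD publishes for the sssd_krb5_locator plugin and flag entries that
# point at a KDC which no longer answers on the Kerberos port.
import socket
from pathlib import Path

PUBCONF_DIR = Path("/var/lib/sss/pubconf")  # directory shown in the locator debug output
KRB5_PORT = 88                              # assumed default when a line carries no port


def parse_kdcinfo(text):
    """Parse the body of a kdcinfo.<REALM> file into (host, port) tuples.

    Assumed format: one entry per line, either a bare address or host name
    (the thread's file held '172.16.112.8' and the locator dialled
    172.16.112.8:88), 'host:port', or '[ipv6-literal]:port'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):                 # bracketed IPv6 literal, optional :port
            host, _, rest = line[1:].partition("]")
            port = int(rest[1:]) if rest.startswith(":") else KRB5_PORT
        elif line.count(":") == 1:               # 'host:port'
            host, port_str = line.split(":")
            port = int(port_str)
        else:                                    # bare IPv4 literal or host name
            host, port = line, KRB5_PORT
        entries.append((host, port))
    return entries


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection to host:port opens within the timeout.

    kinit tries UDP first (socktype[2] in the debug output) and then TCP
    (socktype[1]); a refused or timed-out TCP connect on 88 is enough to
    call the published entry stale.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def stale_kdcs(text, probe=tcp_probe):
    """Return the (host, port) entries of a kdcinfo body whose KDC does not answer.

    `probe` is injectable so the check can run offline against a fake.
    """
    return [(h, p) for h, p in parse_kdcinfo(text) if not probe(h, p)]


def audit_pubconf(directory=PUBCONF_DIR, probe=tcp_probe):
    """Map each realm with a kdcinfo.<REALM> file under `directory` to its stale entries."""
    report = {}
    if not directory.is_dir():
        return report
    for path in sorted(directory.glob("kdcinfo.*")):
        realm = path.name[len("kdcinfo."):]
        report[realm] = stale_kdcs(path.read_text(), probe)
    return report


if __name__ == "__main__":
    # Constructed stand-in for kdcinfo.MPLS.LOCAL from the thread, checked with a
    # fake probe in which ipaserver2 (172.16.112.8) has been taken down.
    sample = "172.16.112.8\n"
    down = {("172.16.112.8", KRB5_PORT)}
    print("stale entries:", stale_kdcs(sample, probe=lambda h, p: (h, p) not in down))
    # On a real client, run the live TCP check over every published realm.
    for realm, stale in audit_pubconf().items():
        print(realm, "stale:" if stale else "all published KDCs reachable", *stale)
```

Running the live audit on a client right after one replica is taken down, before any PAM authentication has gone through the SSSD, reproduces the situation in the log above: the file still names the dead KDC, so the report lists it as stale even though the SSSD itself would fail over on its next request.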



Re: [Freeipa-users] errors when one ipa server down

2012-09-18 Thread Michael Mercier

On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:

 On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
 [root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8
 
 [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
 [sssd_krb5_locator] sssd_krb5_locator_init called
 [sssd_krb5_locator] Found [172.16.112.8] in 
 [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
 [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
 family[0] socktype[2] locate_service[1]
 [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
 [sssd_krb5_locator] [172.16.112.8] used
 [sssd_krb5_locator] sssd_krb5_locator_close called
 [sssd_krb5_locator] sssd_krb5_locator_init called
 [sssd_krb5_locator] Found [172.16.112.8] in 
 [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
 [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
 family[0] socktype[1] locate_service[1]
 [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
 [sssd_krb5_locator] [172.16.112.8] used
 [sssd_krb5_locator] sssd_krb5_locator_close called
 kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial 
 credentials
 
 Jakub, does this make sense to you?
 
 
 As stated elsewhere in this thread, bare kinit does not contact the SSSD
 at all. You want to go through the PAM stack (with su - mike or ssh
 mike@ipaclient) in order to contact the SSSD so that the SSSD refreshes
 the file.
 
 Does using su - mike refresh the file?

When performing an 'su - mike' I will occasionally see a short delay (~2 
seconds) when bringing the interfaces up and down on the servers.

e.g.

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifdown eth0

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifup eth0

[root@ipaserver2 ~]ifdown eth0

[root@ipaclient sssd]# su - mike
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifdown eth0

[root@ipaserver2 ~]ifup eth0

[root@ipaclient sssd]# su - mike    # short delay ~2 seconds
[mike@ipaclient ~]$ exit
logout

[root@ipaserver ~]ifup eth0

[root@ipaserver2 ~]ifdown eth0

[root@ipaclient sssd]# su - mike # short delay ~2 seconds
[mike@ipaclient ~]$ exit
logout

I do not seem to have any sssd problems.

Thanks,
Mike

 
 Michael also said that the IP address 172.16.112.8 is the address of the
 server that is down. I assume that at one point the SSSD was using that
 server but no request came to the SSSD since the last one, so the SSSD
 did not fail over to the other configured server. Your SRV records
 indicated that the servers had the same priority fields, so selecting one
 over another is pretty much random.
 
 I don't think the SSSD is operating in offline mode completely,
 otherwise it would have removed the file to avoid this kind of timeout.
 
 Bottom line, kinit does not contact the SSSD and does not refresh the
 address via the locator plugin.
 
 Returning multiple addresses from the locator plugin or creating a
 smarter way of interacting between the Kerberos tools and the SSSD is
 the scope of https://fedorahosted.org/sssd/ticket/941
 




Re: [Freeipa-users] errors when one ipa server down

2012-09-18 Thread Jakub Hrozek
On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote:
 
 On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
 
  On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
  [root@ipaserver2 ~]ifdown eth0   # NOTE: ipaserver2 is 172.16.112.8
  
  [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
  [sssd_krb5_locator] sssd_krb5_locator_init called
  [sssd_krb5_locator] Found [172.16.112.8] in 
  [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
  [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
  family[0] socktype[2] locate_service[1]
  [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
  [sssd_krb5_locator] [172.16.112.8] used
  [sssd_krb5_locator] sssd_krb5_locator_close called
  [sssd_krb5_locator] sssd_krb5_locator_init called
  [sssd_krb5_locator] Found [172.16.112.8] in 
  [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
  [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] 
  family[0] socktype[1] locate_service[1]
  [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
  [sssd_krb5_locator] [172.16.112.8] used
  [sssd_krb5_locator] sssd_krb5_locator_close called
  kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
  initial credentials
  
  Jakub, does this make sense to you?
  
  
  As stated elsewhere in this thread, bare kinit does not contact the SSSD
  at all. You want to go through the PAM stack (with su - mike or ssh
  mike@ipaclient) in order to contact the SSSD so that the SSSD refreshes
  the file.
  
  Does using su - mike refresh the file?
 
 When performing an 'su - mike' I will occasionally see a short delay (~2 
 seconds) when bringing the interfaces up and down on the servers.
 
 e.g.
 
 [root@ipaclient sssd]# su - mike

^^ Sorry, but can you re-run the test again and either su from another
non-root user or ssh into the client for instance? The reason is that
performing su as root would not contact the SSSD at all either. The
default PAM configuration for su includes pam_rootok.so which just
returns PAM_SUCCESS if the user who performs su has UID=0.

I kinda expect the result to be the same (at least for a user who is not
recently cached) because in the case of IPA we need to establish a GSSAPI
encrypted connection anyway so we'd talk to the KDC only to perform
initgroups.
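Why su run by root never reaches the SSSD, shown as a small PAM stack simulator. This is an added example, not code from this thread or from Linux-PAM: the pam.d contents are constructed to resemble a RHEL 6 default su and system-auth (the real files on the client may differ), and the module outcomes are a model in which pam_rootok.so succeeds only for UID 0, pam_unix.so fails because an IPA user has no local shadow entry, and pam_sss.so accepts the password. Walking the auth stack with the classic control flags shows that for a root caller the 'sufficient' pam_rootok.so ends the stack before pam_sss.so is consulted, while an unprivileged caller does reach it, which is why the re-test as a non-root user matters.

```python
# Added example (not from the thread or Linux-PAM): simulate the PAM 'auth'
# stack for 'su' to show when pam_sss.so is reached.

# Constructed pam.d contents resembling a RHEL 6 default; an assumption, the
# client's real /etc/pam.d/su and /etc/pam.d/system-auth may differ.
SAMPLE_PAMD = {
    "su": """\
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
auth        include     system-auth
account     sufficient  pam_succeed_if.so uid = 0 use_uid quiet
account     include     system-auth
""",
    "system-auth": """\
auth        required    pam_env.so
auth        sufficient  pam_unix.so nullok try_first_pass
auth        requisite   pam_succeed_if.so uid >= 500 quiet
auth        sufficient  pam_sss.so use_first_pass
auth        required    pam_deny.so
""",
}


def parse_stack(service, pamd=SAMPLE_PAMD, facility="auth"):
    """Flatten one facility of a pam.d service into (control, module, args)
    rules, following 'include' lines into the included service."""
    rules = []
    for line in pamd[service].splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:   # comments, blanks, other facilities
            continue
        control, module, args = parts[1], parts[2], parts[3:]
        if control == "include":
            rules.extend(parse_stack(module, pamd, facility))
        else:
            rules.append((control, module, args))
    return rules


def run_stack(rules, outcome):
    """Walk the rules with the classic control flags (simplified from pam.conf(5)):
    a successful 'sufficient' module ends the stack with success unless an earlier
    'required' module failed; a failed 'requisite' ends it with failure at once;
    a failed 'required' is remembered but the walk continues; other results are
    ignored. Returns (authenticated, modules consulted in order)."""
    consulted, required_failed = [], False
    for control, module, args in rules:
        consulted.append(module)
        ok = outcome(module, args)
        if control == "sufficient" and ok and not required_failed:
            return True, consulted
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            required_failed = True
    return not required_failed, consulted


def model_outcomes(caller_uid):
    """Module results for 'su - <ipa user>' invoked by caller_uid. Constructed
    model: the IPA user has no /etc/shadow entry, so pam_unix.so fails, and
    the SSSD (with a reachable KDC) accepts the password."""
    def outcome(module, args):
        if module == "pam_rootok.so":
            return caller_uid == 0         # the short-circuit this thread is about
        if module == "pam_unix.so":
            return False                   # network user: not in local files
        if module == "pam_deny.so":
            return False
        return True                        # pam_env, pam_succeed_if (uid >= 500), pam_sss
    return outcome


def su_reaches_sssd(caller_uid, pamd=SAMPLE_PAMD):
    """Return (authenticated, sssd_consulted, trace) for 'su - <ipa user>'."""
    authenticated, trace = run_stack(parse_stack("su", pamd), model_outcomes(caller_uid))
    return authenticated, "pam_sss.so" in trace, trace


if __name__ == "__main__":
    for uid, who in ((0, "root"), (500, "mike")):
        ok, via_sssd, trace = su_reaches_sssd(uid)
        print(f"su from {who} (uid {uid}): auth={'ok' if ok else 'fail'} "
              f"sssd_consulted={via_sssd} stack={' -> '.join(trace)}")
```

The same walk explains why ssh into the client is an equally good test: sshd's PAM service has no pam_rootok.so, so every login goes through pam_sss.so and the SSSD gets its chance to notice the dead server and fail over.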



Re: [Freeipa-users] errors when one ipa server down

2012-09-17 Thread Michael Mercier

On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:

 Michael Mercier wrote:
 
 On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
 
 On 09/07/2012 12:42 PM, Michael Mercier wrote:
 On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
 
 On 09/06/2012 10:40 AM, Michael Mercier wrote:
 Hello,
 
 I have experienced some odd connectivity issues using MMR with FreeIPA 
 (all systems CentOS 6.3).  I have 2 ipa servers (ipaserver / ipaserver2) 
 setup using MMR.
 
 [root@ipaserver ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 
 
 [root@ipaserver2 ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver2 ~]# rpm -qa|grep ipa
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 
 
 [mike@ipaclient ~]$ rpm -qa|grep ipa
 ipa-admintools-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64
 
 
 I have a webserver (zenoss) using kerberos authentication.
 
 [root@zenoss ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-python-2.2.0-16.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-admintools-2.2.0-16.el6.x86_64
 
 <Location />
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
 
  KrbMethodK5Passwd Off
  KrbAuthRealms MPLS.LOCAL
  KrbSaveCredentials on
  KrbServiceName HTTP
  Krb5KeyTab /etc/http/conf.d/http.keytab
 
  AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
  RequestHeader set X_REMOTE_USER %{remoteUser}e
  require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
 </Location>
 
 
 With both ipaserver and ipaserver2 'up', if I connect to 
 https://zenoss.mpls.local from ipaclient using firefox, I am 
 successfully connected.  If on ipaserver I do a 'ifdown eth0' and 
 attempt another connection, it fails.  I have also noticed the following:
 
 1. I am unable to use the ipaserver2 management interface when ipaserver 
 is unavailable.
 2. It takes a longer period of time to do a kinit
 
 If I then perform:
 [root@ipaserver ~]#ifup eth0
 
 [root@ipaserver2 ~]#ifdown eth0
 
 [mike@ipaclient ~]$kinit
 kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
 initial credentials
 
 [root@ipaserver2 ~]#ifup eth0
 
 [mike@ipaclient ~]$ kinit
 Password for mike@MPLS.LOCAL:
 [mike@ipaclient ~]$
 
 [root@ipaserver2 ~]#ifdown eth0
 
 .. wait number of minutes
 
 ipaclient screen locks - type password - after a short delay (~7 
 seconds) screen unlock completes
 
 [mike@ipaclient ~]$kinit
 Password for mike@MPLS.LOCAL:
 [mike@ipaclient ~]$
 
 Any ideas?
 
 Thanks,
 Mike
 This seems to be some DNS problem.
 Your client does not see the second replica and might have some name
 resolution timeouts.
 
 Please check your dns setup and krb5.conf on the client.
 
 To help more we need more details about your client configuration (DNS and
 Kerberos).
 Hi,
 
 Additional information...
 
 [root@zenoss ~]#more /etc/resolv.conf
 search mpls.local
 domain mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8
 
 [root@zenoss ~]# more /etc/krb5.conf
 #File modified by ipa-client-install
 
 [libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
 
 [realms]
  MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
 
 [domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL
 
 [root@ipaclient ~]# more /etc/resolv.conf
 # Generated by NetworkManager
 search mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8
 
 [root@ipaclient ~]# more /etc/krb5.conf
 #File modified by ipa-client-install
 
 [libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
 
 [realms]
  MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
 
 [domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL
 
 [root@ipaclient ~]# nslookup ipaserver
 Server:172.16.112.5
 Address:   172.16.112.5#53
 
 Name:  ipaserver.mpls.local
 Address: 172.16.112.5
 

Re: [Freeipa-users] errors when one ipa server down

2012-09-17 Thread Michael Mercier

On 2012-09-10, at 4:35 AM, Petr Spacek wrote:

 On 09/08/2012 05:03 PM, Dmitri Pal wrote:
 On 09/07/2012 04:50 PM, Rob Crittenden wrote:
 Michael Mercier wrote:
 
 On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
 
 On 09/07/2012 12:42 PM, Michael Mercier wrote:
 On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
 
 On 09/06/2012 10:40 AM, Michael Mercier wrote:
 Hello,
 
 I have experienced some odd connectivity issues using MMR with
 FreeIPA (all systems CentOS 6.3).  I have 2 ipa servers
 (ipaserver / ipaserver2) setup using MMR.
 
 [root@ipaserver ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 
 
 [root@ipaserver2 ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver2 ~]# rpm -qa|grep ipa
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 
 
 [mike@ipaclient ~]$ rpm -qa|grep ipa
 ipa-admintools-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64
 
 
 I have a webserver (zenoss) using kerberos authentication.
 
 [root@zenoss ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-python-2.2.0-16.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-admintools-2.2.0-16.el6.x86_64
 
 <Location />
   SSLRequireSSL
   AuthType Kerberos
   AuthName "Kerberos Login"
 
   KrbMethodK5Passwd Off
   KrbAuthRealms MPLS.LOCAL
   KrbSaveCredentials on
   KrbServiceName HTTP
   Krb5KeyTab /etc/http/conf.d/http.keytab
 
   AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
   RequestHeader set X_REMOTE_USER %{remoteUser}e
   require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
 </Location>
 
 
 With both ipaserver and ipaserver2 'up', if I connect to
 https://zenoss.mpls.local from ipaclient using firefox, I am
 successfully connected.  If on ipaserver I do a 'ifdown eth0' and
 attempt another connection, it fails.  I have also noticed the
 following:
 
 1. I am unable to use the ipaserver2 management interface when
 ipaserver is unavailable.
 2. It takes a longer period of time to do a kinit
 
 If I then perform:
 [root@ipaserver ~]#ifup eth0
 
 [root@ipaserver2 ~]#ifdown eth0
 
 [mike@ipaclient ~]$kinit
 kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
 getting initial credentials
 
 [root@ipaserver2 ~]#ifup eth0
 
 [mike@ipaclient ~]$ kinit
 Password for mike@MPLS.LOCAL:
 [mike@ipaclient ~]$
 
 [root@ipaserver2 ~]#ifdown eth0
 
 .. wait number of minutes
 
 ipaclient screen locks - type password - after a short delay (~7
 seconds) screen unlock completes
 
 [mike@ipaclient ~]$kinit
 Password for mike@MPLS.LOCAL:
 [mike@ipaclient ~]$
 
 Any ideas?
 
 Thanks,
 Mike
 This seems to be some DNS problem.
 Your client does not see the second replica and might have some name
 resolution timeouts.
 
 Please check your dns setup and krb5.conf on the client.
 
 To help more we need more details about your client configuration
 (DNS and
 Kerberos).
 Hi,
 
 Additional information...
 
 [root@zenoss ~]#more /etc/resolv.conf
 search mpls.local
 domain mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8
 
 [root@zenoss ~]# more /etc/krb5.conf
 #File modified by ipa-client-install
 
 [libdefaults]
   default_realm = MPLS.LOCAL
   dns_lookup_realm = true
   dns_lookup_kdc = true
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes
 
 [realms]
   MPLS.LOCAL = {
 pkinit_anchors = FILE:/etc/ipa/ca.crt
   }
 
 [domain_realm]
   .mpls.local = MPLS.LOCAL
   mpls.local = MPLS.LOCAL
 
 [root@ipaclient ~]# more /etc/resolv.conf
 # Generated by NetworkManager
 search mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8
 
 [root@ipaclient ~]# more /etc/krb5.conf
 #File modified by ipa-client-install
 
 [libdefaults]
   default_realm = MPLS.LOCAL
   dns_lookup_realm = true
   dns_lookup_kdc = true
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes
 
 [realms]
   MPLS.LOCAL = {
 pkinit_anchors = FILE:/etc/ipa/ca.crt
   }
 
 [domain_realm]
   .mpls.local = MPLS.LOCAL
   mpls.local = MPLS.LOCAL
 
 [root@ipaclient ~]# nslookup ipaserver
 

Re: [Freeipa-users] errors when one ipa server down

2012-09-17 Thread Dmitri Pal
On 09/17/2012 10:27 AM, Michael Mercier wrote:
 On 2012-09-10, at 4:35 AM, Petr Spacek wrote:

 On 09/08/2012 05:03 PM, Dmitri Pal wrote:
 On 09/07/2012 04:50 PM, Rob Crittenden wrote:
 Michael Mercier wrote:
 On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:

 On 09/07/2012 12:42 PM, Michael Mercier wrote:
 On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:

 On 09/06/2012 10:40 AM, Michael Mercier wrote:
 Hello,

 I have experienced some odd connectivity issues using MMR with
 FreeIPA (all systems CentOS 6.3).  I have 2 ipa servers
 (ipaserver / ipaserver2) setup using MMR.

 [root@ipaserver ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64


 [root@ipaserver2 ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver2 ~]# rpm -qa|grep ipa
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch


 [mike@ipaclient ~]$ rpm -qa|grep ipa
 ipa-admintools-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64


 I have a webserver (zenoss) using kerberos authentication.

 [root@zenoss ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-python-2.2.0-16.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-admintools-2.2.0-16.el6.x86_64

 <Location />
   SSLRequireSSL
   AuthType Kerberos
   AuthName "Kerberos Login"

   KrbMethodK5Passwd Off
   KrbAuthRealms MPLS.LOCAL
   KrbSaveCredentials on
   KrbServiceName HTTP
   Krb5KeyTab /etc/http/conf.d/http.keytab

   AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
   RequestHeader set X_REMOTE_USER %{remoteUser}e
   require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
 </Location>


 With both ipaserver and ipaserver2 'up', if I connect to
 https://zenoss.mpls.local from ipaclient using firefox, I am
 successfully connected.  If on ipaserver I do a 'ifdown eth0' and
 attempt another connection, it fails.  I have also noticed the
 following:

 1. I am unable to use the ipaserver2 management interface when
 ipaserver is unavailable.
 2. It takes a longer period of time to do a kinit

 If I then perform:
 [root@ipaserver ~]#ifup eth0

 [root@ipaserver2 ~]#ifdown eth0

 [mike@ipaclient ~]$kinit
 kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
 getting initial credentials

 [root@ipaserver2 ~]#ifup eth0

 [mike@ipaclient ~]$ kinit
 Password for mike@MPLS.LOCAL:
 [mike@ipaclient ~]$

 [root@ipaserver2 ~]#ifdown eth0

 .. wait number of minutes

 ipaclient screen locks - type password - after a short delay (~7
 seconds) screen unlock completes

 [mike@ipaclient ~]$kinit
 Password for mike@MPLS.LOCAL:
 [mike@ipaclient ~]$

 Any ideas?

 Thanks,
 Mike
 This seems to be some DNS problem.
 Your client does not see the second replica and might have some name
 resolution timeouts.

 Please check your dns setup and krb5.conf on the client.

 To help more we need more details about your client configuration
 (DNS and
 Kerberos).
 Hi,

 Additional information...

 [root@zenoss ~]#more /etc/resolv.conf
 search mpls.local
 domain mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8

 [root@zenoss ~]# more /etc/krb5.conf
 #File modified by ipa-client-install

 [libdefaults]
   default_realm = MPLS.LOCAL
   dns_lookup_realm = true
   dns_lookup_kdc = true
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes

 [realms]
   MPLS.LOCAL = {
 pkinit_anchors = FILE:/etc/ipa/ca.crt
   }

 [domain_realm]
   .mpls.local = MPLS.LOCAL
   mpls.local = MPLS.LOCAL

 [root@ipaclient ~]# more /etc/resolv.conf
 # Generated by NetworkManager
 search mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8

 [root@ipaclient ~]# more /etc/krb5.conf
 #File modified by ipa-client-install

 [libdefaults]
   default_realm = MPLS.LOCAL
   dns_lookup_realm = true
   dns_lookup_kdc = true
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes

 [realms]
   MPLS.LOCAL = {
 pkinit_anchors = FILE:/etc/ipa/ca.crt
   }

 [domain_realm]
   .mpls.local = MPLS.LOCAL
   mpls.local = MPLS.LOCAL

 [root@ipaclient ~]# nslookup ipaserver
 

Re: [Freeipa-users] errors when one ipa server down

2012-09-17 Thread Dmitri Pal
On 09/17/2012 10:14 AM, Michael Mercier wrote:
 On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:

 Michael Mercier wrote:
 On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:

 On 09/07/2012 12:42 PM, Michael Mercier wrote:
 On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:

 On 09/06/2012 10:40 AM, Michael Mercier wrote:
 Hello,

 I have experienced some odd connectivity issues using MMR with FreeIPA 
 (all systems CentOS 6.3).  I have 2 ipa servers (ipaserver / 
 ipaserver2) set up using MMR.

 [root@ipaserver ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64


 [root@ipaserver2 ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver2 ~]# rpm -qa|grep ipa
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch


 [mike@ipaclient ~]$ rpm -qa|grep ipa
 ipa-admintools-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64


 I have a webserver (zenoss) using kerberos authentication.

 [root@zenoss ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-python-2.2.0-16.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-admintools-2.2.0-16.el6.x86_64

 <Location />
  SSLRequireSSL
  AuthType Kerberos
  AuthName Kerberos Login

  KrbMethodK5Passwd Off
  KrbAuthRealms MPLS.LOCAL
  KrbSaveCredentials on
  KrbServiceName HTTP
  Krb5KeyTab /etc/http/conf.d/http.keytab

  AuthLDAPUrl ldap://ipaserver.mpls.local 
 ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName
  RequestHeader set X_REMOTE_USER %{remoteUser}e
  require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
 </Location>


 With both ipaserver and ipaserver2 'up', if I connect to 
 https://zenoss.mpls.local from ipaclient using firefox, I am 
 successfully connected.  If on ipaserver I do a 'ifdown eth0' and 
 attempt another connection, it fails.  I have also noticed the 
 following:

 1. I am unable to use the ipaserver2 management interface when 
 ipaserver is unavailable.
 2. It takes a longer period of time to do a kinit

 If I then perform:
 [root@ipaserver ~]#ifup eth0

 [root@ipaserver2 ~]#ifdown eth0

 [mike@ipaclient ~]$kinit
 kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
 initial credentials

 [root@ipaserver2 ~]#ifup eth0

 [mike@ipaclient ~]$ kinit
 Password for mike@MPLS.LOCAL:
 [mike@ipaclient ~]$

 [root@ipaserver2 ~]#ifdown eth0

 .. wait number of minutes

 ipaclient screen locks - type password - after a short delay (~7 
 seconds) screen unlock completes

 [mike@ipaclient ~]$kinit
 Password for mike@MPLS.LOCAL:
 [mike@ipaclient ~]$

 Any ideas?

 Thanks,
 Mike
 This seems to be some DNS problem.
 Your client does not see the second replica and might have some name
 resolution timeouts.

 Please check your dns setup and krb5.conf on the client.

 To help more we need more details about your client configuration DNS and
 kerberos.
 Hi,

 Additional information...

 [root@zenoss ~]#more /etc/resolv.conf
 search mpls.local
 domain mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8

 [root@zenoss ~]# more /etc/krb5.conf
 #File modified by ipa-client-install

 [libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

 [realms]
  MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

 [domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

 [root@ipaclient ~]# more /etc/resolv.conf
 # Generated by NetworkManager
 search mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8

 [root@ipaclient ~]# more /etc/krb5.conf
 #File modified by ipa-client-install

 [libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

 [realms]
  MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

 [domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

 [root@ipaclient ~]# nslookup ipaserver
 Server:   172.16.112.5
 Address:  172.16.112.5#53

 Name: ipaserver.mpls.local
 Address: 172.16.112.5


Re: [Freeipa-users] errors when one ipa server down

2012-09-17 Thread Michael Mercier

On 2012-09-17, at 11:27 AM, Dmitri Pal wrote:

 On 09/17/2012 10:14 AM, Michael Mercier wrote:
 On 2012-09-07, at 4:50 PM, Rob Crittenden wrote:
 
 Michael Mercier wrote:
 On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
 
 On 09/07/2012 12:42 PM, Michael Mercier wrote:
 On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
 
 On 09/06/2012 10:40 AM, Michael Mercier wrote:
 Hello,
 
 I have experienced some odd connectivity issues using MMR with FreeIPA 
 (all systems CentOS 6.3).  I have 2 ipa servers (ipaserver / 
 ipaserver2) set up using MMR.
 
 [root@ipaserver ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 
 
 [root@ipaserver2 ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver2 ~]# rpm -qa|grep ipa
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 
 
 [mike@ipaclient ~]$ rpm -qa|grep ipa
 ipa-admintools-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64
 
 
 I have a webserver (zenoss) using kerberos authentication.
 
 [root@zenoss ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-python-2.2.0-16.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-admintools-2.2.0-16.el6.x86_64
 
 <Location />
 SSLRequireSSL
 AuthType Kerberos
 AuthName Kerberos Login
 
 KrbMethodK5Passwd Off
 KrbAuthRealms MPLS.LOCAL
 KrbSaveCredentials on
 KrbServiceName HTTP
 Krb5KeyTab /etc/http/conf.d/http.keytab
 
 AuthLDAPUrl ldap://ipaserver.mpls.local 
 ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName
 RequestHeader set X_REMOTE_USER %{remoteUser}e
 require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
 </Location>
 
 
 With both ipaserver and ipaserver2 'up', if I connect to 
 https://zenoss.mpls.local from ipaclient using firefox, I am 
 successfully connected.  If on ipaserver I do a 'ifdown eth0' and 
 attempt another connection, it fails.  I have also noticed the 
 following:
 
 1. I am unable to use the ipaserver2 management interface when 
 ipaserver is unavailable.
 2. It takes a longer period of time to do a kinit
 
 If I then perform:
 [root@ipaserver ~]#ifup eth0
 
 [root@ipaserver2 ~]#ifdown eth0
 
 [mike@ipaclient ~]$kinit
 kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting 
 initial credentials
 
 [root@ipaserver2 ~]#ifup eth0
 
 [mike@ipaclient ~]$ kinit
 Password for mike@MPLS.LOCAL:
 [mike@ipaclient ~]$
 
 [root@ipaserver2 ~]#ifdown eth0
 
 .. wait number of minutes
 
 ipaclient screen locks - type password - after a short delay (~7 
 seconds) screen unlock completes
 
 [mike@ipaclient ~]$kinit
 Password for mike@MPLS.LOCAL:
 [mike@ipaclient ~]$
 
 Any ideas?
 
 Thanks,
 Mike
 This seems to be some DNS problem.
 Your client does not see the second replica and might have some name
 resolution timeouts.
 
 Please check your dns setup and krb5.conf on the client.
 
 To help more we need more details about your client configuration DNS and
 kerberos.
 Hi,
 
 Additional information...
 
 [root@zenoss ~]#more /etc/resolv.conf
 search mpls.local
 domain mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8
 
 [root@zenoss ~]# more /etc/krb5.conf
 #File modified by ipa-client-install
 
 [libdefaults]
 default_realm = MPLS.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 
 [realms]
 MPLS.LOCAL = {
   pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
 
 [domain_realm]
 .mpls.local = MPLS.LOCAL
 mpls.local = MPLS.LOCAL
 
 [root@ipaclient ~]# more /etc/resolv.conf
 # Generated by NetworkManager
 search mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8
 
 [root@ipaclient ~]# more /etc/krb5.conf
 #File modified by ipa-client-install
 
 [libdefaults]
 default_realm = MPLS.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 
 [realms]
 MPLS.LOCAL = {
   pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
 
 [domain_realm]
 .mpls.local = MPLS.LOCAL
 mpls.local = MPLS.LOCAL
 
 [root@ipaclient ~]# nslookup ipaserver
 Server:  172.16.112.5
 Address: 172.16.112.5#53

Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Petr Spacek

On 09/08/2012 05:03 PM, Dmitri Pal wrote:

On 09/07/2012 04:50 PM, Rob Crittenden wrote:

Michael Mercier wrote:


On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:


On 09/07/2012 12:42 PM, Michael Mercier wrote:

On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:


On 09/06/2012 10:40 AM, Michael Mercier wrote:

Hello,

I have experienced some odd connectivity issues using MMR with
FreeIPA (all systems CentOS 6.3).  I have 2 ipa servers
(ipaserver / ipaserver2) set up using MMR.

[root@ipaserver ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64


[root@ipaserver2 ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch


[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64


I have a webserver (zenoss) using kerberos authentication.

[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64

<Location />
   SSLRequireSSL
   AuthType Kerberos
   AuthName Kerberos Login

   KrbMethodK5Passwd Off
   KrbAuthRealms MPLS.LOCAL
   KrbSaveCredentials on
   KrbServiceName HTTP
   Krb5KeyTab /etc/http/conf.d/http.keytab

   AuthLDAPUrl ldap://ipaserver.mpls.local
ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName
   RequestHeader set X_REMOTE_USER %{remoteUser}e
   require ldap-group
cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
</Location>


With both ipaserver and ipaserver2 'up', if I connect to
https://zenoss.mpls.local from ipaclient using firefox, I am
successfully connected.  If on ipaserver I do a 'ifdown eth0' and
attempt another connection, it fails.  I have also noticed the
following:

1. I am unable to use the ipaserver2 management interface when
ipaserver is unavailable.
2. It takes a longer period of time to do a kinit

If I then perform:
[root@ipaserver ~]#ifup eth0

[root@ipaserver2 ~]#ifdown eth0

[mike@ipaclient ~]$kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
getting initial credentials

[root@ipaserver2 ~]#ifup eth0

[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

[root@ipaserver2 ~]#ifdown eth0

.. wait number of minutes

ipaclient screen locks - type password - after a short delay (~7
seconds) screen unlock completes

[mike@ipaclient ~]$kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

Any ideas?

Thanks,
Mike

This seems to be some DNS problem.
Your client does not see the second replica and might have some name
resolution timeouts.

Please check your dns setup and krb5.conf on the client.

To help more we need more details about your client configuration
DNS and
kerberos.

Hi,

Additional information...

[root@zenoss ~]#more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
   default_realm = MPLS.LOCAL
   dns_lookup_realm = true
   dns_lookup_kdc = true
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes

[realms]
   MPLS.LOCAL = {
 pkinit_anchors = FILE:/etc/ipa/ca.crt
   }

[domain_realm]
   .mpls.local = MPLS.LOCAL
   mpls.local = MPLS.LOCAL

[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
   default_realm = MPLS.LOCAL
   dns_lookup_realm = true
   dns_lookup_kdc = true
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes

[realms]
   MPLS.LOCAL = {
 pkinit_anchors = FILE:/etc/ipa/ca.crt
   }

[domain_realm]
   .mpls.local = MPLS.LOCAL
   mpls.local = MPLS.LOCAL

[root@ipaclient ~]# nslookup ipaserver
Server:   172.16.112.5
Address:  172.16.112.5#53

Name:     ipaserver.mpls.local
Address:  172.16.112.5

[root@ipaserver ~]#ifdown eth0

[root@ipaclient ~]# nslookup ipaserver
Server:

Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Rob Crittenden

Dmitri Pal wrote:

On 09/07/2012 04:50 PM, Rob Crittenden wrote:

Michael Mercier wrote:


On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:


On 09/07/2012 12:42 PM, Michael Mercier wrote:

On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:


On 09/06/2012 10:40 AM, Michael Mercier wrote:

Hello,

I have experienced some odd connectivity issues using MMR with
FreeIPA (all systems CentOS 6.3).  I have 2 ipa servers
(ipaserver / ipaserver2) set up using MMR.

[root@ipaserver ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64


[root@ipaserver2 ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch


[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64


I have a webserver (zenoss) using kerberos authentication.

[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64

<Location />
   SSLRequireSSL
   AuthType Kerberos
   AuthName Kerberos Login

   KrbMethodK5Passwd Off
   KrbAuthRealms MPLS.LOCAL
   KrbSaveCredentials on
   KrbServiceName HTTP
   Krb5KeyTab /etc/http/conf.d/http.keytab

   AuthLDAPUrl ldap://ipaserver.mpls.local
ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName
   RequestHeader set X_REMOTE_USER %{remoteUser}e
   require ldap-group
cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
</Location>


With both ipaserver and ipaserver2 'up', if I connect to
https://zenoss.mpls.local from ipaclient using firefox, I am
successfully connected.  If on ipaserver I do a 'ifdown eth0' and
attempt another connection, it fails.  I have also noticed the
following:

1. I am unable to use the ipaserver2 management interface when
ipaserver is unavailable.
2. It takes a longer period of time to do a kinit

If I then perform:
[root@ipaserver ~]#ifup eth0

[root@ipaserver2 ~]#ifdown eth0

[mike@ipaclient ~]$kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
getting initial credentials

[root@ipaserver2 ~]#ifup eth0

[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

[root@ipaserver2 ~]#ifdown eth0

.. wait number of minutes

ipaclient screen locks - type password - after a short delay (~7
seconds) screen unlock completes

[mike@ipaclient ~]$kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

Any ideas?

Thanks,
Mike

This seems to be some DNS problem.
Your client does not see the second replica and might have some name
resolution timeouts.

Please check your dns setup and krb5.conf on the client.

To help more we need more details about your client configuration
DNS and
kerberos.

Hi,

Additional information...

[root@zenoss ~]#more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
   default_realm = MPLS.LOCAL
   dns_lookup_realm = true
   dns_lookup_kdc = true
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes

[realms]
   MPLS.LOCAL = {
 pkinit_anchors = FILE:/etc/ipa/ca.crt
   }

[domain_realm]
   .mpls.local = MPLS.LOCAL
   mpls.local = MPLS.LOCAL

[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
   default_realm = MPLS.LOCAL
   dns_lookup_realm = true
   dns_lookup_kdc = true
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes

[realms]
   MPLS.LOCAL = {
 pkinit_anchors = FILE:/etc/ipa/ca.crt
   }

[domain_realm]
   .mpls.local = MPLS.LOCAL
   mpls.local = MPLS.LOCAL

[root@ipaclient ~]# nslookup ipaserver
Server:   172.16.112.5
Address:  172.16.112.5#53

Name:     ipaserver.mpls.local
Address:  172.16.112.5

[root@ipaserver ~]#ifdown eth0

[root@ipaclient ~]# nslookup ipaserver
Server:   172.16.112.8
Address:

Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Jakub Hrozek
On Mon, Sep 10, 2012 at 09:08:07AM -0400, Rob Crittenden wrote:
 Dmitri Pal wrote:
 On 09/07/2012 04:50 PM, Rob Crittenden wrote:
 Michael Mercier wrote:
 
 On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
 
 On 09/07/2012 12:42 PM, Michael Mercier wrote:
 On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
 
 On 09/06/2012 10:40 AM, Michael Mercier wrote:
 Hello,
 
 I have experienced some odd connectivity issues using MMR with
 FreeIPA (all systems CentOS 6.3).  I have 2 ipa servers
 (ipaserver / ipaserver2) set up using MMR.
 
 [root@ipaserver ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 
 
 [root@ipaserver2 ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver2 ~]# rpm -qa|grep ipa
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 
 
 [mike@ipaclient ~]$ rpm -qa|grep ipa
 ipa-admintools-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64
 
 
 I have a webserver (zenoss) using kerberos authentication.
 
 [root@zenoss ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-python-2.2.0-16.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-admintools-2.2.0-16.el6.x86_64
 
 <Location />
SSLRequireSSL
AuthType Kerberos
AuthName Kerberos Login
 
KrbMethodK5Passwd Off
KrbAuthRealms MPLS.LOCAL
KrbSaveCredentials on
KrbServiceName HTTP
Krb5KeyTab /etc/http/conf.d/http.keytab
 
AuthLDAPUrl ldap://ipaserver.mpls.local
 ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName
RequestHeader set X_REMOTE_USER %{remoteUser}e
require ldap-group
 cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
 </Location>
 
 
 With both ipaserver and ipaserver2 'up', if I connect to
 https://zenoss.mpls.local from ipaclient using firefox, I am
 successfully connected.  If on ipaserver I do a 'ifdown eth0' and
 attempt another connection, it fails.  I have also noticed the
 following:
 
 1. I am unable to use the ipaserver2 management interface when
 ipaserver is unavailable.
 2. It takes a longer period of time to do a kinit
 
 If I then perform:
 [root@ipaserver ~]#ifup eth0
 
 [root@ipaserver2 ~]#ifdown eth0
 
 [mike@ipaclient ~]$kinit
 kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
 getting initial credentials
 
 [root@ipaserver2 ~]#ifup eth0
 
 [mike@ipaclient ~]$ kinit
 Password for mike@MPLS.LOCAL:
 [mike@ipaclient ~]$
 
 [root@ipaserver2 ~]#ifdown eth0
 
 .. wait number of minutes
 
 ipaclient screen locks - type password - after a short delay (~7
 seconds) screen unlock completes
 
 [mike@ipaclient ~]$kinit
 Password for mike@MPLS.LOCAL:
 [mike@ipaclient ~]$
 
 Any ideas?
 
 Thanks,
 Mike
 This seems to be some DNS problem.
 Your client does not see the second replica and might have some name
 resolution timeouts.
 
 Please check your dns setup and krb5.conf on the client.
 
 To help more we need more details about your client configuration
 DNS and
 kerberos.
 Hi,
 
 Additional information...
 
 [root@zenoss ~]#more /etc/resolv.conf
 search mpls.local
 domain mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8
 
 [root@zenoss ~]# more /etc/krb5.conf
 #File modified by ipa-client-install
 
 [libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
 
 [realms]
MPLS.LOCAL = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}
 
 [domain_realm]
.mpls.local = MPLS.LOCAL
mpls.local = MPLS.LOCAL
 
 [root@ipaclient ~]# more /etc/resolv.conf
 # Generated by NetworkManager
 search mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8
 
 [root@ipaclient ~]# more /etc/krb5.conf
 #File modified by ipa-client-install
 
 [libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
 
 [realms]
MPLS.LOCAL = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}
 
 [domain_realm]
.mpls.local = MPLS.LOCAL
mpls.local = MPLS.LOCAL
 
 [root@ipaclient ~]# 

Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Simo Sorce
On Mon, 2012-09-10 at 15:20 +0200, Jakub Hrozek wrote:
 On Mon, Sep 10, 2012 at 09:08:07AM -0400, Rob Crittenden wrote:
  Dmitri Pal wrote:
  On 09/07/2012 04:50 PM, Rob Crittenden wrote:
  Michael Mercier wrote:
  
  On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
  
  On 09/07/2012 12:42 PM, Michael Mercier wrote:
  On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
  
  On 09/06/2012 10:40 AM, Michael Mercier wrote:
  Hello,
  
  I have experienced some odd connectivity issues using MMR with
  FreeIPA (all systems CentOS 6.3).  I have 2 ipa servers
  (ipaserver / ipaserver2) set up using MMR.
  
  [root@ipaserver ~]#ipa-replica-manage list
  ipaserver.mpls.local: master
  ipaserver2.mpls.local: master
  [root@ipaserver ~]# rpm -qa|grep ipa
  libipa_hbac-1.8.0-32.el6.x86_64
  ipa-admintools-2.2.0-16.el6.x86_64
  ipa-server-2.2.0-16.el6.x86_64
  ipa-pki-ca-theme-9.0.3-7.el6.noarch
  libipa_hbac-python-1.8.0-32.el6.x86_64
  ipa-client-2.2.0-16.el6.x86_64
  ipa-server-selinux-2.2.0-16.el6.x86_64
  ipa-pki-common-theme-9.0.3-7.el6.noarch
  python-iniparse-0.3.1-2.1.el6.noarch
  ipa-python-2.2.0-16.el6.x86_64
  
  
  [root@ipaserver2 ~]#ipa-replica-manage list
  ipaserver.mpls.local: master
  ipaserver2.mpls.local: master
  [root@ipaserver2 ~]# rpm -qa|grep ipa
  ipa-client-2.2.0-16.el6.x86_64
  ipa-server-2.2.0-16.el6.x86_64
  ipa-pki-ca-theme-9.0.3-7.el6.noarch
  ipa-python-2.2.0-16.el6.x86_64
  libipa_hbac-1.8.0-32.el6.x86_64
  python-iniparse-0.3.1-2.1.el6.noarch
  libipa_hbac-python-1.8.0-32.el6.x86_64
  ipa-admintools-2.2.0-16.el6.x86_64
  ipa-server-selinux-2.2.0-16.el6.x86_64
  ipa-pki-common-theme-9.0.3-7.el6.noarch
  
  
  [mike@ipaclient ~]$ rpm -qa|grep ipa
  ipa-admintools-2.2.0-16.el6.x86_64
  python-iniparse-0.3.1-2.1.el6.noarch
  ipa-python-2.2.0-16.el6.x86_64
  libipa_hbac-python-1.8.0-32.el6.x86_64
  ipa-client-2.2.0-16.el6.x86_64
  libipa_hbac-1.8.0-32.el6.x86_64
  
  
  I have a webserver (zenoss) using kerberos authentication.
  
  [root@zenoss ~]# rpm -qa|grep ipa
  libipa_hbac-1.8.0-32.el6.x86_64
  libipa_hbac-python-1.8.0-32.el6.x86_64
  ipa-python-2.2.0-16.el6.x86_64
  ipa-client-2.2.0-16.el6.x86_64
  python-iniparse-0.3.1-2.1.el6.noarch
  ipa-admintools-2.2.0-16.el6.x86_64
  
  <Location />
 SSLRequireSSL
 AuthType Kerberos
 AuthName Kerberos Login
  
 KrbMethodK5Passwd Off
 KrbAuthRealms MPLS.LOCAL
 KrbSaveCredentials on
 KrbServiceName HTTP
 Krb5KeyTab /etc/http/conf.d/http.keytab
  
 AuthLDAPUrl ldap://ipaserver.mpls.local
  ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName
 RequestHeader set X_REMOTE_USER %{remoteUser}e
 require ldap-group
  cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
  </Location>
  
  
  With both ipaserver and ipaserver2 'up', if I connect to
  https://zenoss.mpls.local from ipaclient using firefox, I am
  successfully connected.  If on ipaserver I do a 'ifdown eth0' and
  attempt another connection, it fails.  I have also noticed the
  following:
  
  1. I am unable to use the ipaserver2 management interface when
  ipaserver is unavailable.
  2. It takes a longer period of time to do a kinit
  
  If I then perform:
  [root@ipaserver ~]#ifup eth0
  
  [root@ipaserver2 ~]#ifdown eth0
  
  [mike@ipaclient ~]$kinit
  kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
  getting initial credentials
  
  [root@ipaserver2 ~]#ifup eth0
  
  [mike@ipaclient ~]$ kinit
  Password for mike@MPLS.LOCAL:
  [mike@ipaclient ~]$
  
  [root@ipaserver2 ~]#ifdown eth0
  
  .. wait number of minutes
  
  ipaclient screen locks - type password - after a short delay (~7
  seconds) screen unlock completes
  
  [mike@ipaclient ~]$kinit
  Password for mike@MPLS.LOCAL:
  [mike@ipaclient ~]$
  
  Any ideas?
  
  Thanks,
  Mike
  This seems to be some DNS problem.
  Your client does not see the second replica and might have some name
  resolution timeouts.
  
  Please check your dns setup and krb5.conf on the client.
  
  To help more we need more details about your client configuration
  DNS and
  kerberos.
  Hi,
  
  Additional information...
  
  [root@zenoss ~]#more /etc/resolv.conf
  search mpls.local
  domain mpls.local
  nameserver 172.16.112.5
  nameserver 172.16.112.8
  
  [root@zenoss ~]# more /etc/krb5.conf
  #File modified by ipa-client-install
  
  [libdefaults]
 default_realm = MPLS.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
  
  [realms]
 MPLS.LOCAL = {
   pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
  
  [domain_realm]
 .mpls.local = MPLS.LOCAL
 mpls.local = MPLS.LOCAL
  
  [root@ipaclient ~]# more /etc/resolv.conf
  # Generated by NetworkManager
  search mpls.local
  nameserver 172.16.112.5
  nameserver 172.16.112.8
  
  [root@ipaclient ~]# more /etc/krb5.conf
  #File modified by ipa-client-install
  
  [libdefaults]
 default_realm = MPLS.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns 

Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Simo Sorce
On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote:
 What about defining a task in the SSSD krb5 provider instead of
 pinging
 it from the locator plugin. The task can run at a configurable
 interval
 or never and checks if the current KDC is available. If not it tries
 the
 next until it goes offline if no reachable KDC can be found and
 updates
 or deletes the info file for the locator plugin..
 
 This leaves us with the question of how to ping a KDC properly, but this
 we
 have to find out for either case.
 
I am not a fan of generating load for the KDC unnecessarily.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Rob Crittenden

Simo Sorce wrote:

On Mon, 2012-09-10 at 16:36 +0200, Sumit Bose wrote:

What about defining a task in the SSSD krb5 provider instead of
pinging
it from the locator plugin. The task can run at a configurable
interval
or never and checks if the current KDC is available. If not it tries
the
next until it goes offline if no reachable KDC can be found and
updates
or deletes the info file for the locator plugin..

This leaves us with the question of how to ping a KDC properly, but this
we
have to find out for either case.


I am not a fan of generating load for the KDC unnecessarily.

Simo.



I tend to agree but this can be a real pain to debug because depending 
on the current state of sssd you have to either check krb5.conf or the 
sssd locator to see what KDC is configured.


rob

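Rob's point that you have to look in two places to learn which KDC a client is currently configured to use can be turned into a small diagnostic. The Python below is an added example, not code from this thread or from SSSD or FreeIPA. It checks, in order, the SSSD locator file (kdcinfo.REALM under /var/lib/sss/pubconf, as named earlier in the thread), then any kdc entries in the realm stanza of krb5.conf, and otherwise reports that the client will fall back to DNS SRV lookup because dns_lookup_kdc is true. The krb5.conf text is the one Michael posted; the kdcinfo contents and the second realm used for illustration are constructed sample input.

```python
"""Report which KDC a client will contact, in the order the thread describes:
the SSSD locator file first, then kdc= lines in krb5.conf, then DNS SRV.
Added example; not part of SSSD or FreeIPA."""
import re
from typing import Dict, List, Optional, Tuple

# krb5.conf exactly as posted in the thread (comment line included on purpose).
KRB5_CONF = """\
#File modified by ipa-client-install

[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL
"""

# Constructed sample of /var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL: SSSD writes
# one address (optionally host:port) per line for the KDC it last used.
KDCINFO = "172.16.112.8\n"


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf reader: {section: {key: [values]}}, with brace
    blocks such as a realm stanza stored as nested dicts under their name."""
    sections: Dict[str, dict] = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            sections.setdefault(section, {})
            block = None
            continue
        if section is None:
            continue
        if line.endswith("{"):                      # e.g. "MPLS.LOCAL = {"
            block = line[:-1].split("=", 1)[0].strip()
            sections[section].setdefault(block, {})
            continue
        if line == "}":
            block = None
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            target = sections[section][block] if block else sections[section]
            target.setdefault(key, []).append(value)
    return sections


def parse_kdcinfo(text: Optional[str]) -> List[str]:
    """One KDC address per line; an absent or empty file means SSSD has
    not told the locator plugin anything (or is offline)."""
    if not text:
        return []
    return [line.strip() for line in text.splitlines() if line.strip()]


def kdc_source(realm: str, krb5_conf: str,
               kdcinfo: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return (where_the_answer_comes_from, kdc_list) for `realm`."""
    hosts = parse_kdcinfo(kdcinfo)
    if hosts:
        return ("sssd-locator", hosts)
    conf = parse_krb5_conf(krb5_conf)
    realm_block = conf.get("realms", {}).get(realm, {})
    if isinstance(realm_block, dict) and realm_block.get("kdc"):
        return ("krb5.conf", list(realm_block["kdc"]))
    # MIT krb5 treats dns_lookup_kdc as true when it is not set at all.
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[-1]
    if flag.lower() in ("true", "yes", "1", "on"):
        return ("dns-srv", ["_kerberos._udp." + realm])
    return ("none", [])


if __name__ == "__main__":
    for label, info in (("locator file present", KDCINFO),
                        ("locator file absent", None)):
        source, kdcs = kdc_source("MPLS.LOCAL", KRB5_CONF, info)
        print(f"{label}: {source} -> {kdcs}")
```

With the posted krb5.conf the realm stanza carries no kdc lines, so as soon as the locator file is missing or empty the client is back to DNS SRV records, which is why the thread keeps coming back to name resolution.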


Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Simo Sorce
On Mon, 2012-09-10 at 11:11 -0400, Rob Crittenden wrote:

[moving to freeipa-devel]

Yes, but the solution is to do on-demand requests when something doesn't
work.
Because otherwise you still get the odd failure.
Assume you check in 5 min intervals, and the KDC goes off 1 sec after
the check: for 5 minutes you still have a wrong KDC in the locator and
still get failures.
So you loaded the KDC with ~300 requests per day per client, and you
still have high odds that on failure your locator file will still be
'wrong'.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] errors when one ipa server down

2012-09-08 Thread Dmitri Pal
On 09/07/2012 04:50 PM, Rob Crittenden wrote:

Re: [Freeipa-users] errors when one ipa server down

2012-09-07 Thread Dmitri Pal
On 09/06/2012 10:40 AM, Michael Mercier wrote:
 Hello,

 I have experienced some odd connectivity issues using MMR with FreeIPA (all 
 systems CentOS 6.3).  I have 2 ipa servers (ipaserver / ipaserver2) set up 
 using MMR.

 [root@ipaserver ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64


 [root@ipaserver2 ~]#ipa-replica-manage list
 ipaserver.mpls.local: master
 ipaserver2.mpls.local: master
 [root@ipaserver2 ~]# rpm -qa|grep ipa
 ipa-client-2.2.0-16.el6.x86_64
 ipa-server-2.2.0-16.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-admintools-2.2.0-16.el6.x86_64
 ipa-server-selinux-2.2.0-16.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch


 [mike@ipaclient ~]$ rpm -qa|grep ipa
 ipa-admintools-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-python-2.2.0-16.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 libipa_hbac-1.8.0-32.el6.x86_64


 I have a webserver (zenoss) using kerberos authentication.  

 [root@zenoss ~]# rpm -qa|grep ipa
 libipa_hbac-1.8.0-32.el6.x86_64
 libipa_hbac-python-1.8.0-32.el6.x86_64
 ipa-python-2.2.0-16.el6.x86_64
 ipa-client-2.2.0-16.el6.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-admintools-2.2.0-16.el6.x86_64

 <Location />
SSLRequireSSL
AuthType Kerberos
AuthName Kerberos Login

KrbMethodK5Passwd Off
KrbAuthRealms MPLS.LOCAL
KrbSaveCredentials on
KrbServiceName HTTP
Krb5KeyTab /etc/http/conf.d/http.keytab

AuthLDAPUrl ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName
RequestHeader set X_REMOTE_USER %{remoteUser}e
require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
 </Location>


 With both ipaserver and ipaserver2 'up', if I connect to 
 https://zenoss.mpls.local from ipaclient using firefox, I am successfully 
 connected.  If on ipaserver I do an 'ifdown eth0' and attempt another 
 connection, it fails.  I have also noticed the following:

 1. I am unable to use the ipaserver2 management interface when ipaserver is 
 unavailable.
 2. It takes a longer period of time to do a kinit

 If I then perform:
 [root@ipaserver ~]#ifup eth0

 [root@ipaserver2 ~]#ifdown eth0

 [mike@ipaclient ~]$kinit 
 kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial 
 credentials

 [root@ipaserver2 ~]#ifup eth0

 [mike@ipaclient ~]$ kinit
 Password for mike@MPLS.LOCAL: 
 [mike@ipaclient ~]$

 [root@ipaserver2 ~]#ifdown eth0

 .. wait number of minutes

 ipaclient screen locks - type password - after a short delay (~7 seconds) 
 screen unlock completes

 [mike@ipaclient ~]$kinit
 Password for mike@MPLS.LOCAL: 
 [mike@ipaclient ~]$

 Any ideas?

 Thanks,
 Mike

This seems to be some DNS problem.
Your client does not see the second replica and might have some name
resolution timeouts.

Please check your DNS setup and krb5.conf on the client.

To help more we need more details about your client configuration: DNS and
Kerberos.







-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







Re: [Freeipa-users] errors when one ipa server down

2012-09-07 Thread Michael Mercier

On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:


Hi,

Additional information...

[root@zenoss ~]#more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# more /etc/resolv.conf 
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# nslookup ipaserver
Server: 172.16.112.5
Address:172.16.112.5#53

Name:   ipaserver.mpls.local
Address: 172.16.112.5

[root@ipaserver ~]#ifdown eth0

[root@ipaclient ~]# nslookup ipaserver
Server: 172.16.112.8
Address:172.16.112.8#53

Name:   ipaserver.mpls.local
Address: 172.16.112.5


Re: [Freeipa-users] errors when one ipa server down

2012-09-07 Thread Dmitri Pal
On 09/07/2012 12:42 PM, Michael Mercier wrote:

Re: [Freeipa-users] errors when one ipa server down

2012-09-07 Thread Michael Mercier

On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:


Re: [Freeipa-users] errors when one ipa server down

2012-09-07 Thread Rob Crittenden

Michael Mercier wrote:

