[Freeipa-users] Re: Failed to read service file. Hostname does not match any master server in LDAP

2018-01-03 Thread Rob Crittenden via FreeIPA-users
pgb205 via FreeIPA-users wrote:
> I have also checked on the neighboring replica and can see the broken
> server in 
> 
> ldapsearch -b "cn=masters, cn=ipa, cn=etc, dc=domain,dc=local" -D
> cn="directory manager" -w  "(objectclass=ipaReplTopoManagedServer)"  
> 
> output. 
> 
> so other servers are not losing the information. Just somehow broken
> replica loses its own hostname in this list. 

You might want to dig through the access log on that master to look for
any changes to cn=masters.

You might also consider enabling the audit log to get more details if
you find this but note that this logs EVERYTHING (including password
changes) so be very careful with this log.

I don't think entries will disappear on their own. Why an entry can
disappear only on one box is a bit of a mystery though.

rob

> 
> 
> 
> *From:* Rob Crittenden 
> *To:* pgb205 ; FreeIPA users list
> 
> *Sent:* Thursday, December 28, 2017 2:26 PM
> *Subject:* Re: [Freeipa-users] Failed to read service file. Hostname
> does not match any master server in LDAP
> 
> pgb205 via FreeIPA-users wrote:
>> Hello everyone.
>>
>> Periodically and seemingly at random our replicas crash with the above
>> error. Dirsrv shows as stopped and restarting doesn't help.
>> Someone suggested earlier that this is due to problems with topology
>> plugin but I don't think that's the cause as we are still on
>> domainlevel=0.
>>
>> I'm not sure if it's a problem with 389ds or with some other part of
>> freeipa. The only other clue I can think of is that often we see
>> inconsistencies
>> between replicas. IE a user that is supposed to be present everywhere
>> goes missing on just one of the many replicas.
>>
>> I'm quite at a loss on how to troubleshoot this further. I hope that
>> someone can assist.
>>
>> ipactl start
>> Starting Directory Service
>> Failed to read data from service file: Failed to get list of services to
>> probe status!
>> Configured hostname 'server.pop.domain.local' does not match any master
>> server in LDAP:
>> No master found because of error: no such entry
>> Shutting down
> 
> This isn't exactly a crash. In what context are you restarting it?
> 
> You said it is intermittent, does it ever start working again on its own?
> 
> Is this the correct hostname?
> 
> IPA uses the hostname to look in LDAP for the list of enabled services
> on a given host to know what to start.
> 
> 
> rob
> 

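Rob's suggestion to dig through the access log for changes to cn=masters can be scripted. The following is an added example, not code from the thread or from FreeIPA/389-ds: it walks 389-ds access log lines, correlates each conn=/op= pair with the BIND that established the connection's identity and the "connection from" line that records the client address, and reports every ADD/MOD/DEL/MODRDN whose target sits under the masters container together with who issued it and the RESULT error code. The log lines, connection numbers and IP addresses are constructed; the base DN is the one pgb205 searched.

```python
"""Report write operations under cn=masters in a 389-ds access log.

Added example (not from the thread). Sample log lines below are constructed
but follow the 389-ds access log layout: a "connection from" line per conn,
then op-numbered BIND/SRCH/MOD/DEL lines each followed by a RESULT line.
"""
import re
import sys
from collections import defaultdict

MASTERS_BASE = "cn=masters,cn=ipa,cn=etc,dc=domain,dc=local"  # base DN from the thread

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$')
CONN_RE = re.compile(r'connection from (?P<ip>\S+) to ')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
WRITE_RE = re.compile(r'^(?P<kind>ADD|MOD|DEL|MODRDN) dn="(?P<dn>[^"]+)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')

# Constructed sample: a Directory Manager bind that deletes one master entry,
# and an unrelated GSSAPI-bound user modification that must not be reported.
SAMPLE_LOG = """\
[03/Jan/2018:10:15:19.000000000 +0000] conn=42 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[03/Jan/2018:10:15:20.000000000 +0000] conn=42 op=0 BIND dn="cn=directory manager" method=128 version=3
[03/Jan/2018:10:15:20.000100000 +0000] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[03/Jan/2018:10:15:21.000000000 +0000] conn=42 op=1 SRCH base="cn=masters,cn=ipa,cn=etc,dc=domain,dc=local" scope=2 filter="(objectClass=*)" attrs=ALL
[03/Jan/2018:10:15:21.000100000 +0000] conn=42 op=1 RESULT err=0 tag=101 nentries=3 etime=0
[03/Jan/2018:10:15:22.000000000 +0000] conn=42 op=2 DEL dn="cn=server.pop.domain.local,cn=masters,cn=ipa,cn=etc,dc=domain,dc=local"
[03/Jan/2018:10:15:22.000100000 +0000] conn=42 op=2 RESULT err=0 tag=107 nentries=0 etime=0
[03/Jan/2018:10:16:00.000000000 +0000] conn=43 fd=65 slot=65 connection from 10.0.0.9 to 10.0.0.1
[03/Jan/2018:10:16:01.000000000 +0000] conn=43 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[03/Jan/2018:10:16:01.000100000 +0000] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=domain,dc=local"
[03/Jan/2018:10:16:02.000000000 +0000] conn=43 op=1 MOD dn="uid=bob,cn=users,cn=accounts,dc=domain,dc=local"
[03/Jan/2018:10:16:02.000100000 +0000] conn=43 op=1 RESULT err=0 tag=103 nentries=0 etime=0
"""


def _norm_dn(dn):
    """Lower-case and drop whitespace after commas so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_masters_changes(log_text, base_dn=MASTERS_BASE):
    """Return one dict per write operation whose target is base_dn or below it.

    Each dict carries the timestamp, operation, target DN, the DN the
    connection was bound as, the client IP and the RESULT error code.
    """
    base = _norm_dn(base_dn)
    client_ip = {}                                   # conn -> peer address
    bound_as = defaultdict(lambda: "anonymous")      # conn -> bind identity
    pending = {}                                     # (conn, op) -> ("bind"|"write", record)
    changes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                                    # e.g. conn=Internal(0) plugin lines
            continue
        ts, conn, op, rest = m.group("ts", "conn", "op", "rest")
        cm = CONN_RE.search(rest)
        if cm:
            client_ip[conn] = cm.group("ip")
            continue
        bm = BIND_RE.match(rest)
        if bm:
            if bm.group("dn"):                       # simple bind names the DN here
                bound_as[conn] = bm.group("dn")
            pending[(conn, op)] = ("bind", None)     # SASL binds name it on the RESULT line
            continue
        wm = WRITE_RE.match(rest)
        if wm:
            target = _norm_dn(wm.group("dn"))
            if target == base or target.endswith("," + base):
                rec = {"time": ts, "op": wm.group("kind"), "dn": wm.group("dn"),
                       "bound_as": bound_as[conn], "from_ip": client_ip.get(conn, "?"),
                       "err": None}
                changes.append(rec)
                pending[(conn, op)] = ("write", rec)
            continue
        rm = RESULT_RE.match(rest)
        if rm and (conn, op) in pending:
            kind, rec = pending.pop((conn, op))
            if kind == "bind":
                dm = re.search(r' dn="([^"]*)"', rest)
                if dm and dm.group(1):
                    bound_as[conn] = dm.group(1)
            else:
                rec["err"] = int(rm.group("err"))
    return changes


if __name__ == "__main__":
    # Usage: python3 masters_changes.py /var/log/dirsrv/slapd-INSTANCE/access (path is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for c in find_masters_changes(text):
        print(f'{c["time"]} {c["op"]} {c["dn"]} by {c["bound_as"]} from {c["from_ip"]} err={c["err"]}')
```

Because the masters entries are replicated, a deletion found this way on one server's log may have originated on a different master; the bind DN and client address tell you which path (replication agreement, an admin tool, or an installer/uninstaller run) to follow next, and the same correlation works against the audit log if you enable it as Rob describes.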
[Freeipa-users] Re: Failed to read service file. Hostname does not match any master server in LDAP

2018-01-03 Thread pgb205 via FreeIPA-users
I have also checked on the neighboring replica and can see the broken server in the output of

    ldapsearch -b "cn=masters, cn=ipa, cn=etc, dc=domain,dc=local" -D cn="directory manager" -w  "(objectclass=ipaReplTopoManagedServer)"

So other servers are not losing the information. Just somehow the broken replica
loses its own hostname in this list.


  From: Rob Crittenden 
 To: pgb205 ; FreeIPA users list 
 
 Sent: Thursday, December 28, 2017 2:26 PM
 Subject: Re: [Freeipa-users] Failed to read service file. Hostname does not 
match any master server in LDAP
   
pgb205 via FreeIPA-users wrote:
> Hello everyone. 
> 
> Periodically and seemingly at random our replicas crash with the above
> error. Dirsrv shows as stopped and restarting doesn't help.
> Someone suggested earlier that this is due to problems with topology
> plugin but I don't think that's the cause as we are still on
> domainlevel=0.
> 
> I'm not sure if it's a problem with 389ds or with some other part of
> freeipa. The only other clue I can think of is that often we see
> inconsistencies
> between replicas. IE a user that is supposed to be present everywhere
> goes missing on just one of the many replicas. 
> 
> I'm quite at a loss on how to troubleshoot this further. I hope that
> someone can assist.
> 
> ipactl start
> Starting Directory Service
> Failed to read data from service file: Failed to get list of services to
> probe status!
> Configured hostname 'server.pop.domain.local' does not match any master
> server in LDAP:
> No master found because of error: no such entry
> Shutting down

This isn't exactly a crash. In what context are you restarting it?

You said it is intermittent, does it ever start working again on its own?

Is this the correct hostname?

IPA uses the hostname to look in LDAP for the list of enabled services
on a given host to know what to start.

rob

> 
> 
> cat errors
> [26/Dec/2017:21:15:56.234793153 +] SSL alert: Sending pin request to
> SVRCore. You may need to run systemd-tty-ask-password-agent to provide
> the password.
> [26/Dec/2017:21:15:56.236060353 +] SSL alert: Security
> Initialization: Enabling default cipher set.
> [26/Dec/2017:21:15:56.236362922 +] SSL alert: Configured NSS Ciphers
> [26/Dec/2017:21:15:56.236652729 +] SSL
> alert:      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
> [26/Dec/2017:21:15:56.236921632 +] SSL
> alert:      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.237114079 +] SSL
> alert:      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
> [26/Dec/2017:21:15:56.237317678 +] SSL
> alert:      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.237526365 +] SSL
> alert:      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
> [26/Dec/2017:21:15:56.237746660 +] SSL
> alert:      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.237908539 +] SSL
> alert:      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> [26/Dec/2017:21:15:56.238087338 +] SSL
> alert:      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.238306056 +] SSL
> alert:      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
> [26/Dec/2017:21:15:56.238517868 +] SSL
> alert:      TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.238724920 +] SSL
> alert:      TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.238889982 +] SSL
> alert:      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
> [26/Dec/2017:21:15:56.239048124 +] SSL
> alert:      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> [26/Dec/2017:21:15:56.239233534 +] SSL
> alert:      TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.239402097 +] SSL
> alert:      TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.239767245 +] SSL
> alert:      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> [26/Dec/2017:21:15:56.239997083 +] SSL
> alert:      TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
> [26/Dec/2017:21:15:56.240177269 +] SSL
> alert:      TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.240376177 +] SSL
> alert:      TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
> [26/Dec/2017:21:15:56.240585031 +] SSL
> alert:      TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
> [26/Dec/2017:21:15:56.240745192 +] SSL
> alert:      TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> [26/Dec/2017:21:15:56.240897126 +] SSL
> alert:      TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
> [26/Dec/2017:21:15:56.241075071 +] SSL
> alert:      TLS_AES_128_GCM_SHA256: enabled
> [26/Dec/2017:21:15:56.241245788 +] SSL
> alert:      TLS_CHACHA20_POLY1305_SHA256: enabled
> [26/Dec/2017:21:15:56.241456256 +] SSL
> alert:      TLS_AES_256_GCM_SHA384: enabled
> [26/Dec/2017:21:15:56.241617090 +] SSL
> alert:      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
> 

[Freeipa-users] Re: Failed to read service file. Hostname does not match any master server in LDAP

2018-01-03 Thread pgb205 via FreeIPA-users
As far as the hostname, it's there on the failed replica (with the hostname -f
command) but also on the replica that it's connected to. On the neighbor replica I
can ping the failed replica by FQDN, and it shows up in ipa-replica-manage list.

  From: Rob Crittenden 
 To: pgb205 ; FreeIPA users list 
 
 Sent: Tuesday, January 2, 2018 11:43 AM
 Subject: Re: [Freeipa-users] Failed to read service file. Hostname does not 
match any master server in LDAP
   
pgb205 wrote:
> We have a number of servers in different pops. When I say intermittent I
> mean it doesn't just happen on the 
> same server again and again but rather on random servers each time.
> There is no pattern as far as which 
> pop or time of day etc. 
> 
> I do ipactl status and see that dirsrv is STOPPED. ipactl restart
> doesn't help, I just get the below error
> message that ipa can't start without 389ds and to check journalctl.
> 
> No matter what I've tried I never managed to fix the problem properly. I
> just blow the replica out and reinstall.
> 
> I've sanitized the file. The servers are actually named something
> completely different than what's in logs below.
> 
> 
> thank you and please let me know what other steps I should try.

Like I said, this will blow up if the hostname is an unknown master so
I'd start there. Check the list of masters and ensure the host is there
(hostname -f)

If dirsrv is stopped you should look for a core or some indication of
why it is stopped.

rob


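Rob's check (is the host named by hostname -f present in the list of masters?) is worth running before ipactl start on a replica that refuses to come up. The block below is an added example, not code from the thread or from FreeIPA: it parses LDIF as produced by the ldapsearch pgb205 ran against cn=masters (handling folded lines and base64-encoded attribute values), collects the master hostnames from the entry RDNs, and compares them with a hostname after the same normalisation IPA applies (case-folding, trailing dot). The LDIF and hostnames are constructed.

```python
"""Check whether a host's FQDN is among the IPA masters listed in LDAP.

Added example (not from the thread). The LDIF below is constructed, shaped
like the output of the search pgb205 ran:
  ldapsearch -b "cn=masters,cn=ipa,cn=etc,dc=domain,dc=local" \\
      -D "cn=directory manager" -W "(objectclass=ipaReplTopoManagedServer)" dn cn
"""
import base64
import socket
import sys

MASTERS_BASE = "cn=masters,cn=ipa,cn=etc,dc=domain,dc=local"  # base DN from the thread

# Constructed LDIF: two master entries, one with a folded dn line and a
# base64 ("::") cn value, followed by the trailer ldapsearch prints.
SAMPLE_LDIF = """\
# extended LDIF
#
dn: cn=ipa1.pop.domain.local,cn=masters,cn=ipa,cn=etc,dc=domain,dc=local
objectClass: top
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: ipaReplTopoManagedServer
cn: ipa1.pop.domain.local

dn: cn=ipa2.pop.domain.local,cn=masters,cn=ipa,cn=etc,dc=domai
 n,dc=local
objectClass: ipaReplTopoManagedServer
cn:: aXBhMi5wb3AuZG9tYWluLmxvY2Fs

# search result
search: 2
result: 0 Success
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> [values]."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:          # sentinel blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def _norm_dn(dn):
    """Lower-case and strip whitespace around RDN separators ("cn=a, cn=b" == "cn=a,cn=b")."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def masters_from_ldif(text, base_dn=MASTERS_BASE):
    """Hostnames of the entries that sit directly under cn=masters."""
    base = _norm_dn(base_dn)
    masters = set()
    for entry in parse_ldif(text):
        rdn, _, parent = _norm_dn(entry.get("dn", [""])[0]).partition(",")
        if parent == base and rdn.startswith("cn="):
            masters.add(rdn[len("cn="):])
    return masters


def host_is_master(fqdn, masters):
    """True when fqdn (any case, optional trailing dot) names a known master."""
    return fqdn.strip().rstrip(".").lower() in masters


if __name__ == "__main__":
    # Usage: ldapsearch ... | python3 check_master.py [fqdn]   (reads LDIF on stdin)
    ldif = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    fqdn = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    masters = masters_from_ldif(ldif)
    print("masters:", ", ".join(sorted(masters)))
    print(f"{fqdn}: {'present' if host_is_master(fqdn, masters) else 'MISSING'} in cn=masters")
```

Run it with the ldapsearch output piped in from the neighbouring replica as well as from the broken one: if the host is present in the neighbour's copy but missing locally, the problem is the local replica's data rather than its hostname, which is the situation pgb205 describes.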
[Freeipa-users] Re: AD Trust

2018-01-03 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 03 Jan 2018, Sumit Bose via FreeIPA-users wrote:

On Wed, Jan 03, 2018 at 07:56:57PM +0700, Николай Савельев via FreeIPA-users 
wrote:

I have an IPA domain with AD trust. id ad_users@ad_domain works. su 
ad_users@ad_domain works.
kinit ad_users@ad_domain doesn't work in Ubuntu but works in CentOS 7.
What?
/etc/krb5.conf is the same.
IPA servers run on CentOS 7. IPA clients run on Ubuntu 14.04 or 16.04.
I also can't get access from AD member Windows machines to SAMBA shares on IPA member 
Linux machines.

What can I do?





Oh, I forgot to say about error!
For kinit as an AD user I get:
kinit: KDC reply did not match expectations while getting initial credentials


Then using 'kinit -C ...' or 'canonicalize= true' in krb5.conf should
help.

A bit of caution: Ubuntu may use Heimdal, and its parser for krb5.conf
does not know about the 'canonicalize' option at all, so you'd always have
to use 'kinit --canonicalize' when running with Heimdal.

--
/ Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: debian 8 freeipa-client

2018-01-03 Thread Lee Wiscovitch via FreeIPA-users
Doesn't really address the core issue, but wanted to chime in that we 
ended up having to manually configure our Debian 8 instances to work 
with our RHEL IPA servers.


We use ansible to automate the entire process, the playbook contents 
below should be descriptive enough to know what is being done. We got 
the config files from other RHEL IPA clients and tweaked as necessary 
for platform differences (PAM was kinda tricky):


- name: apt - update base image
  apt: upgrade=dist update_cache=yes

- name: apt - install packages
  apt: name={{ item }} update_cache=yes state=latest
  with_items:
  - curl
  - krb5-user
  - libpam-ccreds
  - libpam-krb5
  - libselinux1
  - ntpdate
  - openssl
  - policycoreutils
  - sssd

- name: ntp - run ntpdate
  action: command ntpdate 10.xxx.xxx.123

- name: kerberos - add krb5.keytab
  copy: src=krb5.keytab.production dest=/etc/krb5.keytab owner=root group=root mode=0600
  notify: sssd_restart

- name: sssd - add sssd.conf
  copy: src=sssd.conf dest=/etc/sssd/sssd.conf owner=root group=root mode=0600
  notify: sssd_restart

- name: kerberos - create config directory
  file: path=/etc/krb5.conf.d state=directory mode=0755
  notify: sssd_restart

- name: kerberos - create ipa directory
  file: path=/etc/ipa state=directory mode=0755
  notify: sssd_restart

- name: kerberos - add ca.crt
  copy: src=ca.crt-production dest=/etc/ipa/ca.crt owner=root group=root mode=0600
  notify: sssd_restart

- name: kerberos - add krb5.conf
  copy: src=krb5.conf dest=/etc/krb5.conf owner=root group=root mode=0644
  notify: sssd_restart

- name: systemd - enable and start sssd
  service: name=sssd state=started enabled=yes

- name: pam - add modified config files
  copy: src={{ item }} dest=/etc/pam.d/{{ item }} owner=root group=root mode=0644
  with_items:
  - common-account
  - common-auth
  - common-password
  - common-session

- name: ssh - add sshd_config
  copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root mode=0644
  notify: ssh_restart

- name: sudo - add sudoers-custom
  copy: src=sudoers-custom dest=/etc/sudoers.d/sudoers-custom owner=root group=root mode=0644



On 01/02/2018 04:03 AM, Florence Blanc-Renaud via FreeIPA-users wrote:

On 12/21/2017 01:49 PM, Andrew Radygin via FreeIPA-users wrote:

Hello!
I have freeipa server 4.5 on Centos 7.
And want to enroll host on Debian 8 to domain.
I've found freeipa-client 4.4 in the sid repo, installing of it was 
almost successful...


apt-get cannot complete configuring for certmonger, and I've got 
following error:


==
# journalctl -u certmonger
-- Logs begin at Thu 2017-07-20 18:27:15 MSK, end at Thu 2017-12-21 
15:39:01 MSK. --
Dec 21 13:25:36 HOSTNAME systemd[1]: Starting Certificate monitoring 
and PKI enrollment...
Dec 21 13:25:36 HOSTNAME certmonger[18411]: 2017-12-21 13:25:36 
[18411] Unable to set well-known bus name 
"org.fedorahosted.certmonger": Connection ":1.4" is not allowed to 
own the service "org.fedora

Dec 21 13:25:36 HOSTNAME certmonger[18411]: Error connecting to D-Bus.
Dec 21 13:25:36 HOSTNAME systemd[1]: certmonger.service: main process 
exited, code=exited, status=1/FAILURE
Dec 21 13:25:36 HOSTNAME systemd[1]: Failed to start Certificate 
monitoring and PKI enrollment.
Dec 21 13:25:36 HOSTNAME systemd[1]: Unit certmonger.service entered 
failed state.



Does anyone know how to deal with it?
Thanks!

--
Best regards, Andrew.





Hi,

you are not the first one seeing this issue (see BZ 1504688 [1]) but 
it was not investigated because we were not able to reproduce.


The config file for certmonger/dbus is stored in 
/etc/dbus-1/system.d/certmonger.conf, so I would start by checking 
that its content is OK.


The bus name seems to be already owned by another process, you may try 
to restart the dbus service in case some internal data were not 
properly cleaned: sudo systemctl restart dbus


Flo

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1504688

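Flo's first step, checking that /etc/dbus-1/system.d/certmonger.conf is intact, can be made mechanical. The journal line quoted by Andrew ("Connection ':1.4' is not allowed to own the service org.fedorahosted.certmonger") is what the system bus reports when no policy grants ownership of that name to the user the daemon runs as. The block below is an added example, not code from the thread or from certmonger: it parses a D-Bus busconfig policy file and lists which policy selectors (user=, group=, context=) allow owning the certmonger bus name, honouring the rule that a later deny in the same policy overrides an earlier allow. The two policy files are constructed; the good one follows the usual shape of a system-service policy, and the broken one omits the ownership grant.

```python
"""List who may own a D-Bus name according to a busconfig policy file.

Added example (not from the thread). Both policy documents below are
constructed; the path and bus name are the ones named in the thread.
"""
import sys
import xml.etree.ElementTree as ET

BUS_NAME = "org.fedorahosted.certmonger"              # from the journal excerpt
CONF_PATH = "/etc/dbus-1/system.d/certmonger.conf"   # path Flo points at

# Constructed: root may own the name, everyone may talk to it.
GOOD_CONF = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.fedorahosted.certmonger"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.fedorahosted.certmonger"/>
  </policy>
</busconfig>
"""

# Constructed: the <allow own=...> grant is missing, so no connection may claim the name.
BROKEN_CONF = """<busconfig>
  <policy context="default">
    <allow send_destination="org.fedorahosted.certmonger"/>
  </policy>
</busconfig>
"""


def _rule_covers(rule, bus_name):
    """True if an <allow>/<deny> rule addresses ownership of bus_name."""
    own = rule.get("own")
    prefix = rule.get("own_prefix")
    if own in ("*", bus_name):
        return True
    return prefix is not None and (bus_name == prefix or bus_name.startswith(prefix + "."))


def owners_allowed(conf_text, bus_name=BUS_NAME):
    """Policy selectors under which ownership of bus_name ends up allowed.

    Within one <policy>, rules are evaluated in order and the last matching
    rule wins, so a deny after an allow cancels it.
    """
    root = ET.fromstring(conf_text)
    if root.tag != "busconfig":
        raise ValueError("not a busconfig document")
    granted = []
    for policy in root.iter("policy"):
        selector = ";".join(f"{k}={v}" for k, v in sorted(policy.attrib.items())) or "all"
        allowed = False
        for rule in policy:
            if rule.tag in ("allow", "deny") and _rule_covers(rule, bus_name):
                allowed = rule.tag == "allow"
        if allowed:
            granted.append(selector)
    return granted


def check_certmonger_policy(conf_text):
    """certmonger runs as root, so a user=root (or unrestricted) grant must exist."""
    granted = owners_allowed(conf_text)
    ok = "user=root" in granted or "all" in granted
    return ok, granted


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else CONF_PATH
    try:
        text = open(path).read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; checking the constructed sample instead")
        text = GOOD_CONF
    ok, granted = check_certmonger_policy(text)
    print(f"{path}: ownership of {BUS_NAME} granted to {granted or 'nobody'} -> {'OK' if ok else 'BROKEN'}")
```

If the file checks out, Flo's second hypothesis (the name is already held by another connection on the bus) is the next thing to test, which is where the dbus restart she suggests comes in.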

[Freeipa-users] Re: AD Trust

2018-01-03 Thread Николай Савельев via FreeIPA-users
I have an IPA domain with AD trust. id ad_users@ad_domain works. su 
ad_users@ad_domain works.
kinit ad_users@ad_domain doesn't work in Ubuntu but works in CentOS 7.
What?
/etc/krb5.conf is the same.
IPA servers run on CentOS 7. IPA clients run on Ubuntu 14.04 or 16.04.
I also can't get access from AD member Windows machines to SAMBA shares on IPA member 
Linux machines.

What can I do?





Oh, I forgot to say about error!
For kinit as an AD user I get:
kinit: KDC reply did not match expectations while getting initial credentials

My krb5.conf:


includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = FS.LAN
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  dns_canonicalize_hostname = false
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  FS.LAN = {
pkinit_anchors = FILE:/etc/ipa/ca.crt

  }


[domain_realm]
  .fs.lan = FS.LAN
  fs.lan = FS.LAN

-- 
Best regards, Николай.
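Alexander's fix for the "KDC reply did not match expectations" error is to request canonicalization, either per command (kinit -C) or permanently via canonicalize = true in [libdefaults]. The block below is an added example, not code from the thread or from MIT Kerberos: it parses a krb5.conf of the shape Николай posted (sections, nested { } blocks, includedir directives), reports whether canonicalization is enabled for the MIT libraries, and returns a corrected copy with the setting added (or an existing value replaced) idempotently. The sample configuration is the one from the message above; note that, as Alexander says, this setting is only understood by MIT krb5, so on a Heimdal client the command-line flag is still required.

```python
"""Parse krb5.conf and ensure canonicalize = true is set under [libdefaults].

Added example (not from the thread). SAMPLE_KRB5_CONF is the configuration
posted in the message above, reproduced as the test input.
"""
import sys

SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = FS.LAN
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  dns_canonicalize_hostname = false
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  FS.LAN = {
pkinit_anchors = FILE:/etc/ipa/ca.crt

  }


[domain_realm]
  .fs.lan = FS.LAN
  fs.lan = FS.LAN
"""


def parse_krb5_conf(text):
    """Return (sections, directives).

    sections maps section name -> dict; a "key = {" line opens a nested dict
    that "}" closes. Repeated keys keep the last value (the real library keeps
    all of them), which is enough for a settings check.
    """
    sections, directives, section, stack = {}, [], None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("includedir ", "include ", "module ")):
            directives.append(line)
            continue
        if line.startswith("[") and line.endswith("]") and not stack:
            section = sections.setdefault(line[1:-1], {})
            continue
        if section is None:
            continue
        if line == "}":
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        target = stack[-1] if stack else section
        key, value = key.strip(), value.strip()
        if value == "{":
            target[key] = {}
            stack.append(target[key])
        else:
            target[key] = value
    return sections, directives


def canonicalize_enabled(text):
    """True when MIT krb5 will request name canonicalization by default."""
    sections, _ = parse_krb5_conf(text)
    return sections.get("libdefaults", {}).get("canonicalize", "").lower() in ("true", "yes", "1")


def ensure_canonicalize(text):
    """Return text with canonicalize = true in [libdefaults]; a no-op if already present."""
    sections, _ = parse_krb5_conf(text)
    has_key = "canonicalize" in sections.get("libdefaults", {})
    out, section = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
            out.append(line)
            if section == "libdefaults" and not has_key:
                out.append("  canonicalize = true")      # insert right after the header
            continue
        if section == "libdefaults" and has_key and s.partition("=")[0].strip() == "canonicalize":
            line = "  canonicalize = true"               # replace an existing value in place
        out.append(line)
    if "libdefaults" not in sections:
        out += ["", "[libdefaults]", "  canonicalize = true"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python3 krb5_canonicalize.py [/etc/krb5.conf]  (prints the corrected file to stdout)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    print(f"# canonicalize enabled before: {canonicalize_enabled(text)}", file=sys.stderr)
    sys.stdout.write(ensure_canonicalize(text))
```

Keep in mind that the IPA client also drops files into /var/lib/sss/pubconf/krb5.include.d/ through the includedir line; this example only inspects the main file, so a setting that lives in an included snippet is not seen by it.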