Re: [Freeipa-users] FreeIPA redundant server login problems
On 07/14/2010 12:07 PM, Dmitri Pal wrote:
> If you use SSSD instead of pam_krb5 then kerberos configuration file is
> ignored.
> SSSD uses only the SSSD config file.
>

This statement is not 100% true, unfortunately. The SSSD provides a Kerberos locator plugin that answers requests for most of this information, but it cannot handle all options that are available to the krb5.conf (since the locator API does not support them). Furthermore, there exist some applications (I forget which at this moment) that will read the krb5.conf directly instead of using the locator API.

As such, it is unfortunately necessary that both sssd.conf and krb5.conf be properly configured for the host system. If you use authconfig 6.1.4 or later (on Red Hat and Fedora systems) to set up LDAP/Kerberos, both of these files are automatically configured properly.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA redundant server login problems
On 07/14/2010 07:43 PM, Dmitri Pal wrote:
>> UPDATE: Have just received Jakub Hrozek email (Thanks Jakub). Adding
>> fileserver1, fileserver2 appears to have fixed the problem. However,
>> this means that I have to edit this file on all clients if I add a new
>> IPA server. Is there any way around this?
>>
> https://fedorahosted.org/sssd/ticket/367
>

By using service records, you will still need to update the config file on all clients - but just this once; any further configuration changes can be made on the server in a centralized manner.

Aside from the ticket Dmitri mentioned, another useful resource to get you started might be the "SERVICE DISCOVERY" section of either sssd-ldap or sssd-krb5.

Also, I'm not sure about FreeIPA v1, but v2 will have SRV records by default on the server side.

Hope this helps,
Jakub
Re: [Freeipa-users] FreeIPA redundant server login problems
Dan Scott wrote:
> Hi,
>
> On Wed, Jul 14, 2010 at 12:07, Dmitri Pal wrote:
>
>> If you use SSSD instead of pam_krb5 then kerberos configuration file is
>> ignored.
>> SSSD uses only the SSSD config file.
>>
>
> Great, thanks.
>
>>> The /etc/sssd/sssd.conf file contains:
>>>
>>> [domain/default]
>>> ldap_id_use_start_tls = False
>>> cache_credentials = False
>>> auth_provider = krb5
>>> debug_level = 0
>>> krb5_kpasswd = ldap.example.com:749
>>> ldap_schema = rfc2307bis
>>> krb5_realm = EXAMPLE.COM
>>> ldap_search_base = dc=example,dc=com
>>> chpass_provider = krb5
>>> id_provider = ldap
>>> min_id = 500
>>> ldap_uri = ldap://ldap.example.com/
>>> krb5_kdcip = ldap.example.com:88
>>>
>> Shouldn't that be a fileserver1 or fileserver2?
>>
>
> Well yes it could (should?) be, but I want 'both' so that the
> redundancy works. Can I have 2 krb5_kdcip entries? If I set it to one
> or the other then the redundant server won't work, will it?
>
> UPDATE: Have just received Jakub Hrozek email (Thanks Jakub). Adding
> fileserver1, fileserver2 appears to have fixed the problem. However,
> this means that I have to edit this file on all clients if I add a new
> IPA server. Is there any way around this?
>

https://fedorahosted.org/sssd/ticket/367

> Thanks,
>
> Dan
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] FreeIPA redundant server login problems
Hi,

On Wed, Jul 14, 2010 at 12:07, Dmitri Pal wrote:
> If you use SSSD instead of pam_krb5 then kerberos configuration file is
> ignored.
> SSSD uses only the SSSD config file.

Great, thanks.

>> The /etc/sssd/sssd.conf file contains:
>>
>> [domain/default]
>> ldap_id_use_start_tls = False
>> cache_credentials = False
>> auth_provider = krb5
>> debug_level = 0
>> krb5_kpasswd = ldap.example.com:749
>> ldap_schema = rfc2307bis
>> krb5_realm = EXAMPLE.COM
>> ldap_search_base = dc=example,dc=com
>> chpass_provider = krb5
>> id_provider = ldap
>> min_id = 500
>> ldap_uri = ldap://ldap.example.com/
>> krb5_kdcip = ldap.example.com:88
>>
>
> Shouldn't that be a fileserver1 or fileserver2?

Well yes it could (should?) be, but I want 'both' so that the redundancy works. Can I have 2 krb5_kdcip entries? If I set it to one or the other then the redundant server won't work, will it?

UPDATE: Have just received Jakub Hrozek email (Thanks Jakub). Adding fileserver1, fileserver2 appears to have fixed the problem. However, this means that I have to edit this file on all clients if I add a new IPA server. Is there any way around this?

Thanks,

Dan
Re: [Freeipa-users] FreeIPA redundant server login problems
Dan Scott wrote:
> Hi,
>
> I have 2 FreeIPA servers (Version 1). I am upgrading the slave server
> from Fedora 11 to 13, so I have shut it down. My client (Fedora 13,
> using SSSD) cannot authenticate against the master FreeIPA server and
> gives the following message:
>
> pam_sss(sshd:auth): system info: [Cannot contact any KDC for requested realm]
>
> I'm very confused about the role of the /etc/krb5.conf and
> /etc/sssd/sssd.conf files. They appear to contain very similar
> information and I'm not sure which is used by default.
>

If you use SSSD instead of pam_krb5 then kerberos configuration file is ignored.
SSSD uses only the SSSD config file.

> My krb5.conf file contains the following:
>
> [realms]
> EXAMPLE.COM = {
> kdc = fileserver1.example.com:88
> kdc = fileserver2.example.com:88
> admin_server = fileserver1.example.com:749
> default_domain = example.com
> }
>
> fileserver2 is the master and fileserver1 the slave. Is it possible to
> have 2 entries for admin_server? If not, then how do I correctly
> configure multiple FreeIPA servers? I have tried changing admin_server
> to fileserver2, but no change.
>
> The /etc/sssd/sssd.conf file contains:
>
> [domain/default]
> ldap_id_use_start_tls = False
> cache_credentials = False
> auth_provider = krb5
> debug_level = 0
> krb5_kpasswd = ldap.example.com:749
> ldap_schema = rfc2307bis
> krb5_realm = EXAMPLE.COM
> ldap_search_base = dc=example,dc=com
> chpass_provider = krb5
> id_provider = ldap
> min_id = 500
> ldap_uri = ldap://ldap.example.com/
> krb5_kdcip = ldap.example.com:88

Shouldn't that be a fileserver1 or fileserver2?

> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> where ldap.example.com resolves to both fileserver1 and fileserver2 in
> a round-robin.
>
> Can anyone explain the role of krb5.conf and sssd.conf and provide any
> ideas for why I cannot authenticate against fileserver2?
>
> Thanks,
>
> Dan Scott
>

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] FreeIPA redundant server login problems
On 07/14/2010 05:45 PM, Dan Scott wrote:
> [domain/default]
> ldap_id_use_start_tls = False
> cache_credentials = False
> auth_provider = krb5
> debug_level = 0
> krb5_kpasswd = ldap.example.com:749
> ldap_schema = rfc2307bis
> krb5_realm = EXAMPLE.COM
> ldap_search_base = dc=example,dc=com
> chpass_provider = krb5
> id_provider = ldap
> min_id = 500
> ldap_uri = ldap://ldap.example.com/
> krb5_kdcip = ldap.example.com:88
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> where ldap.example.com resolves to both fileserver1 and fileserver2 in
> a round-robin.
>

That sounds like https://fedorahosted.org/sssd/ticket/552 to me.

Since you have two KDCs running, can you try putting:

krb5_kdcip = fileserver1.example.com, fileserver2.example.com

into SSSD config file instead and restarting the sssd service? We don't support fail over on multiple A records for the same hostname.
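Added example (not from the thread or from the SSSD project): a small check that parses the `[domain/default]` section of an sssd.conf and classifies the `krb5_kdcip` value the way the two replies above distinguish them: a single round-robin hostname (no failover), an explicit comma-separated list (Jakub's fix, but every client must be edited), or DNS SRV discovery (the "SERVICE DISCOVERY" route). The `_srv_` keyword is the marker the sssd-krb5 man page uses for service discovery; it does not appear on this page, and the sample config below is constructed from the one Dan posted.

```python
import configparser

# Constructed sample: the posted [domain/default] section, trimmed to the
# options that matter here. ldap.example.com resolves to both servers in a
# round-robin, which SSSD does not treat as two KDCs to fail over between.
SAMPLE_SSSD_CONF = """
[domain/default]
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_kdcip = ldap.example.com:88
krb5_kpasswd = ldap.example.com:749
id_provider = ldap
ldap_uri = ldap://ldap.example.com/
"""


def kdc_entries(conf_text, domain="domain/default", option="krb5_kdcip"):
    """Return the KDC list as SSSD reads it: comma-separated, trimmed, in order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get(domain, option, fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def failover_status(conf_text):
    """Classify how the client finds a KDC when one IPA server is down.

    'single' is the failure mode from the thread: one hostname, even one that
    resolves to several A records, leaves SSSD nothing to fail over to.
    """
    kdcs = kdc_entries(conf_text)
    if not kdcs:
        return "missing"
    if "_srv_" in (k.lower() for k in kdcs):
        return "srv-discovery"   # DNS SRV lookup: adding a KDC needs no client edit
    if len(kdcs) >= 2:
        return "explicit-list"   # fails over, but every client must be edited
    return "single"


def suggested_line(known_kdcs, use_srv=True):
    """Build the krb5_kdcip line to replace a single-host entry with: an
    explicit server list, optionally led by _srv_ so SRV records are tried first."""
    servers = (["_srv_"] if use_srv else []) + list(known_kdcs)
    return "krb5_kdcip = " + ", ".join(servers)


if __name__ == "__main__":
    print(failover_status(SAMPLE_SSSD_CONF))
    print(suggested_line(["fileserver1.example.com", "fileserver2.example.com"]))
```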