[Freeipa-users] errors when one ipa server down

Michael Mercier mmercier at gmail.com
Thu Sep 6 14:40:26 UTC 2012


Hello,

I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3).  I have 2 ipa servers (ipaserver / ipaserver2) set up using MMR.

[root@ipaserver ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64


[root@ipaserver2 ~]# ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root@ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch


[mike@ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64


I have a webserver (zenoss) using kerberos authentication.  

[root@zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64

<Location />
   SSLRequireSSL
   # mod_auth_kerb: SPNEGO/Negotiate only, no Basic-auth password fallback
   AuthType Kerberos
   AuthName "Kerberos Login"

   KrbMethodK5Passwd Off
   KrbAuthRealms MPLS.LOCAL
   KrbSaveCredentials on
   KrbServiceName HTTP
   Krb5KeyTab /etc/http/conf.d/http.keytab

   # mod_authnz_ldap: space-separated hosts are tried in order until one connects;
   # the authenticated principal is looked up by krbPrincipalName
   AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
   RequestHeader set X_REMOTE_USER %{remoteUser}e
   require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
</Location>


With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected.  If on ipaserver I do an 'ifdown eth0' and attempt another connection, it fails.  I have also noticed the following:

1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
2. It takes a longer period of time to do a kinit

If I then perform:
[root@ipaserver ~]# ifup eth0

[root@ipaserver2 ~]# ifdown eth0

[mike@ipaclient ~]$ kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials

[root@ipaserver2 ~]# ifup eth0

[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

[root@ipaserver2 ~]# ifdown eth0

... wait a number of minutes

ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes

[mike@ipaclient ~]$ kinit
Password for mike@MPLS.LOCAL:
[mike@ipaclient ~]$

Any ideas?

Thanks,
Mike
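One check a practitioner would want to run on ipaclient in this situation is to see which KDCs the client's /etc/krb5.conf actually names for the realm, whether SRV lookup (dns_lookup_kdc) is enabled, and whether each listed KDC answers on TCP 88. The script below is an added example, not code from the post or from FreeIPA. It takes the realm MPLS.LOCAL and the ipaserver host name from the post; the sample krb5.conf text is constructed to resemble what ipa-client-install writes and is not the poster's actual file. The probe function is pluggable so the parsing can be exercised offline.

```python
"""Report the KDCs a Kerberos client is configured to use and probe each one.

Added example for the thread above (not FreeIPA code). The realm and host
names come from the post; SAMPLE_KRB5_CONF is a constructed stand-in for
the client's real /etc/krb5.conf.
"""
import re
import socket
import sys

# Constructed sample resembling an ipa-client-install generated krb5.conf.
# Only one kdc line is present, as a client enrolled against ipaserver
# would typically have; this is an assumption, not the poster's file.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h

[realms]
  MPLS.LOCAL = {
    kdc = ipaserver.mpls.local:88
    master_kdc = ipaserver.mpls.local:88
    admin_server = ipaserver.mpls.local:749
    default_domain = mpls.local
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL
"""


def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: [kdc entries]}) from krb5.conf text.

    Handles the [libdefaults] key = value lines and the brace-delimited
    realm blocks under [realms]; other sections are ignored.
    """
    libdefaults, realms = {}, {}
    section, current_realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, current_realm = m.group(1), None
            continue
        if section == "libdefaults":
            key, _, val = line.partition("=")
            libdefaults[key.strip()] = val.strip()
        elif section == "realms":
            m = re.match(r"^([^\s=]+)\s*=\s*\{$", line)
            if m:                                # "REALM = {" opens a block
                current_realm = m.group(1)
                realms.setdefault(current_realm, [])
            elif line == "}":
                current_realm = None
            elif current_realm:
                key, _, val = line.partition("=")
                if key.strip() == "kdc":
                    realms[current_realm].append(val.strip())
    return libdefaults, realms


def split_kdc(entry, default_port=88):
    """Split 'host:port' into (host, port); port defaults to 88. IPv4/hostnames only."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry, default_port


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def kdc_report(text, probe=tcp_reachable):
    """Parse krb5.conf text and probe every configured KDC.

    Returns {'dns_lookup_kdc': bool, 'realms': {realm: [(host, port, up)]}}.
    """
    libdefaults, realms = parse_krb5_conf(text)
    dns_lookup = libdefaults.get("dns_lookup_kdc", "false").lower() == "true"
    return {
        "dns_lookup_kdc": dns_lookup,
        "realms": {r: [(h, p, probe(h, p)) for h, p in map(split_kdc, kdcs)]
                   for r, kdcs in realms.items()},
    }


def single_kdc_realms(report):
    """Realms that name fewer than two KDCs and cannot fall back to DNS SRV records."""
    if report["dns_lookup_kdc"]:
        return []
    return [r for r, kdcs in report["realms"].items() if len(kdcs) < 2]


if __name__ == "__main__":
    # Usage: python kdc_check.py [/etc/krb5.conf]; without a path the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    rep = kdc_report(text)
    print("dns_lookup_kdc:", rep["dns_lookup_kdc"])
    for realm, kdcs in rep["realms"].items():
        for host, port, up in kdcs:
            print(f"{realm}: {host}:{port} {'reachable' if up else 'UNREACHABLE'}")
    for realm in single_kdc_realms(rep):
        print(f"{realm}: only one KDC configured and dns_lookup_kdc is off")
```

Run it on ipaclient against the real file (`python kdc_check.py /etc/krb5.conf`) while one server's interface is down; a realm that names a single kdc and has dns_lookup_kdc off has no failover path regardless of how many masters replication shows.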
