[Freeipa-users] errors when one ipa server down
Michael Mercier
mmercier at gmail.com
Thu Sep 6 14:40:26 UTC 2012
Hello,
I have experienced some odd connectivity issues using MMR with FreeIPA (all systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) setup using MMR.
[root at ipaserver ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root at ipaserver ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
[root at ipaserver2 ~]#ipa-replica-manage list
ipaserver.mpls.local: master
ipaserver2.mpls.local: master
[root at ipaserver2 ~]# rpm -qa|grep ipa
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-admintools-2.2.0-16.el6.x86_64
ipa-server-selinux-2.2.0-16.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
[mike at ipaclient ~]$ rpm -qa|grep ipa
ipa-admintools-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-2.2.0-16.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
libipa_hbac-1.8.0-32.el6.x86_64
I have a webserver (zenoss) using kerberos authentication.
[root at zenoss ~]# rpm -qa|grep ipa
libipa_hbac-1.8.0-32.el6.x86_64
libipa_hbac-python-1.8.0-32.el6.x86_64
ipa-python-2.2.0-16.el6.x86_64
ipa-client-2.2.0-16.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-admintools-2.2.0-16.el6.x86_64
<Location />
SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodK5Passwd Off
KrbAuthRealms MPLS.LOCAL
KrbSaveCredentials on
KrbServiceName HTTP
Krb5KeyTab /etc/http/conf.d/http.keytab
AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
RequestHeader set X_REMOTE_USER %{remoteUser}e
require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
</Location>
With both ipaserver and ipaserver2 'up', if I connect to https://zenoss.mpls.local from ipaclient using firefox, I am successfully connected. If on ipaserver I do a 'ifdown eth0' and attempt another connection, it fails. I have also noticed the following:
1. I am unable to use the ipaserver2 management interface when ipaserver is unavailable.
2. It takes a longer period of time to do a kinit
If I then perform:
[root at ipaserver ~]#ifup eth0
[root at ipaserver2 ~]#ifdown eth0
[mike at ipaclient ~]$kinit
kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
[root at ipaserver2 ~]#ifup eth0
[mike at ipaclient ~]$ kinit
Password for mike at MPLS.LOCAL:
[mike at ipaclient ~]$
[root at ipaserver2 ~]#ifdown eth0
... wait number of minutes
ipaclient screen locks - type password - after a short delay (~7 seconds) screen unlock completes
[mike at ipaclient ~]$kinit
Password for mike at MPLS.LOCAL:
[mike at ipaclient ~]$
Any ideas?
Thanks,
Mike
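Added example (not part of Mike's post, and not FreeIPA project code): a small diagnostic that reads the KDC list a client is configured with for a realm and flags the case where only one KDC is listed and DNS SRV discovery is off, which is one reason a client can report "Cannot contact any KDC" as soon as that single server goes away. The krb5.conf text, hostnames and ports below are constructed for illustration; nothing here was taken from the poster's actual client configuration.

```python
"""Check a client's krb5.conf for single-KDC failover risk and optionally
probe each listed KDC with a short timeout.

Constructed example: the realm name mirrors the post, but the file content,
hostnames and flag values are assumptions, not the poster's real config.
"""
import re
import socket
from typing import Dict, List

# Constructed sample: one explicit KDC and DNS SRV lookup disabled.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = MPLS.LOCAL
 dns_lookup_kdc = false

[realms]
 MPLS.LOCAL = {
  kdc = ipaserver.mpls.local:88
  admin_server = ipaserver.mpls.local:749
 }
"""

# Constructed sample: two explicit KDCs, DNS SRV lookup enabled.
SAMPLE_KRB5_CONF_TWO_KDCS = """\
[libdefaults]
 default_realm = MPLS.LOCAL
 dns_lookup_kdc = true

[realms]
 MPLS.LOCAL = {
  kdc = ipaserver.mpls.local:88
  kdc = ipaserver2.mpls.local:88
 }
"""


def parse_krb5_conf(text: str) -> Dict[str, object]:
    """Extract dns_lookup_kdc and the per-realm 'kdc =' entries.

    Only the parts relevant to KDC failover are read; everything else in the
    file is skipped. MIT krb5 defaults dns_lookup_kdc to true when unset.
    """
    result: Dict[str, object] = {"dns_lookup_kdc": True, "realms": {}}
    realms: Dict[str, List[str]] = result["realms"]  # type: ignore[assignment]
    section = None
    current_realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        sec = re.match(r"\[(\w+)\]$", line)
        if sec:
            section, current_realm = sec.group(1), None
            continue
        if section == "libdefaults":
            key, _, val = line.partition("=")
            if key.strip() == "dns_lookup_kdc":
                result["dns_lookup_kdc"] = val.strip().lower() in ("true", "yes", "1")
        elif section == "realms":
            start = re.match(r"([\w.\-]+)\s*=\s*\{", line)
            if start:
                current_realm = start.group(1)
                realms[current_realm] = []
                continue
            if line == "}":
                current_realm = None
                continue
            if current_realm is not None:
                key, _, val = line.partition("=")
                if key.strip() == "kdc":
                    realms[current_realm].append(val.strip())
    return result


def failover_risk(conf: Dict[str, object], realm: str) -> str:
    """Return 'ok' or a one-line reason the realm cannot survive one KDC outage."""
    kdcs = conf["realms"].get(realm, [])  # type: ignore[union-attr]
    dns = bool(conf["dns_lookup_kdc"])
    if not kdcs and not dns:
        return "no KDCs: no explicit kdc entries and dns_lookup_kdc is off"
    if len(kdcs) == 1 and not dns:
        return f"single point of failure: only {kdcs[0]} and dns_lookup_kdc is off"
    return "ok"


def probe(hostport: str, default_port: int = 88, timeout: float = 1.0) -> bool:
    """TCP-connect to host[:port] with a timeout; True if the port accepts."""
    host, _, port = hostport.partition(":")
    try:
        with socket.create_connection((host, int(port or default_port)), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for label, text in (("one-kdc", SAMPLE_KRB5_CONF), ("two-kdc", SAMPLE_KRB5_CONF_TWO_KDCS)):
        conf = parse_krb5_conf(text)
        print(label, "->", failover_risk(conf, "MPLS.LOCAL"))
        for kdc in conf["realms"]["MPLS.LOCAL"]:  # type: ignore[index]
            print("  ", kdc, "reachable" if probe(kdc) else "unreachable")
```

Run it against a real /etc/krb5.conf by reading the file into parse_krb5_conf; the probe only tells you whether the KDC port accepts a TCP connection, so a "reachable" result still leaves LDAP (ports 389/636) and the Apache AuthLDAPUrl hosts to be checked separately.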