[Freeipa-users] IPA server failover
Andy Thompson
Andy.Thompson at e-tcc.com
Thu Sep 24 14:16:17 UTC 2015
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: Thursday, September 24, 2015 9:50 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA server failover
>
> On 24.9.2015 15:29, Alexander Bokovoy wrote:
> > On Thu, 24 Sep 2015, Andy Thompson wrote:
> >>> -----Original Message-----
> >>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> >>> Sent: Thursday, September 24, 2015 1:17 AM
> >>> To: Andy Thompson <Andy.Thompson at e-tcc.com>
> >>> Cc: freeipa-users at redhat.com
> >>> Subject: Re: [Freeipa-users] IPA server failover
> >>>
> >>> On Wed, 23 Sep 2015, Andy Thompson wrote:
> >>> >I've got all of my environments setup with two IPA servers. I'm
> >>> >fighting intermittent problems with krb5kdc crashing on them in all
> >>> >of my environments and I've opened a ticket with Redhat on that.
> >>> >What I can't figure out though is why the clients will not fail
> >>> >over to the second functioning server in the domain
> >>> >
> >>> >My sssd.conf files are all pretty generic from the install with
> >>> >minimal modification to add a couple settings.
> >>> >
> >>> >[domain/mhbe.lin]
> >>> >
> >>> >cache_credentials = True
> >>> >krb5_store_password_if_offline = True
> >>> >ipa_domain = mhbe.lin
> >>> >id_provider = ipa
> >>> >auth_provider = ipa
> >>> >access_provider = ipa
> >>> >ipa_hostname = mdhixproddb01.mhbe.lin
> >>> >chpass_provider = ipa
> >>> >ipa_server = _srv_, mdhixprodipa01.mhbe.lin
> >>> >ldap_tls_cacert = /etc/ipa/ca.crt
> >>> >
> >>> >[sssd]
> >>> >default_domain_suffix = mhbe.local
> >>> >services = nss, sudo, pam, ssh
> >>> >config_file_version = 2
> >>> >
> >>> >domains = mhbe.lin
> >>> >[nss]
> >>> >default_shell = /bin/bash
> >>> >homedir_substring = /home
> >>> >debug_level = 7
> >>> >[pam]
> >>> >
> >>> >[sudo]
> >>> >
> >>> >[autofs]
> >>> >
> >>> >[ssh]
> >>> >
> >>> >[pac]
> >>> >
> >>> >[ifp]
> >>> >
> >>> >I thought the _srv_ would force it to use dns and both servers are
> >>> >round robined when digging the _kerberos records from DNS. So I
> >>> >don't understand why it's not working
> >>> ipa_server is for SSSD tasks using LDAP server. Kerberos libraries
> >>> are using /etc/krb5.conf for hints where to find KDCs.
> >>>
> >>> A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing 'kdc = '
> >>> for specific realm would cause Kerberos clients to do DNS discovery
> >>> using SRV records.
> >>>
> >>
> >> Here are the contents of my krb conf with everything set to lookup
> >> and it doesn't appear to be working.
> >>
> >> includedir /var/lib/sss/pubconf/krb5.include.d/
> >>
> >> [libdefaults]
> >> default_realm = MHBE.LIN
> >> dns_lookup_realm = true
> >> dns_lookup_kdc = true
> >> rdns = false
> >> ticket_lifetime = 24h
> >> forwardable = yes
> >> udp_preference_limit = 0
> >>
> >>
> >> [realms]
> >> MHBE.LIN = {
> >> pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>
> >> }
> >>
> >>
> >> [domain_realm]
> >> .mhbe.lin = MHBE.LIN
> >> mhbe.lin = MHBE.LIN
> > I bet you have SSSD supplying you KDC info in
> > /var/lib/sss/pubconf/kdcinfo.MHBE.LIN via
> > /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
> >
> > You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
> > see details in sssd-krb5(5).
>
I will look into adding this setting. Why is this not the default configuration by the client install?
> Also, I would recommend you to check SRV records in DNS:
>
> $ dig _kerberos._udp.mhbe.lin SRV
>
> It should list both servers (with non-zero priority).
>
OK, both servers are in there, but they have a zero priority. Those are the default records added by the install.
-andy
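As an added example (not part of the thread, and not SSSD's or MIT Kerberos's own code), the script below shows the two checks the replies point at: what a Kerberos client does with the `_kerberos._udp.<domain>` SRV answer (RFC 2782 ordering: lowest priority first, weighted-random choice among equal priorities, so two records at priority 0 are both eligible), and what the SSSD locator plugin hands libkrb5 from `kdcinfo.<REALM>`. The dig answer section and the kdcinfo contents are constructed sample data modelled on the hostnames in the thread; the assumption that kdcinfo holds one server address per line is mine. The script does not run `dig` or read `/var/lib/sss/pubconf`, so it runs offline.

```python
"""Parse a dig SRV answer for Kerberos KDCs, order the candidates as RFC 2782
describes, and report whether more than one KDC is advertised (added example,
constructed input; not code from the freeipa-users thread)."""
import random
import re
from collections import defaultdict

# Constructed sample of what `dig _kerberos._udp.mhbe.lin SRV` prints in its
# answer section. Both records sit at priority 0 (the install default), so a
# client may legitimately pick either server.
SAMPLE_DIG_ANSWER = """\
;; ANSWER SECTION:
_kerberos._udp.mhbe.lin. 86400 IN SRV 0 100 88 mdhixprodipa01.mhbe.lin.
_kerberos._udp.mhbe.lin. 86400 IN SRV 0 100 88 mdhixprodipa02.mhbe.lin.
"""

# Constructed sample of /var/lib/sss/pubconf/kdcinfo.MHBE.LIN: the KDC that
# SSSD currently uses, which the locator plugin offers to libkrb5 ahead of
# DNS discovery. Format assumed here: one address per line.
SAMPLE_KDCINFO = "192.0.2.11:88\n"

SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(dig_text):
    """Return (priority, weight, port, target) tuples from dig output lines."""
    records = []
    for line in dig_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_kdcs(records, seed=None):
    """Order targets per RFC 2782: ascending priority; inside one priority
    group, repeated weighted-random selection without replacement.
    `seed` makes the weighted choice reproducible for testing."""
    rng = random.Random(seed)
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        # Zero-weight entries go first so they are chosen only when roll == 0.
        group = sorted(by_prio[prio], key=lambda r: r[1])
        while group:
            total = sum(r[1] for r in group)
            roll = rng.randint(0, total)
            acc = 0
            for rec in group:
                acc += rec[1]
                if acc >= roll:
                    ordered.append(rec[3])
                    group.remove(rec)
                    break
    return ordered


def parse_kdcinfo(text):
    """Return the server addresses SSSD wrote for the locator plugin."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def failover_check(records, kdcinfo_text=None):
    """Return (ok, reason). ok is True only when DNS advertises at least two
    distinct KDCs; the reason also notes whether a kdcinfo file would steer
    libkrb5 to a single server regardless of the SRV answer."""
    targets = sorted({r[3] for r in records})
    if len(targets) < 2:
        return False, "only %d KDC advertised in DNS: %s" % (len(targets), targets)
    prios = sorted({r[0] for r in records})
    reason = "%d KDCs advertised, priorities %s" % (len(targets), prios)
    if kdcinfo_text is not None:
        pinned = parse_kdcinfo(kdcinfo_text)
        reason += "; locator plugin pins libkrb5 to %s (set krb5_use_kdcinfo = false to ignore)" % pinned
    return True, reason


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_DIG_ANSWER)
    print("client order:", order_kdcs(recs))
    print(failover_check(recs, SAMPLE_KDCINFO))
```

Against the constructed input both hosts parse out at priority 0 and weight 100, so `order_kdcs` returns them in a weighted-random order (either may come first), `failover_check` passes the two-KDC requirement, and the kdcinfo note shows why a client can still be stuck on one server: libkrb5 asks the locator plugin before it ever looks at the SRV records.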