[Freeipa-users] how to force switch to another kdc

Karl Forner karl.forner at gmail.com
Tue Jan 5 18:54:23 UTC 2016


Thanks a lot, that works if I comment out the explicit reference to a
server name and switch dns_lookup_kdc to true.

I think I understand why it was not working from the install:
I used the ipa-client-install with the option --server.
According to the man page, in the "Failover" section, I understand that
"DNS Autodiscovery" is enabled when no "fixed server was passed to the
installer", which makes sense a posteriori.


I think that closes my topic, thanks again for all the help I got!


On Tue, Jan 5, 2016 at 7:34 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:

>
>
> On Tue, Jan 5, 2016 at 7:31 PM, Natxo Asenjo <natxo.asenjo at gmail.com>
> wrote:
>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>> #File modified by ipa-client-install
>>
>> [libdefaults]
>>   default_realm = IPA.DOMAIN.TLD
>>   dns_lookup_realm = true
>>   dns_lookup_kdc = true
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [realms]
>>   IPA.DOMAIN.TLD = {
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>> [domain_realm]
>>   .ipa.domain.tld = IPA.DOMAIN.TLD
>>   ipa.domain.tld = IPA.DOMAIN.TLD
>>
>> ]$ cat /etc/krb5.conf
>>
>
> With this config I can reach any realm, by the way, provided it has SRV
> records. It works for our AD forests as well.
>
> --
> Regards,
> natxo
>
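Added example, not part of the original thread: a small check that reports whether a client's krb5.conf pins the default realm to fixed KDCs or leaves discovery to DNS SRV records, which is the difference discussed above. The parser is deliberately minimal, the KDC hostname is made up, and the handling of an absent dns_lookup_kdc is an assumption of the example.

```python
import re

TRUE = {"y", "yes", "t", "true", "1", "on"}

def parse_krb5(text):
    """Tiny krb5.conf reader: {section: {key: [values] | {subkey: [values]}}}."""
    conf, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;" or line.startswith("include"):
            continue  # a commented-out kdc line no longer pins anything
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(val)
    return conf

def kdc_discovery(text):
    """Return (realm, mode, targets) for the default realm."""
    conf = parse_krb5(text)
    lib = conf.get("libdefaults", {})
    realm = lib["default_realm"][0]
    pinned = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if pinned:  # listed KDCs are used; SRV lookup is for realms without them
        return realm, "pinned", pinned
    # Assumption of this example: an absent dns_lookup_kdc counts as enabled.
    if lib.get("dns_lookup_kdc", ["true"])[0].lower() in TRUE:
        return realm, "dns-srv", [f"_kerberos._{p}.{realm}" for p in ("udp", "tcp")]
    return realm, "none", []

# Constructed sample: a client pinned to one server (hostname is made up).
PINNED = """
[libdefaults]
  default_realm = IPA.DOMAIN.TLD
  dns_lookup_kdc = false
[realms]
  IPA.DOMAIN.TLD = {
    kdc = ipa1.ipa.domain.tld:88
  }
"""
# Same file after commenting out the kdc line and enabling dns_lookup_kdc.
DISCOVERY = PINNED.replace("kdc = ipa1", "#kdc = ipa1").replace("= false", "= true")

if __name__ == "__main__": print(kdc_discovery(PINNED), kdc_discovery(DISCOVERY))
```

A "pinned" result means the client only tries the listed servers; "dns-srv" lists the SRV names the client would query to find any available KDC.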