<div dir="ltr"><div><div><div><div><div><div><br>Hello.<br><br></div></div>I don't know if you receive my previous mail, but thank you for your answer.<br><br></div>I have two additionnal question then :<br></div>- Concerning the master_kdc line, is it better to put here the physical machine or even to remove it if it is optional ?<br>- Do you know how I can check which one of these three servers is currently used per server with this krb5.conf ? I need to check how I can resynchronize the last server.<br><br></div>Best regards.<br><br></div>Bahan<br><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy <span dir="ltr"><<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Fri, 07 Aug 2015, bahan w wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hello !<br> <br> We are using freeipa version 3 and we are encountering a problem in our<br> environment.<br> We have one master kdc and two replicas.<br> <br> On the different linux servers on our environment, we have the following<br> krb5.conf (I modified the hostname for NDA) :<br> <br> ###<br> #File modified by ipa-client-install<br> <br> includedir /var/lib/sss/pubconf/krb5.include.d/<br> <br> [libdefaults]<br> default_realm = <MYREALM><br> dns_lookup_realm = false<br> dns_lookup_kdc = false<br> rdns = false<br> ticket_lifetime = 24h<br> forwardable = yes<br> <br> [realms]<br> <MYREALM> = {<br> kdc = host1.<mydomain>:88<br> kdc = host2.<mydomain>:88<br> kdc = host3.<mydomain>:88<br> master_kdc = host2.<mydomain>:88<br> admin_server = host2.<mydomain>:749<br> default_domain <mydomain><br> pkinit_anchors = FILE:/etc/ipa/ca.crt<br> }<br> <br> [domain_realm]<br> .<mydomain> = <MYREALM><br> <mydomain> = <MYREALM><br> .<myrealm> = <MYREALM><br> <myrealm> = <MYREALM><br> ###<br> <br> host1 is a physical machine<br> host2 and host3 are VM.<br> <br> So I have some questions :<br> Q1 - Does it make sense to put the line master_kdc and admin_server to the<br> host2, which is a VM instead of the host1 which is a physical machine ?<br> </blockquote></div></div> According to manual page of 'krb5.conf',<br> -------<br> master_kdc:<br> Identifies the master KDC(s). Currently, this tag is used in only<br> one case: If an attempt to get credentials fails because of an invalid<br> password, the client software will attempt to contact the master KDC, in<br> case the user's password has just been changed, and the updated database<br> has not been propagated to the slave servers yet.<br> -------<br> <br> 'admin_kdc' is what kadmin is using, so it is irrelevant for day to day<br> actions in IPA.<span class=""><br> <br> <br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Q2 - When I try to connect to the UI of host1, I can enter my<br> login/password and it works. When I try to connect to the UI of host2, I<br> have an error message saying my password is incorrect. When I try to<br> connect to the UI of host3, it works. Does it mean host1 and host3 are<br> synchronized but host2 is not ?<br> </blockquote></span> Most likely, yes.<span class=""><br> <br> <br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Q3. Does the two last lines make sense ? I mean what is the exact usage of<br> the paragraph [domain_realm] ? Does it mean : if I try to connect to a<br> server with the domain listed in this list, then I will try to contact the<br> realm associated ?<br> </blockquote></span> Since you disabled DNS discovery of realm based on the DNS domain,<br> Kerberos library will perform some logic to find out which realm<br> corresponds to the domain. domain_realm section helps here.<br> <br> krb5.conf manual page has clear explanation how the section is designed<br> to work.<span class="HOEnZb"><font color="#888888"><br> <br> -- <br> / Alexander Bokovoy<br> </font></span></blockquote></div><br></div></div></div></div>