[Freeipa-users] FreeIPA redundant server login problems
Dan Scott
danieljamesscott at gmail.com
Wed Jul 14 15:45:22 UTC 2010
Hi,
I have 2 FreeIPA servers (Version 1). I am upgrading the slave server
from Fedora 11 to 13, so I have shut it down. My client (Fedora 13,
using SSSD) cannot authenticate against the master FreeIPA server and
gives the following message:
pam_sss(sshd:auth): system info: [Cannot contact any KDC for requested realm]
I'm very confused about the role of the /etc/krb5.conf and
/etc/sssd/sssd.conf files. They appear to contain very similar
information and I'm not sure which is used by default.
My krb5.conf file contains the following:
[realms]
EXAMPLE.COM = {
kdc = fileserver1.example.com:88
kdc = fileserver2.example.com:88
admin_server = fileserver1.example.com:749
default_domain = example.com
}
fileserver2 is the master and fileserver1 the slave. Is it possible to
have 2 entries for admin_server? If not, then how do I correctly
configure multiple FreeIPA servers? I have tried changing admin_server
to fileserver2, but no change.
The /etc/sssd/sssd.conf file contains:
[domain/default]
ldap_id_use_start_tls = False
cache_credentials = False
auth_provider = krb5
debug_level = 0
krb5_kpasswd = ldap.example.com:749
ldap_schema = rfc2307bis
krb5_realm = EXAMPLE.COM
ldap_search_base = dc=example,dc=com
chpass_provider = krb5
id_provider = ldap
min_id = 500
ldap_uri = ldap://ldap.example.com/
krb5_kdcip = ldap.example.com:88
ldap_tls_cacertdir = /etc/openldap/cacerts
where ldap.example.com resolves to both fileserver1 and fileserver2 in
a round-robin.
Can anyone explain the role of krb5.conf and sssd.conf and provide any
ideas for why I cannot authenticate against fileserver2?
Thanks,
Dan Scott
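An added example, not from Dan's post and not FreeIPA or SSSD code, that makes the question "which file names which servers" concrete: a small Python checker that parses the brace-delimited [realms] block of krb5.conf and the INI-style domain section of sssd.conf, reports where the two disagree for the same realm (KDC list, and krb5_kpasswd versus admin_server), and probes each listed KDC on its port so a replica that is down for upgrade shows up directly. The two configurations embedded in it are constructed to mirror the post (the option is krb5_kdcip in the SSSD release shown; later SSSD releases call it krb5_server); the hostnames and the injectable `connect` parameter are assumptions for illustration.

```python
"""Cross-check the Kerberos servers named in /etc/krb5.conf and /etc/sssd/sssd.conf.

Added example, not code from the post or from FreeIPA/SSSD. The two sample
configurations below are constructed to mirror the post.
"""
import configparser
import re
import socket

# Constructed sample: krb5.conf realm block naming both servers explicitly.
KRB5_CONF_SAMPLE = """\
[realms]
 EXAMPLE.COM = {
  kdc = fileserver1.example.com:88
  kdc = fileserver2.example.com:88
  admin_server = fileserver1.example.com:749
  default_domain = example.com
 }
"""

# Constructed sample: sssd.conf domain pointing at a round-robin name instead.
SSSD_CONF_SAMPLE = """\
[domain/default]
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_kdcip = ldap.example.com:88
krb5_kpasswd = ldap.example.com:749
id_provider = ldap
ldap_uri = ldap://ldap.example.com/
"""


def parse_krb5_realms(text):
    """Return {REALM: {key: [values...]}} from the brace-delimited [realms]
    section of a krb5.conf; other sections are skipped."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "realms":
            continue
        opener = re.match(r"^(\S+)\s*=\s*\{$", line)
        if opener:
            current = opener.group(1)
            realms[current] = {}
            continue
        if line == "}":
            current = None
        elif current and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            realms[current].setdefault(key, []).append(value)
    return realms


def parse_sssd_domains(text):
    """Return {domain_name: {option: value}} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s[len("domain/"):]: dict(cp[s]) for s in cp.sections()
            if s.startswith("domain/")}


def compare_kdc_sources(krb5_text, sssd_text):
    """List the places where sssd.conf and krb5.conf name different servers
    for the same realm (KDC list, and krb5_kpasswd vs admin_server)."""
    realms = parse_krb5_realms(krb5_text)
    findings = []
    for name, dom in parse_sssd_domains(sssd_text).items():
        if dom.get("auth_provider") != "krb5":
            continue
        realm = dom.get("krb5_realm", "")
        block = realms.get(realm, {})
        if not block:
            findings.append(f"{name}: realm {realm!r} missing from krb5.conf [realms]")
        sssd_kdcs = sorted(v.strip() for v in dom.get("krb5_kdcip", "").split(",") if v.strip())
        krb5_kdcs = sorted(block.get("kdc", []))
        if sssd_kdcs != krb5_kdcs:
            findings.append(f"{name}: krb5_kdcip {sssd_kdcs} vs krb5.conf kdc {krb5_kdcs}")
        kpasswd = dom.get("krb5_kpasswd")
        admins = block.get("admin_server", [])
        if kpasswd and kpasswd not in admins:
            findings.append(f"{name}: krb5_kpasswd {kpasswd} vs admin_server {admins}")
    return findings


def probe_kdcs(kdcs, connect=socket.create_connection, timeout=2.0):
    """Map each 'host[:port]' to True/False by opening a TCP connection to it
    (port 88 by default). `connect` is injectable (an assumption of this
    example) so the logic can run without a network; the default is real."""
    status = {}
    for entry in kdcs:
        host, _, port = entry.partition(":")
        try:
            sock = connect((host, int(port) if port else 88), timeout=timeout)
            sock.close()
            status[entry] = True
        except OSError:
            status[entry] = False
    return status


if __name__ == "__main__":
    for finding in compare_kdc_sources(KRB5_CONF_SAMPLE, SSSD_CONF_SAMPLE):
        print("finding:", finding)
    # On a live client, feed the real files instead of the samples and probe
    # the krb5.conf KDC list to see which replica is actually answering, e.g.
    # probe_kdcs(parse_krb5_realms(open("/etc/krb5.conf").read())["EXAMPLE.COM"]["kdc"])
```

Run against the samples it reports two findings: sssd.conf names the round-robin name ldap.example.com:88 where krb5.conf names fileserver1 and fileserver2 individually, and krb5_kpasswd points at ldap.example.com:749 while admin_server is fileserver1 only. With fileserver1 shut down, `probe_kdcs` over the krb5.conf list shows that host as unreachable, which is the first thing to confirm before touching either file.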