[Freeipa-users] FreeIPA redundant server login problems

Dmitri Pal dpal at redhat.com
Wed Jul 14 16:07:15 UTC 2010


Dan Scott wrote:
> Hi,
>
> I have 2 FreeIPA servers (Version 1). I am upgrading the slave server
> from Fedora 11 to 13, so I have shut it down. My client (Fedora 13,
> using SSSD) cannot authenticate against the master FreeIPA server and
> gives the following message:
>
> pam_sss(sshd:auth): system info: [Cannot contact any KDC for requested realm]
>
> I'm very confused about the role of the /etc/krb5.conf and
> /etc/sssd/sssd.conf files. They appear to contain very similar
> information and I'm not sure which is used by default.
>
If you use SSSD instead of pam_krb5, then the Kerberos configuration file is
ignored.
SSSD uses only the SSSD config file.


> My krb5.conf file contains the following:
>
>
> [realms]
>  EXAMPLE.COM = {
>   kdc = fileserver1.example.com:88
>   kdc = fileserver2.example.com:88
>   admin_server = fileserver1.example.com:749
>   default_domain = example.com
> }
>
> fileserver2 is the master and fileserver1 the slave. Is it possible to
> have 2 entries for admin_server? If not, then how do I correctly
> configure multiple FreeIPA servers. I have tried changing admin_server
> to fileserver2, but no change.
>
> The /etc/sssd/sssd.conf file contains:
>
> [domain/default]
> ldap_id_use_start_tls = False
> cache_credentials = False
> auth_provider = krb5
> debug_level = 0
> krb5_kpasswd = ldap.example.com:749
> ldap_schema = rfc2307bis
> krb5_realm = EXAMPLE.COM
> ldap_search_base = dc=example,dc=com
> chpass_provider = krb5
> id_provider = ldap
> min_id = 500
> ldap_uri = ldap://ldap.example.com/
> krb5_kdcip = ldap.example.com:88
>

Shouldn't that be fileserver1 or fileserver2?

> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> where ldap.example.com resolves to both fileserver1 and fileserver2 in
> a round-robin.
>
> Can anyone explain the role of krb5.conf and sssd.conf and provide any
> ideas for why I cannot authenticate against fileserver2?
>
> Thanks,
>
> Dan Scott
>


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
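For the redundancy question above, an added example configuration (not from the thread or the FreeIPA project): an sssd.conf fragment that names both IPA servers explicitly instead of relying on the round-robin ldap.example.com record, so SSSD itself can fail over when one server is down. It assumes an SSSD release that accepts the comma-separated krb5_server and ldap_uri lists (krb5_server is the newer name for krb5_kdcip); hostnames are the ones from the thread.

```ini
# Added example: /etc/sssd/sssd.conf fragment listing both IPA servers.
# Assumes comma-separated server lists are supported by this SSSD release.
[domain/default]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM

# Servers are tried in the order given; a stopped server only costs a
# connection timeout before SSSD moves on to the next one, instead of the
# "Cannot contact any KDC" failure seen when a single name is unreachable.
krb5_server = fileserver2.example.com:88, fileserver1.example.com:88
krb5_kpasswd = fileserver2.example.com:749, fileserver1.example.com:749
ldap_uri = ldap://fileserver2.example.com/, ldap://fileserver1.example.com/

ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis
ldap_tls_cacertdir = /etc/openldap/cacerts

# Optional: let previously authenticated users log in from the local cache
# while no server at all is reachable (the thread's config had this False).
cache_credentials = True
```

After editing, restart sssd and check /var/log/sssd/ to confirm which server each provider actually connected to.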





