[Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

Jakub Hrozek jhrozek at redhat.com
Wed Apr 9 06:41:06 UTC 2014


On Tue, Apr 08, 2014 at 05:22:46PM -0700, Shree wrote:
> Not sure if anyone read my last reply; I was still not having any luck. Anyways I found the file which was causing it to contact the old IP address just a few minutes ago. Thought I would share with you in case someone else may need it. I started going through the directory listed in the krb5.conf file
> 
> [ includedir /var/lib/sss/pubconf/krb5.include.d/ ]
> 
> Just one level up there was a file called kdcinfo.MYDOMAIN.COM which had the old IP address. I changed it to the new one and kinit started working fine. I was able to install ipa-client without any issues. I still cannot figure out why only one of my several servers behaved this way. 
> 
> Thanks

This file is generated by SSSD and tells the IP address of a KDC that
the SSSD discovered to libkrb5. The reason is that you want applications
that rely on Kerberos configuration only (for example kinit) to be able
to use the KDCs SSSD uses without having to duplicate information in
both sssd.conf and krb5.conf and also make sure that both sssd and
libkrb5 really talk to the same server.

The file is normally generated when SSSD goes online after startup and
should be removed either when SSSD goes offline for one reason or
another or when SSSD is shut down.

If the file was around even if SSSD was not running, then I'd say it was
a bug. But I admit I haven't read this whole thread, so I'm not 100%
sure what was going on before.
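
A way to check a client for the condition discussed in this thread, as an added example that is not part of the original messages and not SSSD's own tooling. The function name `check_kdcinfo`, its arguments, and the assumption that each non-empty line of a kdcinfo file is a KDC address optionally followed by `:port` are assumptions of this example; the addresses and realm in the demo are constructed.

```shell
#!/bin/sh
# check_kdcinfo DIR EXPECTED_KDC_IP SSSD_RUNNING
#   DIR              directory holding kdcinfo.REALM files
#                    (on the client in this thread: /var/lib/sss/pubconf)
#   EXPECTED_KDC_IP  address the KDC is known to have now
#   SSSD_RUNNING     "yes" or "no"; on a real host this could come from:
#                    pgrep -x sssd >/dev/null && echo yes || echo no
# Prints one line per finding. Returns 0 if nothing is wrong, 1 otherwise.
check_kdcinfo() {
    kdc_dir=$1
    kdc_expected=$2
    kdc_sssd=$3
    kdc_bad=0
    for kdc_file in "$kdc_dir"/kdcinfo.*; do
        [ -f "$kdc_file" ] || continue          # glob matched nothing
        kdc_realm=${kdc_file##*/kdcinfo.}
        if [ "$kdc_sssd" != yes ]; then
            # The file should be removed when SSSD goes offline or shuts down.
            echo "LEFTOVER $kdc_realm: $kdc_file exists while SSSD is not running"
            kdc_bad=1
            continue
        fi
        # Compare every address in the file with the expected one.
        while IFS= read -r kdc_addr || [ -n "$kdc_addr" ]; do
            [ -n "$kdc_addr" ] || continue
            case $kdc_addr in
                "$kdc_expected"|"$kdc_expected":*) ;;   # matches, with or without port
                *) echo "STALE $kdc_realm: $kdc_addr (expected $kdc_expected)"
                   kdc_bad=1 ;;
            esac
        done < "$kdc_file"
    done
    return "$kdc_bad"
}

# Constructed demo: a kdcinfo file that still holds an old address.
# 192.0.2.0/24 is a documentation range; EXAMPLE.TEST is a made-up realm.
demo_dir=$(mktemp -d)
echo '192.0.2.10' > "$demo_dir/kdcinfo.EXAMPLE.TEST"
check_kdcinfo "$demo_dir" 192.0.2.20 yes || true
rm -rf "$demo_dir"
```

A `STALE` or `LEFTOVER` finding means libkrb5 clients such as kinit may be directed to an address SSSD is no longer using, which is the failure described in the quoted message.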



