[Freeipa-users] Concerning the krb5.conf

bahan w bahanw042014 at gmail.com
Fri Aug 7 14:25:29 UTC 2015


Hello!

We are using FreeIPA version 3 and we are encountering a problem in our
environment.
We have one master KDC and two replicas.

On the different Linux servers in our environment, we have the following
krb5.conf (I modified the hostnames for NDA):

###
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = <MYREALM>
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  <MYREALM> = {
    kdc = host1.<mydomain>:88
    kdc = host2.<mydomain>:88
    kdc = host3.<mydomain>:88
    master_kdc = host2.<mydomain>:88
    admin_server = host2.<mydomain>:749
    default_domain = <mydomain>
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .<mydomain> = <MYREALM>
  <mydomain> = <MYREALM>
  .<myrealm> = <MYREALM>
  <myrealm> = <MYREALM>
###

host1 is a physical machine.
host2 and host3 are VMs.

So I have some questions:
Q1 - Does it make sense to point the master_kdc and admin_server lines at
host2, which is a VM, instead of host1, which is a physical machine?

Q2 - When I try to connect to the UI of host1, I can enter my
login/password and it works. When I try to connect to the UI of host2, I
get an error message saying my password is incorrect. When I try to
connect to the UI of host3, it works. Does it mean host1 and host3 are
synchronized but host2 is not?

Q3 - Do the last two lines make sense? I mean, what is the exact usage of
the paragraph [domain_realm]? Does it mean: if I try to connect to a
server with a domain listed in this list, then I will try to contact the
associated realm?

Thank you in advance for your answers.

Best regards.

Bahan
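
Added example, not part of the original post and not libkrb5 code: a simplified Python model of how a [domain_realm] section like the one quoted above maps a service host name to a realm, following the lookup order MIT krb5 documents (the exact host name first, then each parent domain with and without the leading dot). The realm and host names and the helper functions are constructed for illustration.

```python
# Added example: host-to-realm lookup order for [domain_realm].
# All names below are constructed; they are not the poster's hosts or realm.

SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST

[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
  legacy.corp.test = OTHER.TEST
"""


def parse_domain_realm(text):
    """Return the [domain_realm] relations as a dict (keys lowercased)."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def candidates(hostname):
    """Yield lookup keys in order: host, .parent, parent, .grandparent, ..."""
    p = hostname.lower().rstrip(".")
    while p:
        yield p
        if p.startswith("."):
            p = p[1:]            # ".example.test" -> "example.test"
        else:
            dot = p.find(".")    # "a.example.test" -> ".example.test"
            p = p[dot:] if dot != -1 else ""


def realm_for_host(hostname, mapping):
    """First matching relation wins; None means no [domain_realm] entry applies."""
    for key in candidates(hostname):
        if key in mapping:
            return key, mapping[key]
    return None


MAPPING = parse_domain_realm(SAMPLE_KRB5_CONF)
```

The mapping is only consulted to pick the realm of the service principal being requested; which KDC is then contacted comes from the `kdc` entries under [realms] (or DNS, when `dns_lookup_kdc` is enabled).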