[Freeipa-users] Concerning the krb5.conf

Alexander Bokovoy abokovoy at redhat.com
Fri Aug 7 21:05:10 UTC 2015


On Fri, 07 Aug 2015, bahan w wrote:
>Hello !
>
>We are using freeipa version 3 and we are encountering a problem in our
>environment.
>We have one master kdc and two replicas.
>
>On the different linux servers on our environment, we have the following
>krb5.conf (I modified the hostname for NDA) :
>
>###
>#File modified by ipa-client-install
>
>includedir /var/lib/sss/pubconf/krb5.include.d/
>
>[libdefaults]
> default_realm = <MYREALM>
> dns_lookup_realm = false
> dns_lookup_kdc = false
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>
>[realms]
>  <MYREALM> = {
>    kdc = host1.<mydomain>:88
>    kdc = host2.<mydomain>:88
>    kdc = host3.<mydomain>:88
>    master_kdc = host2.<mydomain>:88
>    admin_server = host2.<mydomain>:749
>    default_domain = <mydomain>
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>  }
>
>[domain_realm]
>  .<mydomain> = <MYREALM>
>  <mydomain> = <MYREALM>
>  .<myrealm> = <MYREALM>
>  <myrealm> = <MYREALM>
>###
>
>host1 is a physical machine
>host2 and host3 are VM.
>
>So I have some questions :
>Q1 - Does it make sense to put the line master_kdc and admin_server to the
>host2, which is a VM instead of the host1 which is a physical machine ?
According to the manual page of 'krb5.conf':
-------
master_kdc:
Identifies  the  master  KDC(s). Currently, this tag is used in only
one case: If an attempt to get credentials fails because of an invalid
password, the client software will attempt to contact the master KDC, in
case the user's password has just been changed, and the updated database
has not been propagated to the slave servers yet.
-------

'admin_kdc' is what kadmin is using, so it is irrelevant for day to day
actions in IPA.


>Q2 - When I try to connect to the UI of host1, I can enter my
>login/password and it works. When I try to connect to the UI of host2, I
>have an error message saying my password is incorrect. When I try to
>connect to the UI of host3, it works. Does it mean host1 and host3 are
>synchronized but host2 is not ?
Most likely, yes.


>Q3. Do the last two lines make sense ? I mean what is the exact usage of
>the paragraph [domain_realm] ? Does it mean : if I try to connect to a
>server with the domain listed in this list, then I will try to contact the
>realm associated ?
Since you disabled DNS discovery of the realm based on the DNS domain,
the Kerberos library will perform some logic to find out which realm
corresponds to the domain. The domain_realm section helps here.

The krb5.conf manual page has a clear explanation of how the section is
designed to work.

-- 
/ Alexander Bokovoy
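To make the Q3 answer concrete, the following is an added example (not part of the thread, and not FreeIPA or MIT krb5 code) that parses a [domain_realm] section and resolves a host name the way the krb5.conf manual page describes: the host's own name is tried first, then each parent domain as a leading-dot entry, longest suffix first. The configuration text, the realm EXAMPLE.TEST and the host names in it are constructed for the example and stand in for the placeholders in the original post. It does not model what libkrb5 does when nothing matches (referrals, or the upper-cased domain heuristic); it simply returns the caller-supplied default.

```python
"""Resolve a host name to a Kerberos realm from a krb5.conf [domain_realm]
section.  Added example, not code from the thread, FreeIPA or MIT krb5."""
import re

# Constructed sample, modelled on the config in the thread (assumed names).
KRB5_CONF = """\
#File modified by ipa-client-install
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  EXAMPLE.TEST = {
    kdc = host1.example.test:88
    kdc = host2.example.test:88
    master_kdc = host2.example.test:88
  }

[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
  legacy-box.corp.test = EXAMPLE.TEST
"""


def parse_sections(text):
    """Minimal krb5.conf reader: returns {section: [(key, value), ...]}.
    Good enough for flat 'key = value' lines and one level of '{ }' blocks."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or line == '}':
            continue
        key, sep, value = line.partition('=')
        if sep:
            # 'REALM = {' opens a block; keep the key, drop the brace.
            sections[current].append((key.strip(), value.strip().rstrip('{').strip()))
    return sections


def domain_realm_map(text):
    """[domain_realm] entries, keys lower-cased (the lookup is case-insensitive)."""
    return {k.lower(): v for k, v in parse_sections(text).get('domain_realm', [])}


def host_realm(hostname, mapping, default_realm=None):
    """Lookup order documented for [domain_realm]:
    1. the host name itself (entry without a leading dot);
    2. each parent domain, longest first, as a leading-dot entry.
    Returns default_realm when no entry matches (assumption: the real
    library's fallback heuristics are not modelled here)."""
    host = hostname.rstrip('.').lower()
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default_realm


if __name__ == '__main__':
    realm_map = domain_realm_map(KRB5_CONF)
    for h in ('host2.example.test', 'deep.sub.example.test',
              'legacy-box.corp.test', 'other.corp.test'):
        print(f'{h:25s} -> {host_realm(h, realm_map)}')
```

With the leading-dot entry every host under example.test maps to EXAMPLE.TEST, while the entry without a dot covers only the exact name it lists; a host in an unlisted domain gets no answer from this section at all, which is the situation the asker's `.<myrealm>` / `<myrealm>` lines are there to cover for hosts named under the realm's own domain.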
