[Freeipa-users] Concerning the krb5.conf

bahan w bahanw042014 at gmail.com
Mon Aug 10 09:34:23 UTC 2015


Hello.

I don't know if you received my previous mail, but thank you for your answer.

I have two additional questions then:
- Concerning the master_kdc line, is it better to put the physical
machine here, or even to remove it if it is optional?
- Do you know how I can check which one of these three servers is currently
used per server with this krb5.conf? I need to check how I can
resynchronize the last server.

Best regards.

Bahan

On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Fri, 07 Aug 2015, bahan w wrote:
>
>> Hello !
>>
>> We are using freeipa version 3 and we are encountering a problem in our
>> environment.
>> We have one master kdc and two replicas.
>>
>> On the different linux servers on our environment, we have the following
>> krb5.conf (I modified the hostnames for NDA):
>>
>> ###
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>>  default_realm = <MYREALM>
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>  rdns = false
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>
>> [realms]
>>  <MYREALM> = {
>>    kdc = host1.<mydomain>:88
>>    kdc = host2.<mydomain>:88
>>    kdc = host3.<mydomain>:88
>>    master_kdc = host2.<mydomain>:88
>>    admin_server = host2.<mydomain>:749
>>    default_domain = <mydomain>
>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>  }
>>
>> [domain_realm]
>>  .<mydomain> = <MYREALM>
>>  <mydomain> = <MYREALM>
>>  .<myrealm> = <MYREALM>
>>  <myrealm> = <MYREALM>
>> ###
>>
>> host1 is a physical machine;
>> host2 and host3 are VMs.
>>
>> So I have some questions:
>> Q1 - Does it make sense to point the master_kdc and admin_server lines to
>> host2, which is a VM, instead of host1, which is a physical machine?
>>
> According to the manual page of 'krb5.conf',
> -------
> master_kdc:
> Identifies the master KDC(s). Currently, this tag is used in only
> one case: If an attempt to get credentials fails because of an invalid
> password, the client software will attempt to contact the master KDC, in
> case the user's password has just been changed, and the updated database
> has not been propagated to the slave servers yet.
> -------
>
> 'admin_kdc' is what kadmin is using, so it is irrelevant for day to day
> actions in IPA.
>
>
>> Q2 - When I try to connect to the UI of host1, I can enter my
>> login/password and it works. When I try to connect to the UI of host2, I
>> have an error message saying my password is incorrect. When I try to
>> connect to the UI of host3, it works. Does it mean host1 and host3 are
>> synchronized but host2 is not?
>>
> Most likely, yes.
>
>
>> Q3. Do the last two lines make sense? I mean, what is the exact usage of
>> the paragraph [domain_realm]? Does it mean: if I try to connect to a
>> server with a domain listed in this list, then I will try to contact the
>> associated realm?
>>
> Since you disabled DNS discovery of the realm based on the DNS domain,
> the Kerberos library will perform some logic to find out which realm
> corresponds to the domain. The domain_realm section helps here.
>
> The krb5.conf manual page has a clear explanation of how the section is
> designed to work.
>
> --
> / Alexander Bokovoy
>
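Added example, not from this thread or the FreeIPA project: a small Python parser for the krb5.conf shape quoted above that lists the kdc entries and master_kdc for a realm and applies the [domain_realm] lookup Alexander refers to (exact hostname first, then parent domains with a leading dot). The realm, hostnames and sample text are constructed placeholders.

```python
# Constructed sample in the ipa-client-install shape from the thread; placeholder names.
SAMPLE_KRB5_CONF = """
[realms]
  EXAMPLE.TEST = {
    kdc = host1.example.test:88
    kdc = host2.example.test:88
    kdc = host3.example.test:88
    master_kdc = host2.example.test:88
    admin_server = host2.example.test:749
  }
[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
"""

def parse_krb5_conf(text):
    """Tiny krb5.conf parser; repeated keys such as kdc become ordered lists."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            sections.setdefault(section, {})
        elif line.endswith("{"):              # 'REALM = {' opens a realm block
            realm = line[:-1].split("=")[0].strip()
            sections[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            target = sections[section][realm] if realm else sections[section]
            target.setdefault(key, []).append(val)
    return sections

def kdcs_for_realm(conf, realm):
    """Return (kdc entries in listed order, master_kdc or None) for a realm."""
    block = conf.get("realms", {}).get(realm, {})
    return block.get("kdc", []), (block.get("master_kdc") or [None])[0]

def realm_for_host(conf, hostname):
    """[domain_realm] lookup: exact host first, then parent domains with a leading dot."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand]
    return None
```

To see which KDC a given client actually contacted for a request, MIT Kerberos can log its KDC selection with `KRB5_TRACE=/dev/stderr kinit <user>`.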