[Freeipa-users] Concerning the krb5.conf

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 11 06:45:16 UTC 2015


On Mon, 10 Aug 2015, bahan w wrote:
>Hello.
>
>I don't know if you receive my previous mail, but thank you for your answer.
>
>I have two additional questions then :
>- Concerning the master_kdc line, is it better to put here the physical
>machine or even to remove it if it is optional ?
I don't think it ever matters as it is only used for fallback reasons.

>- Do you know how I can check which one of these three servers is currently
>used per server with this krb5.conf ? I need to check how I can
>resynchronize the last server.
set KRB5_TRACE=/dev/stderr in the execution environment and all
Kerberos code will start explaining what it does.

For example,
  KRB5_TRACE=/dev/stderr kinit
will show which server kinit will contact.

>
>Best regards.
>
>Bahan
>
>On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On Fri, 07 Aug 2015, bahan w wrote:
>>
>>> Hello !
>>>
>>> We are using freeipa version 3 and we are encountering a problem in our
>>> environment.
>>> We have one master kdc and two replicas.
>>>
>>> On the different linux servers on our environment, we have the following
>>> krb5.conf (I modified the hostname for NDA) :
>>>
>>> ###
>>> #File modified by ipa-client-install
>>>
>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>
>>> [libdefaults]
>>> default_realm = <MYREALM>
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>>  rdns = false
>>>  ticket_lifetime = 24h
>>>  forwardable = yes
>>>
>>> [realms]
>>>  <MYREALM> = {
>>>    kdc = host1.<mydomain>:88
>>>    kdc = host2.<mydomain>:88
>>>    kdc = host3.<mydomain>:88
>>>    master_kdc = host2.<mydomain>:88
>>>    admin_server = host2.<mydomain>:749
>>>    default_domain = <mydomain>
>>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>  }
>>>
>>> [domain_realm]
>>>  .<mydomain> = <MYREALM>
>>>  <mydomain> = <MYREALM>
>>>  .<myrealm> = <MYREALM>
>>>  <myrealm> = <MYREALM>
>>> ###
>>>
>>> host1 is a physical machine.
>>> host2 and host3 are VMs.
>>>
>>> So I have some questions :
>>> Q1 - Does it make sense to put the line master_kdc and admin_server to the
>>> host2, which is a VM instead of the host1 which is a physical machine ?
>>>
>> According to manual page of 'krb5.conf',
>> -------
>> master_kdc:
>> Identifies the master KDC(s). Currently, this tag is used in only
>> one case: If an attempt to get credentials fails because of an invalid
>> password, the client software will attempt to contact the master KDC, in
>> case the user's password has just been changed, and the updated database
>> has not been propagated to the slave servers yet.
>> -------
>>
>> 'admin_kdc' is what kadmin is using, so it is irrelevant for day to day
>> actions in IPA.
>>
>>
>>> Q2 - When I try to connect to the UI of host1, I can enter my
>>> login/password and it works. When I try to connect to the UI of host2, I
>>> have an error message saying my password is incorrect. When I try to
>>> connect to the UI of host3, it works. Does it mean host1 and host3 are
>>> synchronized but host2 is not ?
>>>
>> Most likely, yes.
>>
>>
>>> Q3. Do the two last lines make sense ? I mean what is the exact usage of
>>> the paragraph [domain_realm] ? Does it mean : if I try to connect to a
>>> server with the domain listed in this list, then I will try to contact the
>>> realm associated ?
>>>
>> Since you disabled DNS discovery of the realm based on the DNS domain,
>> the Kerberos library will perform some logic to find out which realm
>> corresponds to the domain. The domain_realm section helps here.
>>
>> The krb5.conf manual page has a clear explanation of how the section is designed
>> to work.
>>
>> --
>> / Alexander Bokovoy
>>



-- 
/ Alexander Bokovoy
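As an added example, not code from this thread, a small Python parser for the KRB5_TRACE output that the reply above suggests, run over a constructed trace written in the style of MIT krb5's trace messages (exact wording varies between krb5 versions); the realm, hostnames and addresses are placeholders. It reports which KDC each request went to and whether the client fell back to master_kdc, which is the retry the quoted manual page describes.

```python
import re

# Constructed KRB5_TRACE output in the style of MIT krb5 (not captured from the
# poster's hosts): pids, timestamps, names and addresses are placeholders.
SAMPLE_TRACE = """\
[2397] 1439275516.123456: Getting initial credentials for bahan@EXAMPLE.COM
[2397] 1439275516.123457: Sending request (191 bytes) to EXAMPLE.COM
[2397] 1439275516.123458: Resolving hostname host1.example.com
[2397] 1439275516.123459: Sending initial UDP request to dgram 192.0.2.11:88
[2397] 1439275516.123460: Received answer (306 bytes) from dgram 192.0.2.11:88
[2397] 1439275516.123461: Received error from KDC: -1765328360/Preauthentication failed
[2397] 1439275516.123462: Sending request (278 bytes) to EXAMPLE.COM (master)
[2397] 1439275516.123463: Resolving hostname host2.example.com
[2397] 1439275516.123464: Sending initial UDP request to dgram 192.0.2.12:88
[2397] 1439275516.123465: Received answer (120 bytes) from dgram 192.0.2.12:88
"""

LINE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
SEND = re.compile(r"^Sending request \(\d+ bytes\) to (\S+)( \(master\))?")
RESOLVE = re.compile(r"^Resolving hostname (\S+)")
ANSWER = re.compile(r"^Received answer \(\d+ bytes\) from (?:dgram|stream) (\S+)")

def kdc_contacts(trace):
    """Split a KRB5_TRACE dump into KDC exchanges. Each entry records the realm
    asked, whether the client deliberately retried the master_kdc, the KDC
    hostnames it resolved for that exchange and the address that answered."""
    contacts = []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a trace line (e.g. kinit's own prompt or error text)
        msg = m.group(1)
        s = SEND.match(msg)
        if s:
            contacts.append({"realm": s.group(1), "master": s.group(2) is not None,
                             "hosts": [], "answered_by": None})
            continue
        if not contacts:
            continue  # ignore lines before the first request to a KDC
        r = RESOLVE.match(msg)
        if r:
            contacts[-1]["hosts"].append(r.group(1))
            continue
        a = ANSWER.match(msg)
        if a:
            contacts[-1]["answered_by"] = a.group(1)
    return contacts

if __name__ == "__main__":
    for c in kdc_contacts(SAMPLE_TRACE):
        tag = "master_kdc" if c["master"] else "kdc"
        print(f"{tag} for {c['realm']}: resolved {c['hosts']}, answered by {c['answered_by']}")
```

To use it on a real host, capture `KRB5_TRACE=/dev/stderr kinit user 2>trace.log` and feed the file's contents to kdc_contacts(); a second exchange marked master means the first KDC rejected the password and the client retried the master_kdc, which is the symptom to expect when one replica is out of sync.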