[Freeipa-users] Concerning the krb5.conf
bahan w
bahanw042014 at gmail.com
Tue Aug 11 06:50:19 UTC 2015
Wow, thank you Alexander for this information!
Best regards.
Gwenael Le Barzic
On 11 Aug 2015 08:45, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
> On Mon, 10 Aug 2015, bahan w wrote:
>
>> Hello.
>>
>> I don't know if you received my previous mail, but thank you for your
>> answer.
>>
>> I have two additional questions then:
>> - Concerning the master_kdc line, is it better to put here the physical
>> machine or even to remove it if it is optional?
>>
> I don't think it ever matters as it is only used for fallback reasons.
>
>> - Do you know how I can check which one of these three servers is currently
>> used per server with this krb5.conf? I need to check how I can
>> resynchronize the last server.
>>
> set KRB5_TRACE=/dev/stderr in the execution environment and all
> Kerberos code will start explaining what it does.
>
> For example,
> KRB5_TRACE=/dev/stderr kinit
> will show which server kinit will contact.
>
>
>> Best regards.
>>
>> Bahan
>>
>> On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy <abokovoy at redhat.com>
>> wrote:
>>
>>> On Fri, 07 Aug 2015, bahan w wrote:
>>>>
>>>> Hello!
>>>>
>>>> We are using freeipa version 3 and we are encountering a problem in our
>>>> environment.
>>>> We have one master kdc and two replicas.
>>>>
>>>> On the different Linux servers in our environment, we have the following
>>>> krb5.conf (I modified the hostname for NDA):
>>>>
>>>> ###
>>>> #File modified by ipa-client-install
>>>>
>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>
>>>> [libdefaults]
>>>> default_realm = <MYREALM>
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = false
>>>> rdns = false
>>>> ticket_lifetime = 24h
>>>> forwardable = yes
>>>>
>>>> [realms]
>>>> <MYREALM> = {
>>>> kdc = host1.<mydomain>:88
>>>> kdc = host2.<mydomain>:88
>>>> kdc = host3.<mydomain>:88
>>>> master_kdc = host2.<mydomain>:88
>>>> admin_server = host2.<mydomain>:749
>>>> default_domain = <mydomain>
>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>> }
>>>>
>>>> [domain_realm]
>>>> .<mydomain> = <MYREALM>
>>>> <mydomain> = <MYREALM>
>>>> .<myrealm> = <MYREALM>
>>>> <myrealm> = <MYREALM>
>>>> ###
>>>>
>>>> host1 is a physical machine;
>>>> host2 and host3 are VMs.
>>>>
>>>> So I have some questions :
>>>> Q1 - Does it make sense to put the master_kdc and admin_server lines on
>>>> host2, which is a VM, instead of host1, which is a physical machine?
>>>>
>>> According to the manual page of 'krb5.conf',
>>> -------
>>> master_kdc:
>>> Identifies the master KDC(s). Currently, this tag is used in only
>>> one case: If an attempt to get credentials fails because of an invalid
>>> password, the client software will attempt to contact the master KDC, in
>>> case the user's password has just been changed, and the updated database
>>> has not been propagated to the slave servers yet.
>>> -------
>>>
>>> 'admin_kdc' is what kadmin is using, so it is irrelevant for day-to-day
>>> actions in IPA.
>>>
>>>
>>>> Q2 - When I try to connect to the UI of host1, I can enter my
>>>> login/password and it works. When I try to connect to the UI of host2, I
>>>> have an error message saying my password is incorrect. When I try to
>>>> connect to the UI of host3, it works. Does it mean host1 and host3 are
>>>> synchronized but host2 is not?
>>>>
>>> Most likely, yes.
>>>
>>>
>>>> Q3. Do the last two lines make sense? I mean, what is the exact usage of
>>>> the paragraph [domain_realm]? Does it mean: if I try to connect to a
>>>> server with the domain listed in this list, then I will try to contact
>>>> the realm associated?
>>>>
>>> Since you disabled DNS discovery of the realm based on the DNS domain, the
>>> Kerberos library will perform some logic to find out which realm
>>> corresponds to the domain. The domain_realm section helps here.
>>>
>>> The krb5.conf manual page has a clear explanation of how the section is
>>> designed to work.
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
> --
> / Alexander Bokovoy
>
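The two questions in the thread, which KDC a client will talk to first and how [domain_realm] turns a hostname into a realm, can be checked offline against a krb5.conf before reaching for KRB5_TRACE. The following is an added example, not code from the thread, FreeIPA or MIT krb5. It embeds a constructed copy of the posted krb5.conf with placeholder names (EXAMPLE.TEST / example.test are assumptions, and the '=' missing from the posted default_domain line is supplied), parses it with a minimal parser, reports the kdc and master_kdc order for the realm, and implements the [domain_realm] lookup order described in the krb5.conf(5) manual page: the full hostname first, then each parent domain with a leading dot before the bare domain name. Lowercasing of the names and the helper names (parse_krb5_conf, kdc_search_order, realm_for_host) are choices of this example.

```python
import re

# Constructed copy of the krb5.conf posted in the thread; EXAMPLE.TEST and
# example.test are placeholder names, and the '=' missing from the posted
# default_domain line is supplied.
SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = EXAMPLE.TEST
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLE.TEST = {
kdc = host1.example.test:88
kdc = host2.example.test:88
kdc = host3.example.test:88
master_kdc = host2.example.test:88
admin_server = host2.example.test:749
default_domain = example.test
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.example.test = EXAMPLE.TEST
example.test = EXAMPLE.TEST
"""

_SECTION_RE = re.compile(r'^\[(\S+)\]$')
_RELATION_RE = re.compile(r'^(\S+?)\s*=\s*(.*)$')


def parse_krb5_conf(text):
    """Minimal krb5.conf parser -> {section: {tag: [values] or nested dict}}.
    Repeated tags (kdc) keep file order because the library tries them in that
    order; include/includedir lines are skipped so this runs offline; a relation
    without '=' raises ValueError, as MIT's profile parser rejects such a line."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.split(None, 1)[0] in ('include', 'includedir'):
            continue
        m = _SECTION_RE.match(line)
        if m:                                   # [section] header
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError('relation outside any section: %r' % raw)
        if line == '}':                         # end of a 'name = {' block
            stack.pop()
            continue
        m = _RELATION_RE.match(line)
        if not m:
            raise ValueError('malformed relation, missing "="?: %r' % raw)
        tag, value = m.group(1), m.group(2).strip()
        if value == '{':                        # nested block, e.g. a realm
            stack[-1][tag] = {}
            stack.append(stack[-1][tag])
        else:
            stack[-1].setdefault(tag, []).append(value)
    return conf


def is_valid_krb5_conf(text):
    try:
        parse_krb5_conf(text)
        return True
    except ValueError:
        return False


def kdc_search_order(conf, realm):
    """(kdc list, master_kdc list) for a realm, in file order. With
    dns_lookup_kdc = false the kdc list is the whole search order, so the first
    reachable entry is the one kinit talks to; master_kdc is only contacted
    after a KDC rejects the password, in case a change has not replicated."""
    block = conf['realms'][realm]
    return list(block.get('kdc', [])), list(block.get('master_kdc', []))


def realm_for_host(conf, hostname):
    """Map a hostname to a realm through [domain_realm], in the order given by
    krb5.conf(5): full hostname, then each parent domain with a leading dot
    (hosts under it) before the bare name (the domain itself, and hosts under it
    not caught earlier). Lowercasing is an assumption of this example. None means
    no entry applies; the library would then try a KDC referral and finally
    upper-case the hostname's domain part."""
    host = hostname.rstrip('.').lower()
    mapping = {k.lower(): v[0] for k, v in conf.get('domain_realm', {}).items()}
    candidates = [host]
    dot = host.find('.')
    while dot != -1:
        candidates += [host[dot:], host[dot + 1:]]   # '.example.test', 'example.test'
        dot = host.find('.', dot + 1)
    for name in candidates:
        if name in mapping:
            return mapping[name]
    return None
```

Running `kdc_search_order(parse_krb5_conf(SAMPLE_KRB5_CONF), 'EXAMPLE.TEST')` returns host1, host2, host3 in that order with host2 as the master_kdc fallback, and `realm_for_host` maps `db.example.test` and `example.test` to EXAMPLE.TEST while an unlisted domain returns None. The parser deliberately does not follow includedir, so the SSSD-generated snippets under /var/lib/sss/pubconf/krb5.include.d/ are not seen; for the server a real kinit actually contacts, the KRB5_TRACE=/dev/stderr run from the thread remains the authoritative check.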