[Freeipa-users] Concerning the krb5.conf

bahan w bahanw042014 at gmail.com
Tue Aug 11 06:50:19 UTC 2015


Wow, thank you Alexander for this information!

Best regards.

Gwenael Le Barzic
On 11 Aug 2015 08:45, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:

> On Mon, 10 Aug 2015, bahan w wrote:
>
>> Hello.
>>
>> I don't know if you receive my previous mail, but thank you for your
>> answer.
>>
>> I have two additional questions then:
>> - Concerning the master_kdc line, is it better to put here the physical
>> machine or even to remove it if it is optional ?
>>
> I don't think it ever matters as it is only used for fallback reasons.
>
>> - Do you know how I can check which one of these three servers is currently
>> used per server with this krb5.conf ? I need to check how I can
>> resynchronize the last server.
>>
> set KRB5_TRACE=/dev/stderr in the execution environment and all
> Kerberos code will start explaining what it does.
>
> For example,
>  KRB5_TRACE=/dev/stderr kinit
> will show which server kinit will contact.
>
>
>> Best regards.
>>
>> Bahan
>>
>> On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy <abokovoy at redhat.com>
>> wrote:
>>
>> On Fri, 07 Aug 2015, bahan w wrote:
>>>
>>> Hello !
>>>>
>>>> We are using freeipa version 3 and we are encountering a problem in our
>>>> environment.
>>>> We have one master kdc and two replicas.
>>>>
>>>> On the different linux servers on our environment, we have the following
>>>> krb5.conf (I modified the hostname for NDA) :
>>>>
>>>> ###
>>>> #File modified by ipa-client-install
>>>>
>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>
>>>> [libdefaults]
>>>> default_realm = <MYREALM>
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = false
>>>>  rdns = false
>>>>  ticket_lifetime = 24h
>>>>  forwardable = yes
>>>>
>>>> [realms]
>>>>  <MYREALM> = {
>>>>    kdc = host1.<mydomain>:88
>>>>    kdc = host2.<mydomain>:88
>>>>    kdc = host3.<mydomain>:88
>>>>    master_kdc = host2.<mydomain>:88
>>>>    admin_server = host2.<mydomain>:749
>>>>    default_domain = <mydomain>
>>>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>  }
>>>>
>>>> [domain_realm]
>>>>  .<mydomain> = <MYREALM>
>>>>  <mydomain> = <MYREALM>
>>>>  .<myrealm> = <MYREALM>
>>>>  <myrealm> = <MYREALM>
>>>> ###
>>>>
>>>> host1 is a physical machine
>>>> host2 and host3 are VM.
>>>>
>>>> So I have some questions :
>>>> Q1 - Does it make sense to put the line master_kdc and admin_server to
>>>> the
>>>> host2, which is a VM instead of the host1 which is a physical machine ?
>>>>
>>> According to the manual page of 'krb5.conf',
>>> -------
>>> master_kdc:
>>> Identifies  the  master  KDC(s). Currently, this tag is used in only
>>> one case: If an attempt to get credentials fails because of an invalid
>>> password, the client software will attempt to contact the master KDC, in
>>> case the user's password has just been changed, and the updated database
>>> has not been propagated to the slave servers yet.
>>> -------
>>>
>>> 'admin_kdc' is what kadmin is using, so it is irrelevant for day to day
>>> actions in IPA.
>>>
>>>
>>>> Q2 - When I try to connect to the UI of host1, I can enter my
>>>>
>>>> login/password and it works. When I try to connect to the UI of host2, I
>>>> have an error message saying my password is incorrect. When I try to
>>>> connect to the UI of host3, it works. Does it mean host1 and host3 are
>>>> synchronized but host2 is not ?
>>>>
>>> Most likely, yes.
>>>
>>>
>>>> Q3. Do the last two lines make sense? I mean, what is the exact usage
>>>> of
>>>>
>>>> the paragraph [domain_realm] ? Does it mean : if I try to connect to a
>>>> server with the domain listed in this list, then I will try to contact
>>>> the
>>>> realm associated ?
>>>>
>>> Since you disabled DNS discovery of the realm based on the DNS domain,
>>> the Kerberos library will perform some logic to find out which realm
>>> corresponds to the domain. The domain_realm section helps here.
>>>
>>> The krb5.conf manual page has a clear explanation of how the section is
>>> designed to work.
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
>
>
> --
> / Alexander Bokovoy
>
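Added example, not code from the thread or from FreeIPA: a small script that walks a [domain_realm] section the way the krb5 library does (hostname first, then each parent domain with and without its leading dot) and lists the KDCs the client will try in configured order. The config text is a constructed copy of the one posted above; EXAMPLE.TEST and example.test are hypothetical names standing in for <MYREALM> and <mydomain>.

```python
# Constructed copy of the posted krb5.conf with hypothetical names
# (EXAMPLE.TEST / example.test); not the thread author's real file.
# Only the sections needed for the realm/KDC lookup are kept.
KRB5_CONF = """\
[realms]
 EXAMPLE.TEST = {
   kdc = host1.example.test:88
   kdc = host2.example.test:88
   kdc = host3.example.test:88
   master_kdc = host2.example.test:88
 }
[domain_realm]
 .example.test = EXAMPLE.TEST
 example.test = EXAMPLE.TEST
"""

def parse_krb5_conf(text):
    """Minimal parser: {section: {key: [values]}}, realm blocks nested one level."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if line.startswith("["):
            section, block = line.strip("[]"), None
            conf[section] = {}
        elif line.endswith("{"):               # "REALM = {" opens a sub-block
            block = line[:-1].strip(" =")
            conf[section][block] = {}
        elif line == "}":
            block = None
        else:                                  # repeated keys (kdc = ...) keep order
            key, _, val = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target.setdefault(key.strip(), []).append(val.strip())
    return conf

def host_realm(conf, host):
    """a.b.c -> try a.b.c, .b.c, b.c, .c, c; None if nothing matches (libkrb5 then falls back)."""
    mapping, cp = conf.get("domain_realm", {}), host.lower()
    while cp:
        if cp in mapping:
            return mapping[cp][0]
        cp = cp[1:] if cp.startswith(".") else cp[cp.find("."):] if "." in cp else ""
    return None

def kdcs_for(conf, realm):
    """KDCs in the order the client tries them when dns_lookup_kdc = false."""
    return conf["realms"][realm]["kdc"]
```

Running `KRB5_TRACE=/dev/stderr kinit` as suggested above will show the same KDC order being contacted by the real library.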