[Freeipa-users] confused about replica role and use
Karl Forner
karl.forner at gmail.com
Wed Dec 16 17:34:58 UTC 2015
> SSSD mostly manages discovery of servers, it is normally configure with
> the name _srv_ + an actual name as fallback.
> SSSD also feeds the information to kerberos libraries via a plugin.
ok, I have this line in my /etc/sssd/sssd.conf:
ipa_server = _srv_, ipa.example.com
How do I check the current ipa_servers picked up by sssd ?
How do the info is fed to kerberos libraries ?
Because I set up a replica, using the adelton docker, which seems to work
fine. I can use its DNS, access its web UI, the changes are dynamically
updated both ways.
So far so good.
But if suddenly stops the freeIPA master, and try a kdestroy then kinit on
my client, I get
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial
credentials
Looking at /etc/krb5.conf, I see hardcoded values:
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
EXAMPLE.COM = {
kdc = ipa.example.com:88
master_kdc = ipa.example.com:88
admin_server = ipa.example.com:749
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.EXAMPLE.com = EXAMPLE.COM
EXAMPLE.com = EXAMPLE.COM
the same for /etc/ipa/default.conf:
#File modified by ipa-client-install
[global]
basedn = dc=example,dc=com
realm = EXAMPLE.COM
domain = example.com
server = ipah.example.com
xmlrpc_uri = https://ipah.example.com/ipa/xml
enable_ra = True
Is this expected ?
Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20151216/e954d3c5/attachment.htm>
More information about the Freeipa-users
mailing list