[Freeipa-users] IPA server failover
Alexander Bokovoy
abokovoy at redhat.com
Thu Sep 24 05:17:26 UTC 2015
On Wed, 23 Sep 2015, Andy Thompson wrote:
>I've got all of my environments setup with two IPA servers. I'm
>fighting intermittent problems with krb5kdc crashing on them in all of
>my environments and I've opened a ticket with Redhat on that. What I
>can't figure out though is why the clients will not fail over to the
>second functioning server in the domain
>
>My sssd.conf files are all pretty generic from the install with minimal
>modification to add a couple settings.
>
>[domain/mhbe.lin]
>
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = mhbe.lin
>id_provider = ipa
>auth_provider = ipa
>access_provider = ipa
>ipa_hostname = mdhixproddb01.mhbe.lin
>chpass_provider = ipa
>ipa_server = _srv_, mdhixprodipa01.mhbe.lin
>ldap_tls_cacert = /etc/ipa/ca.crt
>[sssd]
>default_domain_suffix = mhbe.local
>services = nss, sudo, pam, ssh
>config_file_version = 2
>
>domains = mhbe.lin
>[nss]
>default_shell = /bin/bash
>homedir_substring = /home
>debug_level = 7
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>[pac]
>
>[ifp]
>
>I thought the _srv_ would force it to use dns and both servers are
>round robined when digging the _kerberos records from DNS. So I don't
>understand why it's not working
ipa_server is for SSSD tasks using LDAP server. Kerberos libraries are
using /etc/krb5.conf for hints where to find KDCs.
A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing
'kdc = ' for specific realm would cause Kerberos clients to do DNS
discovery using SRV records.
If multiple 'kdc = ...' values are specified in the realm definition,
Kerberos clients will fall over to the next one in the list in case of a
failure.
When ipa-client-install is run, we configure krb5.conf without explicit
KDCs if DNS discovery of Kerberos was successful which should take care
of SRV record-based discovery of KDCs.
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list