[Freeipa-users] IPA server failover

Andy Thompson Andy.Thompson at e-tcc.com
Thu Sep 24 12:48:58 UTC 2015


> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
> Sent: Thursday, September 24, 2015 1:17 AM
> To: Andy Thompson <Andy.Thompson at e-tcc.com>
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA server failover
> 
> On Wed, 23 Sep 2015, Andy Thompson wrote:
> >I've got all of my environments set up with two IPA servers.  I'm
> >fighting intermittent problems with krb5kdc crashing on them in all of
> >my environments and I've opened a ticket with Redhat on that.  What I
> >can't figure out though is why the clients will not fail over to the
> >second functioning server in the domain.
> >
> >My sssd.conf files are all pretty generic from the install with minimal
> >modification to add a couple settings.
> >
> >[domain/mhbe.lin]
> >
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = mhbe.lin
> >id_provider = ipa
> >auth_provider = ipa
> >access_provider = ipa
> >ipa_hostname = mdhixproddb01.mhbe.lin
> >chpass_provider = ipa
> >ipa_server = _srv_, mdhixprodipa01.mhbe.lin
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >
> >[sssd]
> >default_domain_suffix = mhbe.local
> >services = nss, sudo, pam, ssh
> >config_file_version = 2
> >
> >domains = mhbe.lin
> >[nss]
> >default_shell = /bin/bash
> >homedir_substring = /home
> >debug_level = 7
> >[pam]
> >
> >[sudo]
> >
> >[autofs]
> >
> >[ssh]
> >
> >[pac]
> >
> >[ifp]
> >
> >I thought the _srv_ would force it to use DNS, and both servers are
> >round-robined when digging the _kerberos records from DNS.  So I don't
> >understand why it's not working.
> ipa_server is for SSSD tasks using the LDAP server. Kerberos libraries use
> /etc/krb5.conf for hints on where to find KDCs.
> 
> A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing 'kdc = '
> for specific realm would cause Kerberos clients to do DNS discovery using
> SRV records.
> 

Here are the contents of my krb conf with everything set to lookup and it doesn't appear to be working.

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = MHBE.LIN
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0


[realms]
  MHBE.LIN = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt

  }


[domain_realm]
  .mhbe.lin = MHBE.LIN
  mhbe.lin = MHBE.LIN



> If multiple 'kdc = ...' values are specified in the realm definition, Kerberos
> clients will fail over to the next one in the list in case of a failure.
> 
> When ipa-client-install is run, we configure krb5.conf without explicit KDCs if
> DNS discovery of Kerberos was successful which should take care of SRV
> record-based discovery of KDCs.
> --
> / Alexander Bokovoy
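As an added diagnostic, not code from this thread or from the FreeIPA project, the script below parses a krb5.conf and applies the rule Alexander describes: explicit `kdc =` entries in the realm stanza give a static failover list, otherwise `dns_lookup_kdc` decides whether SRV discovery is used. The sample config is a constructed copy of the one posted above; files pulled in by `includedir` are recorded but not followed.

```python
# Constructed sample: the krb5.conf posted in the thread. Its [realms]
# stanza has no "kdc =" lines, so KDC lookup falls through to DNS SRV.
SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = MHBE.LIN
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false

[realms]
  MHBE.LIN = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mhbe.lin = MHBE.LIN
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: [values]}} with each
    'REALM = { ... }' block nested as its own dict. include/includedir
    lines are kept under '_includes' but their files are not read."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("include"):
            conf.setdefault("_includes", []).append(line)
        elif line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif section is None:
            continue                          # stray key before any section
        elif line.endswith("{"):              # start of a realm block
            block = line[:-1].split("=")[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:                     # repeated keys (kdc = ...) collect
            key, value = (s.strip() for s in line.split("=", 1))
            target = conf[section][block] if block else conf[section]
            target.setdefault(key, []).append(value)
    return conf

def kdc_lookup_mode(conf, realm):
    """('static', [kdcs]) when the realm lists KDCs to fail over through,
    ('dns', None) when libkrb5 will use SRV records, ('none', None) otherwise."""
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs:
        return ("static", kdcs)
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    return ("dns", None) if flag.lower() in ("true", "yes", "1") else ("none", None)
```

Run it against the real file with `kdc_lookup_mode(parse_krb5_conf(open("/etc/krb5.conf").read()), "MHBE.LIN")`; a `('dns', None)` result means the next thing to check is the `_kerberos._udp` / `_kerberos._tcp` SRV answers the client actually receives.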
