[Freeipa-users] IPA server failover

Alexander Bokovoy abokovoy at redhat.com
Thu Sep 24 13:29:09 UTC 2015


On Thu, 24 Sep 2015, Andy Thompson wrote:
>> -----Original Message-----
>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>> Sent: Thursday, September 24, 2015 1:17 AM
>> To: Andy Thompson <Andy.Thompson at e-tcc.com>
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] IPA server failover
>>
>> On Wed, 23 Sep 2015, Andy Thompson wrote:
>> >I've got all of my environments setup with two IPA servers.  I'm
>> >fighting intermittent problems with krb5kdc crashing on them in all of
>> >my environments and I've opened a ticket with Redhat on that.  What I
>> >can't figure out though is why the clients will not fail over to the
>> >second functioning server in the domain
>> >
>> >My sssd.conf files are all pretty generic from the install with minimal
>> >modification to add a couple settings.
>> >
>> >[domain/mhbe.lin]
>> >
>> >cache_credentials = True
>> >krb5_store_password_if_offline = True
>> >ipa_domain = mhbe.lin
>> >id_provider = ipa
>> >auth_provider = ipa
>> >access_provider = ipa
>> >ipa_hostname = mdhixproddb01.mhbe.lin
>> >chpass_provider = ipa
>> >ipa_server = _srv_, mdhixprodipa01.mhbe.lin
>> >ldap_tls_cacert = /etc/ipa/ca.crt
>> >
>> >[sssd]
>> >default_domain_suffix = mhbe.local
>> >services = nss, sudo, pam, ssh
>> >config_file_version = 2
>> >
>> >domains = mhbe.lin
>> >[nss]
>> >default_shell = /bin/bash
>> >homedir_substring = /home
>> >debug_level = 7
>> >[pam]
>> >
>> >[sudo]
>> >
>> >[autofs]
>> >
>> >[ssh]
>> >
>> >[pac]
>> >
>> >[ifp]
>> >
>> >I thought the _srv_  would force it to use dns and both servers are
>> >round robined when digging the _kerberos records from DNS.  So I don't
>> >understand why it's not working
>> ipa_server is for SSSD tasks using the LDAP server. Kerberos libraries use
>> /etc/krb5.conf for hints on where to find KDCs.
>>
>> A combination of 'dns_lookup_kdc = true' in [libdefaults] and a missing 'kdc = '
>> for the specific realm would cause Kerberos clients to do DNS discovery using
>> SRV records.
>>
>
>Here are the contents of my krb conf with everything set to lookup and it doesn't appear to be working.
>
>includedir /var/lib/sss/pubconf/krb5.include.d/
>
>[libdefaults]
>  default_realm = MHBE.LIN
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>  udp_preference_limit = 0
>
>
>[realms]
>  MHBE.LIN = {
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>
>  }
>
>
>[domain_realm]
>  .mhbe.lin = MHBE.LIN
>  mhbe.lin = MHBE.LIN
I bet you have SSSD supplying you KDC info in
/var/lib/sss/pubconf/kdcinfo.MHBE.LIN via
/usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so

You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
see details in sssd-krb5(5).
-- 
/ Alexander Bokovoy
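An added example, not code from this thread, SSSD or FreeIPA, that audits the situation described above: libkrb5 asks KDC locator plugins first, then static 'kdc =' entries in [realms], and only then DNS SRV records, so with SSSD's default krb5_use_kdcinfo = true the answer comes from /var/lib/sss/pubconf/kdcinfo.<REALM> and the dns_lookup_kdc setting in krb5.conf never gets a say. The sssd.conf and krb5.conf text below is constructed from the values posted in the thread; the kdcinfo sample (one KDC address per line, optionally with a port) and the simplified krb5.conf parser are assumptions made for the example.

```python
"""Audit which mechanism a Kerberos client on an IPA-enrolled host will use
to locate its KDCs: SSSD's kdcinfo file, static kdc= entries, or DNS SRV.
Example code, not part of SSSD or FreeIPA; sample inputs are constructed."""
import configparser
import io
import re

# Constructed sample: the domain section as posted, without
# krb5_use_kdcinfo, so SSSD's default (true) applies.
SSSD_CONF = """\
[domain/mhbe.lin]
cache_credentials = True
ipa_domain = mhbe.lin
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, mdhixprodipa01.mhbe.lin

[sssd]
services = nss, sudo, pam, ssh
domains = mhbe.lin
"""

KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = MHBE.LIN
  dns_lookup_kdc = true

[realms]
  MHBE.LIN = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mhbe.lin = MHBE.LIN
"""

# Constructed sample of a kdcinfo file: one address per line, optional port
# (assumed format for this example; addresses are documentation ranges).
KDCINFO = "192.0.2.10\n[2001:db8::10]:88\n"

TRUE_WORDS = {"true", "yes", "1", "on"}


def is_true(value, default):
    return default if value is None else value.strip().lower() in TRUE_WORDS


def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: flat sections plus nested realm blocks in
    [realms]. Repeated keys (several 'kdc =' lines) are kept as lists."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir") or (section is None and not line.startswith("[")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            sections.setdefault(section, {})
            continue
        m = re.match(r"([\w.\-]+)\s*=\s*\{$", line)
        if m and section == "realms":
            realm = m.group(1)
            sections[section].setdefault(realm, {})
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = line.partition("=")
        target = sections[section][realm] if realm else sections[section]
        target.setdefault(key.strip(), []).append(value.strip())
    return sections


def parse_kdcinfo(text):
    """Return (host, port) pairs; port None means the Kerberos default."""
    kdcs = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"^\[(.+)\]:(\d+)$", line) or re.match(r"^([^:\[\]]+):(\d+)$", line)
        kdcs.append((m.group(1), int(m.group(2))) if m else (line.strip("[]"), None))
    return kdcs


def kdc_discovery(sssd_text, krb5_text, domain, realm, kdcinfo_text=None):
    """Report which source supplies the KDC list, in libkrb5's order:
    locator plugin (SSSD kdcinfo), then static kdc=, then DNS SRV."""
    dom = parse_sssd_conf(sssd_text)[f"domain/{domain}"]
    krb5 = parse_krb5_conf(krb5_text)
    if is_true(dom.get("krb5_use_kdcinfo"), default=True) and kdcinfo_text is not None:
        return ("sssd_kdcinfo", parse_kdcinfo(kdcinfo_text))
    realm_cfg = krb5.get("realms", {}).get(realm, {})
    if realm_cfg.get("kdc"):
        return ("static", realm_cfg["kdc"])
    if is_true(krb5.get("libdefaults", {}).get("dns_lookup_kdc", [None])[0], default=True):
        return ("dns_srv", [f"_kerberos._udp.{realm.lower()}", f"_kerberos._tcp.{realm.lower()}"])
    return ("none", [])


def disable_kdcinfo(sssd_text, domain):
    """Return sssd.conf text with krb5_use_kdcinfo = false in the domain section."""
    cp = parse_sssd_conf(sssd_text)
    cp.set(f"domain/{domain}", "krb5_use_kdcinfo", "false")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("as posted:", kdc_discovery(SSSD_CONF, KRB5_CONF, "mhbe.lin", "MHBE.LIN", KDCINFO))
    fixed = disable_kdcinfo(SSSD_CONF, "mhbe.lin")
    print("with krb5_use_kdcinfo = false:", kdc_discovery(fixed, KRB5_CONF, "mhbe.lin", "MHBE.LIN", KDCINFO))
```

The first call reports the KDC list pinned by the kdcinfo file; the second, after the change suggested in the reply, reports the DNS SRV names that dns_lookup_kdc = true will query, which is what the original poster expected to happen. Before relying on that path, confirm the SRV records actually resolve from the client (dig SRV _kerberos._udp.mhbe.lin) and check sssd-krb5(5) for what else the option affects on your SSSD version.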