[Freeipa-users] IPA server failover

Petr Spacek pspacek at redhat.com
Thu Sep 24 13:50:03 UTC 2015


On 24.9.2015 15:29, Alexander Bokovoy wrote:
> On Thu, 24 Sep 2015, Andy Thompson wrote:
>>> -----Original Message-----
>>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>>> Sent: Thursday, September 24, 2015 1:17 AM
>>> To: Andy Thompson <Andy.Thompson at e-tcc.com>
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] IPA server failover
>>>
>>> On Wed, 23 Sep 2015, Andy Thompson wrote:
>>> >I've got all of my environments set up with two IPA servers. I'm
>>> >fighting intermittent problems with krb5kdc crashing on them in all of
>>> >my environments and I've opened a ticket with Red Hat on that. What I
>>> >can't figure out though is why the clients will not fail over to the
>>> >second functioning server in the domain.
>>> >
>>> >My sssd.conf files are all pretty generic from the install with minimal
>>> >modification to add a couple settings.
>>> >
>>> >[domain/mhbe.lin]
>>> >
>>> >cache_credentials = True
>>> >krb5_store_password_if_offline = True
>>> >ipa_domain = mhbe.lin
>>> >id_provider = ipa
>>> >auth_provider = ipa
>>> >access_provider = ipa
>>> >ipa_hostname = mdhixproddb01.mhbe.lin
>>> >chpass_provider = ipa
>>> >ipa_server = _srv_, mdhixprodipa01.mhbe.lin
>>> >ldap_tls_cacert = /etc/ipa/ca.crt
>>> >
>>> >[sssd]
>>> >default_domain_suffix = mhbe.local
>>> >services = nss, sudo, pam, ssh
>>> >config_file_version = 2
>>> >
>>> >domains = mhbe.lin
>>> >[nss]
>>> >default_shell = /bin/bash
>>> >homedir_substring = /home
>>> >debug_level = 7
>>> >[pam]
>>> >
>>> >[sudo]
>>> >
>>> >[autofs]
>>> >
>>> >[ssh]
>>> >
>>> >[pac]
>>> >
>>> >[ifp]
>>> >
>>> >I thought the _srv_ would force it to use DNS, and both servers are
>>> >round-robined when digging the _kerberos records from DNS. So I don't
>>> >understand why it's not working.
>>> ipa_server is for SSSD tasks using the LDAP server. Kerberos libraries use
>>> /etc/krb5.conf for hints on where to find KDCs.
>>>
>>> A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing 'kdc = '
>>> for specific realm would cause Kerberos clients to do DNS discovery using
>>> SRV records.
>>>
>>
>> Here are the contents of my krb conf with everything set to lookup and it
>> doesn't appear to be working.
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>>  default_realm = MHBE.LIN
>>  dns_lookup_realm = true
>>  dns_lookup_kdc = true
>>  rdns = false
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>  udp_preference_limit = 0
>>
>>
>> [realms]
>>  MHBE.LIN = {
>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>
>>  }
>>
>>
>> [domain_realm]
>>  .mhbe.lin = MHBE.LIN
>>  mhbe.lin = MHBE.LIN
> I bet you have SSSD supplying you KDC info in
> /var/lib/sss/pubconf/kdcinfo.MHBE.LIN via
> /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
> 
> You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
> see details in sssd-krb5(5).

Also, I would recommend that you check the SRV records in DNS:

$ dig _kerberos._udp.mhbe.lin SRV

It should list both servers (with non-zero priority).

-- 
Petr^2 Spacek
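As an added example (not code from this thread, from SSSD or from MIT Kerberos), the following script parses an sssd.conf and a krb5.conf and reports which mechanism ends up choosing the KDC on a client: the SSSD locator plugin reading kdcinfo.REALM, hardcoded `kdc =` entries, or libkrb5's own `_kerberos` SRV lookup. It encodes the order MIT libkrb5 uses (locate_kdc plugins first, then krb5.conf entries, then DNS only when no kdc entry is configured) and the sssd-krb5(5) default of `krb5_use_kdcinfo = true`. The embedded sample configs are constructed, modelled on the ones posted above; file contents are passed in as strings so it runs offline.

```python
"""Report how a Kerberos client picks its KDC: SSSD's kdcinfo locator plugin,
hardcoded kdc entries, or libkrb5's own SRV lookup. Sample configs are constructed."""
import configparser

KDCINFO_DIR = "/var/lib/sss/pubconf"  # sssd writes kdcinfo.REALM here (sssd-krb5(5))

SAMPLE_SSSD_CONF = """\
[domain/mhbe.lin]
id_provider = ipa
auth_provider = ipa
ipa_domain = mhbe.lin
ipa_server = _srv_, mdhixprodipa01.mhbe.lin

[sssd]
services = nss, sudo, pam, ssh
domains = mhbe.lin
"""

SAMPLE_KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MHBE.LIN
 dns_lookup_kdc = true

[realms]
 MHBE.LIN = {
   pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style, so configparser reads it directly."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section], key = value and REALM = { ... } blocks.
    Repeated keys (several 'kdc =' lines) are kept as lists."""
    conf, includes, section, block = {}, [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("includedir ", "include ")):
            includes.append(line.split(None, 1)[1])
        elif line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":                      # opens a REALM = { ... } block
                block = key
                conf[section].setdefault(key, {})
            else:
                target = conf[section][block] if block else conf[section]
                target.setdefault(key, []).append(value)
    return conf, includes


def kdc_discovery_report(sssd_text, krb5_text, sssd_domain, realm):
    """Collect the settings that decide KDC selection and a one-line verdict."""
    dom = parse_sssd_conf(sssd_text)[f"domain/{sssd_domain}"]
    krb5, _includes = parse_krb5_conf(krb5_text)
    servers = [s.strip() for s in dom.get("ipa_server", "").split(",") if s.strip()]
    lookup = krb5.get("libdefaults", {}).get("dns_lookup_kdc", ["false"])[-1]
    report = {
        "sssd_uses_srv": any(s.lower() == "_srv_" for s in servers),
        "sssd_explicit_servers": [s for s in servers if s.lower() != "_srv_"],
        "kdcinfo_enabled": dom.getboolean("krb5_use_kdcinfo", fallback=True),  # default true
        "dns_lookup_kdc": lookup.lower() in ("true", "yes", "1"),
        "explicit_kdcs": krb5.get("realms", {}).get(realm, {}).get("kdc", []),
    }
    # libkrb5 order: locate_kdc plugins, then kdc entries from krb5.conf, then DNS.
    if report["kdcinfo_enabled"]:
        verdict = f"SSSD locator plugin answers first, from {KDCINFO_DIR}/kdcinfo.{realm} when present"
    elif report["explicit_kdcs"]:
        verdict = "only the hardcoded kdc entries in krb5.conf are used"
    elif report["dns_lookup_kdc"]:
        verdict = "libkrb5 discovers KDCs itself via _kerberos SRV records"
    else:
        verdict = "no kdcinfo, no kdc entries and dns_lookup_kdc off: lookup will fail"
    report["verdict"] = verdict
    return report


if __name__ == "__main__":
    for key, value in kdc_discovery_report(SAMPLE_SSSD_CONF, SAMPLE_KRB5_CONF, "mhbe.lin", "MHBE.LIN").items():
        print(f"{key:22} {value}")
```

Run against the sample configs it reports that `_srv_` is in ipa_server and `dns_lookup_kdc` is on, yet the verdict is still the locator plugin: with `krb5_use_kdcinfo` unset, libkrb5 is handed whichever server SSSD last wrote to kdcinfo.MHBE.LIN before it ever looks at krb5.conf or DNS. Adding `krb5_use_kdcinfo = false` to the domain section flips the verdict to SRV discovery; adding `kdc =` lines to the realm block pins it to those hosts regardless of `dns_lookup_kdc`.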