[Freeipa-users] IPA server failover

Petr Spacek pspacek at redhat.com
Fri Sep 25 08:27:31 UTC 2015


On 24.9.2015 16:16, Andy Thompson wrote:
> 
> 
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>> bounces at redhat.com] On Behalf Of Petr Spacek
>> Sent: Thursday, September 24, 2015 9:50 AM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] IPA server failover
>>
>> On 24.9.2015 15:29, Alexander Bokovoy wrote:
>>> On Thu, 24 Sep 2015, Andy Thompson wrote:
>>>>> -----Original Message-----
>>>>> From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
>>>>> Sent: Thursday, September 24, 2015 1:17 AM
>>>>> To: Andy Thompson <Andy.Thompson at e-tcc.com>
>>>>> Cc: freeipa-users at redhat.com
>>>>> Subject: Re: [Freeipa-users] IPA server failover
>>>>>
>>>>> On Wed, 23 Sep 2015, Andy Thompson wrote:
>>>>>> I've got all of my environments setup with two IPA servers.  I'm
>>>>>> fighting intermittent problems with krb5kdc crashing on them in all
>>>>>> of my environments and I've opened a ticket with Redhat on that.
>>>>>> What I can't figure out though is why the clients will not fail
>>>>>> over to the second functioning server in the domain
>>>>>>
>>>>>> My sssd.conf files are all pretty generic from the install with
>>>>>> minimal modification to add a couple settings.
>>>>>>
>>>>>> [domain/mhbe.lin]
>>>>>>
>>>>>> cache_credentials = True
>>>>>> krb5_store_password_if_offline = True
>>>>>> ipa_domain = mhbe.lin
>>>>>> id_provider = ipa
>>>>>> auth_provider = ipa
>>>>>> access_provider = ipa
>>>>>> ipa_hostname = mdhixproddb01.mhbe.lin
>>>>>> chpass_provider = ipa
>>>>>> ipa_server = _srv_, mdhixprodipa01.mhbe.lin
>>>>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>>>>>
>>>>>> [sssd]
>>>>>> default_domain_suffix = mhbe.local
>>>>>> services = nss, sudo, pam, ssh
>>>>>> config_file_version = 2
>>>>>> domains = mhbe.lin
>>>>>> [nss]
>>>>>> default_shell = /bin/bash
>>>>>> homedir_substring = /home
>>>>>> debug_level = 7
>>>>>> [pam]
>>>>>>
>>>>>> [sudo]
>>>>>>
>>>>>> [autofs]
>>>>>>
>>>>>> [ssh]
>>>>>>
>>>>>> [pac]
>>>>>>
>>>>>> [ifp]
>>>>>>
>>>>>> I thought the _srv_  would force it to use dns and both servers are
>>>>>> round robined when digging the _kerberos records from DNS.  So I
>>>>>> don't understand why it's not working
>>>>> ipa_server is for SSSD tasks using LDAP server. Kerberos libraries
>>>>> are using /etc/krb5.conf for hints where to find KDCs.
>>>>>
>>>>> A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing
>>>>> 'kdc = ' for specific realm would cause Kerberos clients to do DNS discovery
>>>>> using SRV records.
>>>>>
>>>>
>>>> Here are the contents of my krb conf with everything set to lookup
>>>> and it doesn't appear to be working.
>>>>
>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>
>>>> [libdefaults]
>>>>  default_realm = MHBE.LIN
>>>>  dns_lookup_realm = true
>>>>  dns_lookup_kdc = true
>>>>  rdns = false
>>>>  ticket_lifetime = 24h
>>>>  forwardable = yes
>>>>  udp_preference_limit = 0
>>>>
>>>>
>>>> [realms]
>>>>  MHBE.LIN = {
>>>>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>
>>>>  }
>>>>
>>>>
>>>> [domain_realm]
>>>>  .mhbe.lin = MHBE.LIN
>>>>  mhbe.lin = MHBE.LIN
>>> I bet you have SSSD supplying you KDC info in
>>> /var/lib/sss/pubconf/kdcinfo.MHBE.LIN via
>>> /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
>>>
>>> You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
>>> see details in sssd-krb5(5).
>>
> 
> I will look into adding this setting.  Why is this not the default configuration by the client install?
> 
>> Also, I would recommend you to check SRV records in DNS:
>>
>> $ dig _kerberos._udp.mhbe.lin SRV
>>
>> It should list both servers (with non-zero priority).
>>
> 
> Ok both servers are in there but they have a zero priority.  Those are the default records added by the install.

Never mind, I got confused. Zero priority should not be an issue, because it
is the same as with MX records - smaller number means higher priority.

I.e. the DNS configuration sounds correct, I would continue with SSSD or krb5
libs debugging.

I hope this helps.

-- 
Petr^2 Spacek
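The two points the thread turns on (the SSSD locator plugin feeding libkrb5 a pinned KDC from kdcinfo.REALM ahead of any DNS lookup, and SRV priority 0 being the best priority rather than a disabled record) are easier to reason about with a small model of the lookup order. The following is an added example, not code from the thread, from SSSD or from MIT Kerberos: the SRV data and the kdcinfo contents are constructed, the server names are the ones from the poster's zone, and the three-step order in `kdc_candidates` (locator plugin, then `kdc =` entries, then SRV when `dns_lookup_kdc` is on) is a simplification stated as an assumption, not a transcription of libkrb5's source.

```python
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer section for `dig _kerberos._udp.mhbe.lin SRV`
# (not a capture from the poster's zone). Priority 0 on both records is
# what the IPA installer creates by default.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_kerberos._udp.mhbe.lin. 86400 IN SRV 0 100 88 mdhixprodipa01.mhbe.lin.
_kerberos._udp.mhbe.lin. 86400 IN SRV 0 100 88 mdhixprodipa02.mhbe.lin.
"""


def parse_srv(dig_output: str) -> list[SrvRecord]:
    """Pull SRV records out of dig's textual output; comment lines are skipped."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[2] != "IN" or fields[3] != "SRV":
            continue
        records.append(SrvRecord(int(fields[4]), int(fields[5]),
                                 int(fields[6]), fields[7].rstrip(".")))
    return records


def order_by_rfc2782(records, rng=None):
    """Order SRV targets the way a resolver should (RFC 2782): lowest priority
    value first; inside one priority, pick at random with probability
    proportional to weight. Priority 0 is therefore the *best* priority."""
    rng = rng or random.Random(0)   # seeded so the example is reproducible
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = group[0]
            else:
                n = rng.randrange(total)
                acc = 0
                for pick in group:
                    acc += pick.weight
                    if n < acc:
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def parse_kdcinfo(text: str) -> list[str]:
    """kdcinfo.REALM holds one KDC address per line (host or IP, optional :port)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def kdc_candidates(kdcinfo_text, srv_records, use_kdcinfo=True,
                   krb5_conf_kdcs=(), dns_lookup_kdc=True, rng=None):
    """Simplified model (an assumption of this example, not libkrb5 source)
    of the lookup order discussed in the thread:
      1. with krb5_use_kdcinfo enabled and kdcinfo.REALM present, the SSSD
         locator plugin answers and libkrb5 stops there: the client is
         pinned to whatever SSSD last wrote into that file;
      2. otherwise explicit 'kdc =' entries from the [realms] section;
      3. otherwise, if dns_lookup_kdc is true, the SRV records.
    """
    if use_kdcinfo:
        pinned = parse_kdcinfo(kdcinfo_text)
        if pinned:
            return pinned
    if krb5_conf_kdcs:
        return list(krb5_conf_kdcs)
    if dns_lookup_kdc:
        return [f"{r.target}:{r.port}"
                for r in order_by_rfc2782(srv_records, rng)]
    return []


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_DIG_OUTPUT)
    # Constructed kdcinfo content: SSSD has pinned the client to one server.
    kdcinfo = "mdhixprodipa01.mhbe.lin\n"
    print("krb5_use_kdcinfo = true :", kdc_candidates(kdcinfo, recs))
    print("krb5_use_kdcinfo = false:",
          kdc_candidates(kdcinfo, recs, use_kdcinfo=False))
```

On a real client the two inputs to compare are `cat /var/lib/sss/pubconf/kdcinfo.MHBE.LIN` and `dig _kerberos._udp.mhbe.lin SRV`: if the first names only the server whose krb5kdc has died, libkrb5 never gets to see the second. In normal operation SSSD rewrites kdcinfo when its own LDAP connection fails over, so the model above shows why a stale file pins the client, not whether that is what happened on the poster's hosts; that is what the SSSD and krb5 debugging suggested above would establish.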
