[Freeipa-users] how to force switch to another kdc

Karl Forner karl.forner at gmail.com
Tue Jan 5 18:22:57 UTC 2016 

update:

modifying the /etc/krb5.conf, and replacing the name of my freeipa master
by the replica fixes the problem.
So that proves that the kdc is not picked up by discovery.

The problem is that my ubuntu box was enrolled using the ipa-client-install
script, and so should be properly configured.

Did I miss any critical option ?
What should the /etc/krb5.conf be like ?

Thanks.




On Tue, Jan 5, 2016 at 7:06 PM, Karl Forner <karl.forner at gmail.com> wrote:

> Another piece of information:
>
> the linux boxes are running ubuntu too, with the same configuration.
> I have configured 2 dns servers, the first for my main freeipa server
> (which is down), and rhe second for the replica.
> After boot, the linux box can resolve addresses just fine, using the
> secondary dns. But the box does not pick the kdc from the replica.
>
> It seems to only use the cache, since when I do a klist, I have a ticked
> expiring at 01/01/1970:
> Valid starting       Expires              Service principal
> 01/01/1970 01:00:00  01/01/1970 01:00:00
>
> If I do a kinit:
> kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
> initial credentials
>
> And once again, from a box just rebooted.
>
> When I look at my /etc/krb5.conf, there's a kdc, master_kdc, and
> admin_server set for my domain.
> From what I had understood, I thought they should be ignored, and that the
> auto discovery should still happen.
> Is that so ?
>
> Thanks.
>
>
>
> On Tue, Jan 5, 2016 at 12:16 AM, Karl Forner <karl.forner at gmail.com>
> wrote:
>
>> Hello,
>>
>> My freeipa master has crashed, and I have a replica running.
>> The problem is that I can not use anymore the webapps on my main server
>> which use a kerberos authentication since my server will not switch to the
>> kdc on my replica.
>>
>> I remember that someone replied me on this list about that problem, but
>> I'd like to konw if there's something I can do besides rebooting my main
>> server ?
>>
>> freeipa 4.3
>>
>> sssd 1.12.5-1 running on ubuntu 14.04
>>
>> Thanks.
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160105/b4654129/attachment.htm>

More information about the Freeipa-users mailing list