<div dir="ltr"><div><div><div><div><div><div><div><div><div><div>Hello !<br><br></div>We are using freeipa version 3 and we are encountering a problem in our environment.<br></div>We have one master kdc and two replicas.<br><br></div>On the different linux servers on our environment, we have the following krb5.conf (I modified the hostname for NDA) :<br><br>###<br>#File modified by ipa-client-install<br><br>includedir /var/lib/sss/pubconf/krb5.include.d/<br><br>[libdefaults]<br> default_realm = <MYREALM><br> dns_lookup_realm = false<br> dns_lookup_kdc = false<br> rdns = false<br> ticket_lifetime = 24h<br> forwardable = yes<br><br>[realms]<br></div><div> <MYREALM> = {<br></div><div> kdc = host1.<mydomain>:88<br> kdc = host2.<mydomain>:88<br> kdc = host3.<mydomain>:88<br> master_kdc = host2.<mydomain>:88<br> admin_server = host2.<mydomain>:749<br> default_domain <mydomain><br> pkinit_anchors = FILE:/etc/ipa/ca.crt<br> }<br><br>[domain_realm]<br> .<mydomain> = <MYREALM><br> <mydomain> = <MYREALM><br> .<myrealm> = <MYREALM><br> <myrealm> = <MYREALM><br>###<br><br></div>host1 is a physical machine<br></div>host2 and host3 are VM.<br><br></div>So I have some questions :<br></div>Q1 - Does it make sense to put the line master_kdc and admin_server to the host2, which is a VM instead of the host1 which is a physical machine ? <br><br></div>Q2 - When I try to connect to the UI of host1, I can enter my login/password and it works. When I try to connect to the UI of host2, I have an error message saying my password is incorrect. When I try to connect to the UI of host3, it works. Does it mean host1 and host3 are synchronized but host2 is not ?<br><br></div><div>Q3. Does the two last lines make sense ? I mean what is the exact usage of the paragraph [domain_realm] ? Does it mean : if I try to connect to a server with the domain listed in this list, then I will try to contact the realm associated ?<br><br></div><div>Thank you in advance for your answers.<br></div><div><br></div>Best regards.<br><br></div>Bahan<br></div>