On Wed, Feb 16, 2022 at 03:09:00PM -0000, David Galarreta via
FreeIPA-users wrote:
> Hello!
> we get the next error when we try to create a kerberos ticket:
> kinit: Cannot find KDC for realm "TEST.INTERN" while getting initial
> credentials
>
> /etc/krb5.conf:
> [libdefaults]
> default_realm = TEST.INTERN
> dns_lookup_realm = true
> dns_lookup_kdc = true
> rdns = false
> dns_canonicalize_hostname = false
> ticket_lifetime = 24h
> forwardable = true
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
>
>
> [realms]
> TEST.INTERN = {
> pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> }
> [domain_realm]
> .domain.net = TEST.INTERN
> domain.net = TEST.INTERN
> client1.domain.net = TEST.INTERN
>
> The DNS records from FreeIPA for autodiscover are working. If I add kdc =
> ipaserver.domain.net I get the kerberos ticket. But we want to use
> autodiscovery for failover, so we do not want to add the server address on
> every client.
Hi,
this is most probably related to SSSD running on the same host. SSSD
provides a plugin for libkrb5 to make sure a single KDC is used as long
as possible. This is to avoid issues in environments like AD or IPA
where some data must be replicated from one domain controller to the
other. If
SSSD_KRB5_LOCATOR_DISABLE=1 kinit ....
works as expected then the locator plugin might be using some stale
data. You can check this in /var/lib/sss/pubconf/kdcinfo.TEST.INTERN
which should contain multiple IP addresses and DNS names of KDCs from
TEST.INTERN.
bye,
Sumit
>
> Do you have some idea? Thanks
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
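The check Sumit suggests (look in /var/lib/sss/pubconf/kdcinfo.REALM for the KDC list the SSSD locator plugin cached, and see whether it still matches what DNS advertises) can be scripted. The script below is an added example written for this page, not code from the thread, from SSSD or from FreeIPA. It assumes the kdcinfo file holds one "host[:port]" entry per line and that the SRV answer is in the "priority weight port target." shape printed by `dig +short SRV`; both inputs are constructed sample data so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD/FreeIPA: compare the
# KDC list that SSSD's libkrb5 locator plugin cached for a realm with the
# KDCs the realm's _kerberos SRV record currently advertises, to spot stale
# locator data of the kind described in the reply above.
#
# Assumptions (labelled): SSSD writes one "host[:port]" per line to
# /var/lib/sss/pubconf/kdcinfo.REALM (path as given in the thread); the SRV
# answer has the "priority weight port target." shape of `dig +short SRV`.
# The two inputs at the bottom are constructed samples, not captured data.

# Path of the locator plugin's per-realm cache, as named in the thread.
kdcinfo_path() {
    printf '/var/lib/sss/pubconf/kdcinfo.%s\n' "$1"
}

# Turn `dig +short SRV _kerberos._udp.REALM` output into a space-separated
# list of target host names with the trailing dot removed.
srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); printf "%s%s", (n++ ? " " : ""), $4 } END { print "" }'
}

# Canonical form of one KDC entry: drop ":port" and a trailing dot, lowercase.
normalize_kdc() {
    printf '%s\n' "$1" | sed -e 's/:[0-9]*$//' -e 's/\.$//' | tr 'A-Z' 'a-z'
}

# stale_kdcs KDCINFO_CONTENT "target1 target2 ...": print every cached entry
# that DNS no longer lists, one per line. No output means the cache is current.
stale_kdcs() {
    kdcinfo=$1
    srv=$2
    printf '%s\n' "$kdcinfo" | while IFS= read -r entry; do
        if [ -n "$entry" ]; then
            e=$(normalize_kdc "$entry")
            found=0
            for t in $srv; do
                if [ "$(normalize_kdc "$t")" = "$e" ]; then
                    found=1
                fi
            done
            if [ "$found" -eq 0 ]; then
                printf '%s\n' "$e"
            fi
        fi
    done
    return 0
}

# Constructed sample: what kdcinfo.TEST.INTERN might hold after one KDC was
# decommissioned and the locator cache was not refreshed.
KDCINFO_SAMPLE='ipaserver.domain.net:88
oldkdc.domain.net:88'

# Constructed sample of `dig +short SRV _kerberos._udp.TEST.INTERN` today.
DIG_SAMPLE='0 100 88 ipaserver.domain.net.
0 100 88 ipaserver2.domain.net.'

# Offline demonstration with the constructed data.
echo "cache file: $(kdcinfo_path TEST.INTERN)"
echo "DNS KDCs:   $(srv_targets "$DIG_SAMPLE")"
stale=$(stale_kdcs "$KDCINFO_SAMPLE" "$(srv_targets "$DIG_SAMPLE")")
if [ -n "$stale" ]; then
    echo "stale locator entries:"
    printf '  %s\n' $stale
else
    echo "locator cache matches DNS"
fi
```

On a real client, feed `cat "$(kdcinfo_path TEST.INTERN)"` and the output of `dig +short SRV _kerberos._udp.TEST.INTERN` to `stale_kdcs` instead of the samples. If the cache lists IP addresses rather than names (the thread mentions both), resolve the SRV targets first so the comparison is like for like. A non-empty result together with `SSSD_KRB5_LOCATOR_DISABLE=1 kinit` succeeding points at stale locator data, which is exactly the case the reply describes.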