On 24.9.2015 15:29, Alexander Bokovoy wrote:
> On Thu, 24 Sep 2015, Andy Thompson wrote:
>>> -----Original Message-----
>>> From: Alexander Bokovoy [mailto:[email protected]]
>>> Sent: Thursday, September 24, 2015 1:17 AM
>>> To: Andy Thompson <[email protected]>
>>> Cc: [email protected]
>>> Subject: Re: [Freeipa-users] IPA server failover
>>>
>>> On Wed, 23 Sep 2015, Andy Thompson wrote:
>>> >I've got all of my environments setup with two IPA servers. I'm
>>> >fighting intermittent problems with krb5kdc crashing on them in all of
>>> >my environments and I've opened a ticket with Redhat on that. What I
>>> >can't figure out though is why the clients will not fail over to the
>>> >second functioning server in the domain
>>> >
>>> >My sssd.conf files are all pretty generic from the install with minimal
>>> >modification to add a couple settings.
>>> >
>>> >[domain/mhbe.lin]
>>> >
>>> >cache_credentials = True
>>> >krb5_store_password_if_offline = True
>>> >ipa_domain = mhbe.lin
>>> >id_provider = ipa
>>> >auth_provider = ipa
>>> >access_provider = ipa
>>> >ipa_hostname = mdhixproddb01.mhbe.lin
>>> >chpass_provider = ipa
>>> >ipa_server = _srv_, mdhixprodipa01.mhbe.lin
>>> >ldap_tls_cacert = /etc/ipa/ca.crt
>>> >
>>> >[sssd]
>>> >default_domain_suffix = mhbe.local
>>> >services = nss, sudo, pam, ssh
>>> >config_file_version = 2
>>> >
>>> >domains = mhbe.lin
>>> >[nss]
>>> >default_shell = /bin/bash
>>> >homedir_substring = /home
>>> >debug_level = 7
>>> >[pam]
>>> >
>>> >[sudo]
>>> >
>>> >[autofs]
>>> >
>>> >[ssh]
>>> >
>>> >[pac]
>>> >
>>> >[ifp]
>>> >
>>> >I thought the _srv_ would force it to use dns and both servers are
>>> >round robined when digging the _kerberos records from DNS. So I don't
>>> >understand why it's not working
>>> ipa_server is for SSSD tasks using LDAP server. Kerberos libraries are using
>>> /etc/krb5.conf for hints where to find KDCs.
>>>
>>> A combination of 'dns_lookup_kdc = true' in [libdefaults] and missing 'kdc = '
>>> for specific realm would cause Kerberos clients to do DNS discovery using
>>> SRV records.
>>>
>>
>> Here are the contents of my krb conf with everything set to lookup and it
>> doesn't appear to be working.
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>> default_realm = MHBE.LIN
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> rdns = false
>> ticket_lifetime = 24h
>> forwardable = yes
>> udp_preference_limit = 0
>>
>>
>> [realms]
>> MHBE.LIN = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>
>> }
>>
>>
>> [domain_realm]
>> .mhbe.lin = MHBE.LIN
>> mhbe.lin = MHBE.LIN
> I bet you have SSSD supplying you KDC info in
> /var/lib/sss/pubconf/kdcinfo.MHBE.LIN via
> /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
>
> You can add 'krb5_use_kdcinfo = false' to sssd.conf (domain section),
> see details in sssd-krb5(5).
Also, I would recommend you check SRV records in DNS:

$ dig _kerberos._udp.mhbe.lin SRV

It should list both servers (with non-zero priority).

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
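The point the thread converges on (the SSSD locator plugin hands krb5 a KDC via kdcinfo.REALM, so the DNS SRV records that would give failover are never consulted) can be made concrete with a small model of the KDC lookup order. This is an added example, not code from the thread, SSSD or FreeIPA. It reuses the krb5.conf posted above verbatim and models MIT krb5's locate order as: locator plugin data (SSSD's kdcinfo file) first, then an explicit `kdc =` in the realm section, then DNS SRV when `dns_lookup_kdc` is true. The kdcinfo contents and the SRV answer are constructed sample data, and `mdhixprodipa02.mhbe.lin` is a placeholder for the second server, which the thread never names.

```python
"""Model of where an MIT Kerberos client takes its KDC list from.
Added example, not code from the thread, SSSD or FreeIPA.  Order modelled:
locator plugin data (SSSD kdcinfo.REALM) -> 'kdc =' in krb5.conf -> DNS SRV
when dns_lookup_kdc is true.  Sample kdcinfo/SRV data below is constructed."""
import re
from typing import Any, Dict, List, Optional, Tuple

# krb5.conf exactly as posted in the thread.
KRB5_CONF = """\
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
default_realm = MHBE.LIN
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0

[realms]
MHBE.LIN = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
.mhbe.lin = MHBE.LIN
mhbe.lin = MHBE.LIN
"""

# Constructed: kdcinfo.MHBE.LIN as SSSD would write it while connected to
# the first server (assumed one address per line).
KDCINFO_SAMPLE = "mdhixprodipa01.mhbe.lin\n"

# Constructed SRV answer for _kerberos._udp.mhbe.lin:
# (priority, weight, port, target); the second target is a placeholder.
SRV_ANSWER = [
    (0, 100, 88, "mdhixprodipa01.mhbe.lin"),
    (0, 100, 88, "mdhixprodipa02.mhbe.lin"),
]


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """Minimal krb5.conf parser: [section] headers, 'key = value' lines and
    one level of 'NAME = { ... }' sub-blocks (enough for [realms]).  Values
    are kept as lists so repeated keys such as several 'kdc =' accumulate."""
    conf: Dict[str, Dict[str, Any]] = {}
    section: Optional[Dict[str, Any]] = None
    block: Optional[Dict[str, Any]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "includedir")):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = {}
            section[key] = block
        else:
            target = block if block is not None else section
            target.setdefault(key, []).append(value)
    return conf


def kdc_candidates(conf: Dict[str, Dict[str, Any]], realm: str,
                   kdcinfo: Optional[str],
                   srv: List[Tuple[int, int, int, str]]) -> Tuple[str, List[str]]:
    """Return (source, kdcs) for the first source that yields KDCs.
    kdcinfo is the content of kdcinfo.REALM, or None when the file is
    absent (e.g. krb5_use_kdcinfo = false in sssd.conf)."""
    if kdcinfo is not None and kdcinfo.split():
        return "sssd kdcinfo", kdcinfo.split()
    explicit = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if explicit:
        return "krb5.conf kdc=", list(explicit)
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    if flag.lower() in ("true", "yes", "1"):  # MIT default is true
        ordered = sorted(srv, key=lambda r: (r[0], -r[1]))  # prio asc, weight desc
        return "DNS SRV", [f"{target}:{port}" for _, _, port, target in ordered]
    return "none", []


def failover_report(conf: Dict[str, Dict[str, Any]], realm: str,
                    kdcinfo: Optional[str],
                    srv: List[Tuple[int, int, int, str]]) -> str:
    """One-line verdict: failover needs more than one KDC from the active source."""
    source, kdcs = kdc_candidates(conf, realm, kdcinfo, srv)
    if len(kdcs) >= 2:
        return f"OK: {len(kdcs)} KDCs for {realm} via {source}: {', '.join(kdcs)}"
    if len(kdcs) == 1:
        return f"WARN: single KDC for {realm} via {source}: {kdcs[0]}"
    return f"FAIL: no KDC source for {realm}"


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    print(failover_report(conf, "MHBE.LIN", KDCINFO_SAMPLE, SRV_ANSWER))  # kdcinfo present
    print(failover_report(conf, "MHBE.LIN", None, SRV_ANSWER))            # kdcinfo absent
```

With the kdcinfo file present the report shows a single KDC from the locator plugin, which is the situation Andy sees; with it absent (what `krb5_use_kdcinfo = false` produces) the same krb5.conf falls through to the SRV answer and both servers appear, which is also what the `dig` check should confirm.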
