On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:

> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>> Hello,
>>
>> I have experienced some odd connectivity issues using MMR with FreeIPA (all
>> systems CentOS 6.3). I have 2 ipa servers (ipaserver / ipaserver2) set up
>> using MMR.
>>
>> [root@ipaserver ~]#ipa-replica-manage list
>> ipaserver.mpls.local: master
>> ipaserver2.mpls.local: master
>> [root@ipaserver ~]# rpm -qa|grep ipa
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>>
>>
>> [root@ipaserver2 ~]#ipa-replica-manage list
>> ipaserver.mpls.local: master
>> ipaserver2.mpls.local: master
>> [root@ipaserver2 ~]# rpm -qa|grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>> libipa_hbac-1.8.0-32.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>
>>
>> [mike@ipaclient ~]$ rpm -qa|grep ipa
>> ipa-admintools-2.2.0-16.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> libipa_hbac-1.8.0-32.el6.x86_64
>>
>>
>> I have a webserver (zenoss) using kerberos authentication.
>>
>> [root@zenoss ~]# rpm -qa|grep ipa
>> libipa_hbac-1.8.0-32.el6.x86_64
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-admintools-2.2.0-16.el6.x86_64
>>
>> <Location />
>>   SSLRequireSSL
>>   AuthType Kerberos
>>   AuthName "Kerberos Login"
>>
>>   KrbMethodK5Passwd Off
>>   KrbAuthRealms MPLS.LOCAL
>>   KrbSaveCredentials on
>>   KrbServiceName HTTP
>>   Krb5KeyTab /etc/http/conf.d/http.keytab
>>
>>   AuthLDAPUrl "ldap://ipaserver.mpls.local
>> ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>   RequestHeader set X_REMOTE_USER %{remoteUser}e
>>   require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>> </Location>
>>
>>
>> With both ipaserver and ipaserver2 'up', if I connect to
>> https://zenoss.mpls.local from ipaclient using firefox, I am successfully
>> connected. If on ipaserver I do a 'ifdown eth0' and attempt another
>> connection, it fails. I have also noticed the following:
>>
>> 1. I am unable to use the ipaserver2 management interface when ipaserver is
>>    unavailable.
>> 2. It takes a longer period of time to do a kinit
>>
>> If I then perform:
>> [root@ipaserver ~]#ifup eth0
>>
>> [root@ipaserver2 ~]#ifdown eth0
>>
>> [mike@ipaclient ~]$kinit
>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial
>> credentials
>>
>> [root@ipaserver2 ~]#ifup eth0
>>
>> [mike@ipaclient ~]$ kinit
>> Password for mike@MPLS.LOCAL:
>> [mike@ipaclient ~]$
>>
>> [root@ipaserver2 ~]#ifdown eth0
>>
>> .. wait a number of minutes
>>
>> ipaclient screen locks - type password - after a short delay (~7 seconds)
>> screen unlock completes
>>
>> [mike@ipaclient ~]$kinit
>> Password for mike@MPLS.LOCAL:
>> [mike@ipaclient ~]$
>>
>> Any ideas?
>>
>> Thanks,
>> Mike
>
> This seems to be some DNS problem.
> Your client does not see the second replica and might have some name
> resolution timeouts.
>
> Please check your dns setup and krb5.conf on the client.
>
> To help more we need more details about your client configuration, DNS and
> kerberos.

Hi,

Additional information...

[root@zenoss ~]#more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# more /etc/resolv.conf
# Generated by NetworkManager
search mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8

[root@ipaclient ~]# more /etc/krb5.conf
#File modified by ipa-client-install

[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .mpls.local = MPLS.LOCAL
  mpls.local = MPLS.LOCAL

[root@ipaclient ~]# nslookup ipaserver
Server:     172.16.112.5
Address:    172.16.112.5#53

Name:   ipaserver.mpls.local
Address: 172.16.112.5

[root@ipaserver ~]#ifdown eth0

[root@ipaclient ~]# nslookup ipaserver
Server:     172.16.112.8
Address:    172.16.112.8#53

Name:   ipaserver.mpls.local
Address: 172.16.112.5

[root@ipaclient ~]# nslookup ipaserver2
Server:     172.16.112.8
Address:    172.16.112.8#53

Name:   ipaserver2.mpls.local
Address: 172.16.112.8

Copy/paste from the DNS page on ipaserver/ipaserver2

@                      NS   ipaserver.mpls.local.
                       NS   ipaserver2.mpls.local.
_kerberos              TXT  MPLS.LOCAL
_kerberos-master._tcp  SRV  0 100 88 ipaserver
                       SRV  0 100 88 ipaserver2
_kerberos-master._udp  SRV  0 100 88 ipaserver
                       SRV  0 100 88 ipaserver2
_kerberos._tcp         SRV  0 100 88 ipaserver
                       SRV  0 100 88 ipaserver2
_kerberos._udp         SRV  0 100 88 ipaserver
                       SRV  0 100 88 ipaserver2
_kpasswd._tcp          SRV  0 100 464 ipaserver
                       SRV  0 100 464 ipaserver2
_kpasswd._udp          SRV  0 100 464 ipaserver
                       SRV  0 100 464 ipaserver2
_ldap._tcp             SRV  0 100 389 ipaserver
                       SRV  0 100 389 ipaserver2
_ntp._udp              SRV  0 100 123 ipaserver
                       SRV  0 100 123 ipaserver2
ipaclient              A    172.16.112.9
ipaclient2             A    172.16.112.145
ipaserver              A    172.16.112.5
ipaserver2             A    172.16.112.8
zenoss                 A    172.16.112.6

Thanks,
Mike

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
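To see which KDC a client following the _kerberos._tcp SRV records above will try first, and how a down replica shows up as timeout delay before failover rather than as a clean switch, here is a small diagnostic added by the editor (it is not part of the thread, of FreeIPA or of MIT krb5). The zone lines are constructed from the listing in the thread, and `tcp_probe` and `first_reachable` are assumed helper names.

```python
"""Editor's example (not from the thread, FreeIPA or MIT krb5): order the
_kerberos._tcp SRV records as a client would and see which KDC answers.
SRV lines are constructed from the zone listing in the thread; tcp_probe and
first_reachable are assumed helper names."""
import socket
from typing import Callable, List, Optional, Tuple

# Constructed sample: the thread's _kerberos._tcp records in zone-file form.
SRV_ZONE = """
_kerberos._tcp.mpls.local. 86400 IN SRV 0 100 88 ipaserver.mpls.local.
_kerberos._tcp.mpls.local. 86400 IN SRV 0 100 88 ipaserver2.mpls.local.
"""

def parse_srv(zone_text: str) -> List[Tuple[int, int, int, str]]:
    """Return (priority, weight, port, target) tuples in client try-order."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3] != "SRV":
            continue  # blank line or a non-SRV record
        prio, weight, port = (int(f) for f in fields[4:7])
        records.append((prio, weight, port, fields[7].rstrip(".")))
    # RFC 2782: lowest priority first; equal priorities are picked by weighted
    # random choice. Sorting by weight then name keeps this deterministic.
    return sorted(records, key=lambda r: (r[0], -r[1], r[3]))

def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out or lookup failed
        return False

def first_reachable(records, probe: Callable[[str, int], bool] = tcp_probe
                    ) -> Tuple[Optional[str], List[str]]:
    """Try KDCs in order; return (chosen target or None, targets that failed
    before it). Each failure costs the client a full probe timeout, which is
    the extra kinit delay seen while a replica is down."""
    failed: List[str] = []
    for _prio, _weight, port, target in records:
        if probe(target, port):
            return target, failed
        failed.append(target)
    return None, failed

if __name__ == "__main__":  # on a live client this makes real probes to port 88
    print(first_reachable(parse_srv(SRV_ZONE)))
```

Run it on the client while one replica's interface is down: a result such as `('ipaserver2.mpls.local', ['ipaserver.mpls.local'])` shows failover working, with the first entry in the list accounting for the slow kinit.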