Hello. I don't know if you received my previous mail, but thank you for your answer.

I have two additional questions then:

- Concerning the master_kdc line, is it better to put the physical machine here, or even to remove it if it is optional?
- Do you know how I can check which one of these three servers is currently used per server with this krb5.conf? I need to check how I can resynchronize the last server.

Best regards.

Bahan

On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Fri, 07 Aug 2015, bahan w wrote:
>
>> Hello !
>>
>> We are using freeipa version 3 and we are encountering a problem in our
>> environment.
>> We have one master kdc and two replicas.
>>
>> On the different linux servers in our environment, we have the following
>> krb5.conf (I modified the hostnames for NDA):
>>
>> ###
>> #File modified by ipa-client-install
>>
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [libdefaults]
>>   default_realm = <MYREALM>
>>   dns_lookup_realm = false
>>   dns_lookup_kdc = false
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [realms]
>>   <MYREALM> = {
>>     kdc = host1.<mydomain>:88
>>     kdc = host2.<mydomain>:88
>>     kdc = host3.<mydomain>:88
>>     master_kdc = host2.<mydomain>:88
>>     admin_server = host2.<mydomain>:749
>>     default_domain = <mydomain>
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>> [domain_realm]
>>   .<mydomain> = <MYREALM>
>>   <mydomain> = <MYREALM>
>>   .<myrealm> = <MYREALM>
>>   <myrealm> = <MYREALM>
>> ###
>>
>> host1 is a physical machine.
>> host2 and host3 are VMs.
>>
>> So I have some questions:
>>
>> Q1 - Does it make sense to put the master_kdc and admin_server lines on
>> host2, which is a VM, instead of host1, which is a physical machine?
>>
> According to the manual page of 'krb5.conf',
> -------
> master_kdc:
>     Identifies the master KDC(s). Currently, this tag is used in only
>     one case: If an attempt to get credentials fails because of an invalid
>     password, the client software will attempt to contact the master KDC, in
>     case the user's password has just been changed, and the updated database
>     has not been propagated to the slave servers yet.
> -------
>
> 'admin_kdc' is what kadmin is using, so it is irrelevant for day to day
> actions in IPA.
>
>> Q2 - When I try to connect to the UI of host1, I can enter my
>> login/password and it works. When I try to connect to the UI of host2, I
>> have an error message saying my password is incorrect. When I try to
>> connect to the UI of host3, it works. Does it mean host1 and host3 are
>> synchronized but host2 is not?
>>
> Most likely, yes.
>
>> Q3 - Do the last two lines make sense? I mean, what is the exact usage of
>> the paragraph [domain_realm]? Does it mean: if I try to connect to a
>> server with a domain listed in this list, then I will try to contact the
>> realm associated with it?
>>
> Since you disabled DNS discovery of realm based on the DNS domain,
> Kerberos library will perform some logic to find out which realm
> corresponds to the domain. domain_realm section helps here.
>
> krb5.conf manual page has clear explanation how the section is designed
> to work.
>
> --
> / Alexander Bokovoy
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
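The question of which of the three KDCs a given client actually talks to, and whether the master_kdc fallback ever kicks in, can be answered from the MIT Kerberos library's own trace output rather than by guessing from krb5.conf ordering: setting KRB5_TRACE makes libkrb5 log every hostname it resolves and every KDC it sends to, and it flags the retry against master_kdc that the man page excerpt above describes. The script below is an added example, not code from the thread or from FreeIPA. It parses a constructed trace (the hostnames host1.example.com / host2.example.com, the 192.0.2.x addresses and the realm MYREALM are placeholders standing in for the redacted ones; the line formats follow MIT krb5 1.10+ trace messages but exact wording differs slightly between versions, so treat the patterns as an assumption to check against your own output) and reports the KDCs contacted in order, which host the library fell back to as master, and whether the final answer came from the master. On a real IPA-enrolled client the same functions can be fed the output of `KRB5_TRACE=/tmp/kinit.trace kinit -k` run as root, which uses the host keytab and needs no password.

```shell
#!/bin/sh
# Added example: inspect MIT krb5 KRB5_TRACE output to see which KDC a client used.
# SAMPLE_TRACE is a constructed trace of a kinit whose first attempt failed at a
# replica with "Preauthentication failed" and was retried against master_kdc.
# Hostnames, addresses and realm are placeholders (assumption), not from the thread.
SAMPLE_TRACE='[2311] 1438993500.123456: Getting initial credentials for bahan@MYREALM
[2311] 1438993500.123457: Sending request (179 bytes) to MYREALM
[2311] 1438993500.123458: Resolving hostname host1.example.com
[2311] 1438993500.123459: Sending initial UDP request to dgram 192.0.2.11:88
[2311] 1438993500.123460: Received answer (260 bytes) from dgram 192.0.2.11:88
[2311] 1438993500.123461: Response was not from master KDC
[2311] 1438993500.123462: Received error from KDC: -1765328360/Preauthentication failed
[2311] 1438993500.123463: Retrying AS request with master KDC
[2311] 1438993500.123464: Getting initial credentials for bahan@MYREALM
[2311] 1438993500.123465: Sending request (179 bytes) to MYREALM (master)
[2311] 1438993500.123466: Resolving hostname host2.example.com
[2311] 1438993500.123467: Sending initial UDP request to dgram 192.0.2.12:88
[2311] 1438993500.123468: Received answer (260 bytes) from dgram 192.0.2.12:88
[2311] 1438993500.123469: Response was from master KDC'

# Every KDC hostname the library resolved, in the order it tried them,
# space-separated on one line. The first one is the KDC normally in use.
kdcs_contacted() {
    printf '%s\n' "$1" \
        | sed -n 's/^\[[0-9]*] [0-9.]*: Resolving hostname //p' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Hostname resolved for the request flagged "(master)", i.e. the master_kdc
# entry the library fell back to after a password failure. Empty if the
# trace contains no master retry (no failure, or no master_kdc configured).
master_fallback_kdc() {
    printf '%s\n' "$1" | awk '
        /Sending request .* \(master\)/ { want = 1; next }
        want && /Resolving hostname/    { print $NF; exit }
    '
}

# "master", "replica" or "unknown" depending on which KDC gave the last answer.
last_answer_from() {
    printf '%s\n' "$1" | awk '
        /Response was from master KDC/     { r = "master" }
        /Response was not from master KDC/ { r = "replica" }
        END { if (r == "") r = "unknown"; print r }
    '
}

# Stand-alone demo on the constructed sample. On a real client, replace
# "$SAMPLE_TRACE" with "$(cat /tmp/kinit.trace)" after running, as root:
#   KRB5_TRACE=/tmp/kinit.trace kinit -k
echo "KDCs contacted : $(kdcs_contacted "$SAMPLE_TRACE")"
echo "master fallback: $(master_fallback_kdc "$SAMPLE_TRACE")"
echo "last answer    : $(last_answer_from "$SAMPLE_TRACE")"
```

Reading the result against the thread's symptoms: if every client's trace shows the same first hostname, that is the KDC whose copy of the database decides whether a password works; a non-empty master fallback after a "Preauthentication failed" error means the master_kdc line is being exercised, so pointing it at a replica that is itself out of sync (as host2 appears to be) defeats its purpose.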