Wow, thank you Alexander for this information! Best regards.
Gwenael Le Barzic

On 11 August 2015 at 08:45, "Alexander Bokovoy" <aboko...@redhat.com> wrote:
> On Mon, 10 Aug 2015, bahan w wrote:
>
>> Hello.
>>
>> I don't know if you received my previous mail, but thank you for your
>> answer.
>>
>> I have two additional questions then:
>> - Concerning the master_kdc line, is it better to put the physical
>> machine here, or even to remove it if it is optional?
>
> I don't think it ever matters as it is only used for fallback reasons.
>
>> - Do you know how I can check which one of these three servers is currently
>> used per server with this krb5.conf? I need to check how I can
>> resynchronize the last server.
>
> Set KRB5_TRACE=/dev/stderr in the execution environment and all
> Kerberos code will start explaining what it does.
>
> For example,
>   KRB5_TRACE=/dev/stderr kinit
> will show which server kinit will contact.
>
>> Best regards.
>>
>> Bahan
>>
>> On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>
>>> On Fri, 07 Aug 2015, bahan w wrote:
>>>
>>>> Hello!
>>>>
>>>> We are using FreeIPA version 3 and we are encountering a problem in our
>>>> environment.
>>>> We have one master KDC and two replicas.
>>>>
>>>> On the different Linux servers in our environment, we have the following
>>>> krb5.conf (I modified the hostnames for NDA reasons):
>>>>
>>>> ###
>>>> #File modified by ipa-client-install
>>>>
>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>
>>>> [libdefaults]
>>>>   default_realm = <MYREALM>
>>>>   dns_lookup_realm = false
>>>>   dns_lookup_kdc = false
>>>>   rdns = false
>>>>   ticket_lifetime = 24h
>>>>   forwardable = yes
>>>>
>>>> [realms]
>>>>   <MYREALM> = {
>>>>     kdc = host1.<mydomain>:88
>>>>     kdc = host2.<mydomain>:88
>>>>     kdc = host3.<mydomain>:88
>>>>     master_kdc = host2.<mydomain>:88
>>>>     admin_server = host2.<mydomain>:749
>>>>     default_domain = <mydomain>
>>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>>   }
>>>>
>>>> [domain_realm]
>>>>   .<mydomain> = <MYREALM>
>>>>   <mydomain> = <MYREALM>
>>>>   .<myrealm> = <MYREALM>
>>>>   <myrealm> = <MYREALM>
>>>> ###
>>>>
>>>> host1 is a physical machine;
>>>> host2 and host3 are VMs.
>>>>
>>>> So I have some questions:
>>>> Q1 - Does it make sense to point the master_kdc and admin_server lines to
>>>> host2, which is a VM, instead of host1, which is a physical machine?
>>>
>>> According to the manual page of 'krb5.conf':
>>> -------
>>> master_kdc:
>>>   Identifies the master KDC(s). Currently, this tag is used in only
>>>   one case: If an attempt to get credentials fails because of an invalid
>>>   password, the client software will attempt to contact the master KDC, in
>>>   case the user's password has just been changed, and the updated database
>>>   has not been propagated to the slave servers yet.
>>> -------
>>>
>>> 'admin_kdc' is what kadmin is using, so it is irrelevant for day to day
>>> actions in IPA.
>>>
>>>> Q2 - When I try to connect to the UI of host1, I can enter my
>>>> login/password and it works. When I try to connect to the UI of host2, I
>>>> have an error message saying my password is incorrect. When I try to
>>>> connect to the UI of host3, it works. Does it mean host1 and host3 are
>>>> synchronized but host2 is not?
>>>
>>> Most likely, yes.
>>>
>>>> Q3. Do the two last lines make sense? I mean, what is the exact usage
>>>> of the paragraph [domain_realm]? Does it mean: if I try to connect to a
>>>> server with the domain listed in this list, then I will try to contact
>>>> the realm associated?
>>>
>>> Since you disabled DNS discovery of the realm based on the DNS domain, the
>>> Kerberos library will perform some logic to find out which realm
>>> corresponds to the domain. The domain_realm section helps here.
>>>
>>> The krb5.conf manual page has a clear explanation of how the section is
>>> designed to work.
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
> --
> / Alexander Bokovoy
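As an added example that is not part of the thread, FreeIPA or MIT krb5, the following Python pulls the KDC list and the [domain_realm] map out of a krb5.conf shaped like the one quoted above, resolves a hostname to its realm by the rule the krb5.conf manual page describes (exact host entry first, then the longest parent domain written with a leading dot), and reads KRB5_TRACE output to report which configured KDC a client actually contacted. The config, the EXAMPLE.TEST names and the trace lines are constructed, and the trace line format is assumed from what MIT krb5 prints under KRB5_TRACE.

```python
"""Added example (not from the thread or FreeIPA): extract KDCs and the
[domain_realm] map from a krb5.conf laid out like the one quoted above, map a
hostname to its realm by the manual page's rule (exact host, then longest
'.parent'), and read KRB5_TRACE output to see which KDC was contacted."""
import re
# Constructed config with the thread's layout; all names are placeholders.
KRB5_CONF = """[libdefaults]
  default_realm = EXAMPLE.TEST
[realms]
  EXAMPLE.TEST = {
    kdc = host1.example.test:88
    kdc = host2.example.test:88
    kdc = host3.example.test:88
    master_kdc = host2.example.test:88
  }
[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
"""
# Constructed lines in the shape MIT krb5 prints under KRB5_TRACE (format assumed).
TRACE = """[2143] 1439280300.123501: Resolving hostname host1.example.test
[2143] 1439280300.123990: Sending initial UDP request to dgram 192.0.2.11:88
[2143] 1439280300.130002: Received answer (311 bytes) from dgram 192.0.2.11:88
"""

def configured_kdcs(conf_text, realm):
    """Hostnames (port stripped) from kdc= and master_kdc= lines of the realm block."""
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", conf_text, re.S).group(1)
    return {v.split(":")[0] for v in re.findall(r"^\s*(?:master_)?kdc\s*=\s*(\S+)", block, re.M)}

def realm_for_host(conf_text, hostname):
    """[domain_realm] lookup: exact hostname entry, else longest matching '.parent'."""
    section = re.search(r"\[domain_realm\](.*?)(?:\n\[|\Z)", conf_text, re.S).group(1)
    mapping = {k.lower(): v for k, v in re.findall(r"^\s*(\S+)\s*=\s*(\S+)", section, re.M)}
    labels = hostname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c] for c in candidates if c in mapping), None)

def kdcs_in_trace(trace, known):
    """Pair each resolved hostname with the address the request went to and flag
    whether that host is one of the configured KDCs."""
    hits, host = [], None
    for line in trace.splitlines():
        resolved = re.search(r"Resolving hostname (\S+?)\.?$", line)
        sent = re.search(r"Sending .* request to \w+ (\S+)$", line)
        if resolved:
            host = resolved.group(1)
        elif sent:
            hits.append((host, sent.group(1), host in known))
    return hits
```

Running `kdcs_in_trace` over a real capture taken with `KRB5_TRACE=/dev/stderr kinit 2>trace.log` shows, per request, which of the three configured hosts the client chose and whether it fell back to the master_kdc after a password failure.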