On 09/07/2012 04:50 PM, Rob Crittenden wrote:
> Michael Mercier wrote:
>>
>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>
>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:
> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>> Hello,
>>
>> I have experienced some odd connectivity issues using MMR with
>> FreeIPA (all systems CentOS 6.3). I have 2 ipa servers
>> (ipaserver / ipaserver2) setup using MMR.
>>
>> [root@ipaserver ~]#ipa-replica-manage list
>> ipaserver.mpls.local: master
>> ipaserver2.mpls.local: master
>> [root@ipaserver ~]# rpm -qa|grep ipa
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>>
>>
>> [root@ipaserver2 ~]#ipa-replica-manage list
>> ipaserver.mpls.local: master
>> ipaserver2.mpls.local: master
>> [root@ipaserver2 ~]# rpm -qa|grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>> libipa_hbac-1.8.0-32.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>
>>
>> [mike@ipaclient ~]$ rpm -qa|grep ipa
>> ipa-admintools-2.2.0-16.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> libipa_hbac-1.8.0-32.el6.x86_64
>>
>>
>> I have a webserver (zenoss) using kerberos authentication.
>>
>> [root@zenoss ~]# rpm -qa|grep ipa
>> libipa_hbac-1.8.0-32.el6.x86_64
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-admintools-2.2.0-16.el6.x86_64
>>
>>
>> SSLRequireSSL
>> AuthType Kerberos
>> AuthName "Kerberos Login"
>>
>> KrbMethodK5Passwd Off
>> KrbAuthRealms MPLS.LOCAL
>> KrbSaveCredentials on
>> KrbServiceName HTTP
>> Krb5KeyTab /etc/http/conf.d/http.keytab
>>
>> AuthLDAPUrl "ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>> RequestHeader set X_REMOTE_USER %{remoteUser}e
>> require ldap-group cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>>
>>
>>
>> With both ipaserver and ipaserver2 'up', if I connect to
>> https://zenoss.mpls.local from ipaclient using firefox, I am
>> successfully connected. If on ipaserver I do a 'ifdown eth0' and
>> attempt another connection, it fails. I have also noticed the
>> following:
>>
>> 1. I am unable to use the ipaserver2 management interface when
>> ipaserver is unavailable.
>> 2. It takes a longer period of time to do a kinit
>>
>> If I then perform:
>> [root@ipaserver ~]#ifup eth0
>>
>> [root@ipaserver2 ~]#ifdown eth0
>>
>> [mike@ipaclient ~]$kinit
>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
>> getting initial credentials
>>
>> [root@ipaserver2 ~]#ifup eth0
>>
>> [mike@ipaclient ~]$ kinit
>> Password for mike@MPLS.LOCAL:
>> [mike@ipaclient ~]$
>>
>> [root@ipaserver2 ~]#ifdown eth0
>>
>> .. wait a number of minutes
>>
>> ipaclient screen locks - type password - after a short delay (~7
>> seconds) screen unlock completes
>>
>> [mike@ipaclient ~]$kinit
>> Password for mike@MPLS.LOCAL:
>> [mike@ipaclient ~]$
>>
>> Any ideas?
>>
>> Thanks,
>> Mike
> This seems to be some DNS problem.
> Your client does not see the second replica and might have some name
> resolution timeouts.
>
> Please check your dns setup and krb5.conf on the client.
>
> To help more we need more details about your client configuration,
> DNS and
> Kerberos.
Hi,
Additional information...
[root@zenoss ~]#more /etc/resolv.conf
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
[root@zenoss ~]# more /etc/krb5.conf
#File modified by ipa-client-install
[libdefaults]
default_realm = MPLS.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MPLS.LOCAL
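The thread turns on whether the client can still locate a KDC and an LDAP server once one replica disappears. As an added example, not part of this thread and not FreeIPA's own code, here is a stdlib-only Python check that reads a krb5.conf (the two sample configs below are constructed, modelled on the ipa-client-install output above) and reports where the client's KDC list comes from, and that splits a mod_authnz_ldap AuthLDAPUrl into its host list. The function names and the finding texts are my own.

```python
import re
from typing import Dict, List

# Constructed sample: ipa-client-install style, KDCs discovered via DNS SRV.
SAMPLE_DNS_DISCOVERY = """\
#File modified by ipa-client-install
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
[realms]
  MPLS.LOCAL = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

# Constructed sample: both replicas listed statically, no DNS dependency.
SAMPLE_STATIC_KDCS = """\
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_kdc = false
[realms]
  MPLS.LOCAL = {
    kdc = ipaserver.mpls.local:88
    kdc = ipaserver2.mpls.local:88
    admin_server = ipaserver.mpls.local:749
  }
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf parser: {section: {key: [values]}}, with
    'name = { ... }' blocks (realms) nested as {section: {name: {key: [values]}}}.
    Keys may repeat (several 'kdc =' lines), so every value is kept in a list."""
    conf: Dict[str, dict] = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            block = None
            continue
        if section is None:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = m.group(1)
            conf[section].setdefault(block, {})
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if m:
            target = conf[section][block] if block else conf[section]
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def kdc_failover_sources(conf: Dict[str, dict], realm: str = None) -> dict:
    """Report how the client finds KDCs for a realm and whether a second
    KDC is available when the first goes away."""
    libdefaults = conf.get("libdefaults", {})
    realm = realm or libdefaults.get("default_realm", [None])[0]
    realm_conf = conf.get("realms", {}).get(realm, {})
    static_kdcs = realm_conf.get("kdc", [])
    # MIT krb5 defaults dns_lookup_kdc to true when it is not set.
    dns = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower() in ("true", "yes", "1")
    srv_records = [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"] if dns else []
    findings: List[str] = []
    if dns and not static_kdcs:
        findings.append("KDC list comes only from DNS SRV records; every replica that should "
                        "survive an outage must be in them, and the resolvers in "
                        "/etc/resolv.conf must stay reachable during that outage.")
    if not dns and len(static_kdcs) < 2:
        findings.append("single static KDC and no DNS discovery: no KDC failover.")
    return {"realm": realm, "static_kdcs": static_kdcs, "dns_lookup_kdc": dns,
            "srv_records": srv_records, "failover_possible": dns or len(static_kdcs) >= 2,
            "findings": findings}


def ldap_url_hosts(auth_ldap_url: str) -> List[str]:
    """Split a mod_authnz_ldap AuthLDAPUrl into its host list; the directive
    accepts several space-separated hosts ('ldap://host1 host2/base?attr')
    and tries them in order, which is what gives LDAP-side failover."""
    m = re.match(r"^(ldaps?://)([^/]+)(/.*)?$", auth_ldap_url.strip().strip('"'))
    if not m:
        raise ValueError(f"not an ldap:// or ldaps:// URL: {auth_ldap_url!r}")
    return m.group(2).split()


if __name__ == "__main__":
    for name, sample in (("dns", SAMPLE_DNS_DISCOVERY), ("static", SAMPLE_STATIC_KDCS)):
        print(name, kdc_failover_sources(parse_krb5_conf(sample)))
    print(ldap_url_hosts('"ldap://ipaserver.mpls.local ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"'))
```

The report only says what the configuration allows; it does not query DNS or probe the KDCs, so on a client like the one above the next step is to confirm that both replicas actually appear in the `_kerberos._udp.MPLS.LOCAL` SRV answer from each nameserver in resolv.conf, since with DNS-only discovery the nameservers are themselves part of the failover path.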