[Freeipa-users] Concerning the krb5.conf

2015-08-07 Thread bahan w
Hello!

We are using freeipa version 3 and we are encountering a problem in our
environment.
We have one master kdc and two replicas.

On the different Linux servers in our environment, we have the following
krb5.conf (I modified the hostnames for NDA):

###
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = 
 dns_lookup_realm = false
 dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
   = {
kdc = host1.:88
kdc = host2.:88
kdc = host3.:88
master_kdc = host2.:88
admin_server = host2.:749
default_domain 
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  . = 
   = 
  . = 
   = 
###

host1 is a physical machine
host2 and host3 are VM.

So I have some questions:
Q1 - Does it make sense to put the master_kdc and admin_server lines on
host2, which is a VM, instead of host1, which is a physical machine?

Q2 - When I try to connect to the UI of host1, I can enter my
login/password and it works. When I try to connect to the UI of host2, I
have an error message saying my password is incorrect. When I try to
connect to the UI of host3, it works. Does it mean host1 and host3 are
synchronized but host2 is not?

Q3. Do the last two lines make sense? I mean, what is the exact usage of
the paragraph [domain_realm]? Does it mean: if I try to connect to a
server with the domain listed in this list, then I will try to contact the
realm associated?

Thank you in advance for your answers.

Best regards.

Bahan
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Concerning the krb5.conf

2015-08-07 Thread Alexander Bokovoy

On Fri, 07 Aug 2015, bahan w wrote:

> Hello!
>
> We are using freeipa version 3 and we are encountering a problem in our
> environment.
> We have one master kdc and two replicas.
>
> On the different Linux servers in our environment, we have the following
> krb5.conf (I modified the hostnames for NDA):
>
> ###
> #File modified by ipa-client-install
>
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [libdefaults]
> default_realm = 
> dns_lookup_realm = false
> dns_lookup_kdc = false
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>   = {
>    kdc = host1.:88
>    kdc = host2.:88
>    kdc = host3.:88
>    master_kdc = host2.:88
>    admin_server = host2.:749
>    default_domain 
>    pkinit_anchors = FILE:/etc/ipa/ca.crt
>  }
>
> [domain_realm]
>  . = 
>   = 
>  . = 
>   = 
> ###
>
> host1 is a physical machine
> host2 and host3 are VM.
>
> So I have some questions:
> Q1 - Does it make sense to put the master_kdc and admin_server lines on
> host2, which is a VM, instead of host1, which is a physical machine?

According to the manual page of 'krb5.conf':
---
master_kdc:
Identifies the master KDC(s). Currently, this tag is used in only
one case: If an attempt to get credentials fails because of an invalid
password, the client software will attempt to contact the master KDC, in
case the user's password has just been changed, and the updated database
has not been propagated to the slave servers yet.
---

'admin_kdc' is what kadmin is using, so it is irrelevant for day-to-day
actions in IPA.

> Q2 - When I try to connect to the UI of host1, I can enter my
> login/password and it works. When I try to connect to the UI of host2, I
> have an error message saying my password is incorrect. When I try to
> connect to the UI of host3, it works. Does it mean host1 and host3 are
> synchronized but host2 is not?

Most likely, yes.

> Q3. Do the last two lines make sense? I mean, what is the exact usage of
> the paragraph [domain_realm]? Does it mean: if I try to connect to a
> server with the domain listed in this list, then I will try to contact the
> realm associated?

Since you disabled DNS discovery of the realm based on the DNS domain,
the Kerberos library will perform some logic to find out which realm
corresponds to the domain. The domain_realm section helps here.

The krb5.conf manual page has a clear explanation of how the section is
designed to work.

--
/ Alexander Bokovoy
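As an added illustration of the two rules the answers above point at (example code, not from the thread, FreeIPA or MIT krb5): a small Python model of how a client maps a host name to a realm through [domain_realm] and which KDCs it contacts, including the master_kdc retry after an invalid-password failure. The krb5.conf text, realm and host names are constructed, and falling back to default_realm when nothing matches is a simplification of the library, which would also consult DNS when dns_lookup_realm is enabled.

```python
SAMPLE_KRB5_CONF = """# constructed krb5.conf shaped like the thread's; realm and hosts are made up
[libdefaults]
 default_realm = EXAMPLE.TEST
[realms]
 EXAMPLE.TEST = {
  kdc = host1.example.test:88
  kdc = host2.example.test:88
  kdc = host3.example.test:88
  master_kdc = host2.example.test:88
 }
[domain_realm]
 .example.test = EXAMPLE.TEST
 example.test = EXAMPLE.TEST
 .lab.example.test = LAB.EXAMPLE.TEST
"""

def parse_krb5_conf(text):
    """Minimal parser: key = value per section, one { } level as in [realms]; repeated keys collect in a list."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section, block = conf.setdefault(line.strip("[]"), {}), None
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].strip(" ="), {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            (block if block is not None else section).setdefault(key.strip(), []).append(value.strip())
    return conf

def realm_for_host(conf, host):
    """[domain_realm] lookup per the man page: exact host first, then each parent domain ('.dom', then plain 'dom')."""
    mapping = {k: v[0] for k, v in conf.get("domain_realm", {}).items()}
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        for candidate in ((domain,) if i == 0 else ("." + domain, domain)):
            if candidate in mapping:
                return mapping[candidate]
    return conf["libdefaults"]["default_realm"][0]  # nothing matched, DNS lookup off: default realm (simplified)

def kdcs_to_contact(conf, realm, after_bad_password=False):
    """Normal requests use the kdc list; only after an invalid-password failure is master_kdc retried."""
    entry = conf["realms"][realm]
    return entry["master_kdc"] if after_bad_password and "master_kdc" in entry else entry["kdc"]
```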



Re: [Freeipa-users] Concerning the krb5.conf

2015-08-10 Thread bahan w
Hello.

I don't know if you received my previous mail, but thank you for your answer.

I have two additional questions then:
- Concerning the master_kdc line, is it better to put here the physical
machine or even to remove it if it is optional?
- Do you know how I can check which one of these three servers is currently
used per server with this krb5.conf? I need to check how I can
resynchronize the last server.

Best regards.

Bahan

On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy wrote:

Re: [Freeipa-users] Concerning the krb5.conf

2015-08-10 Thread Alexander Bokovoy

On Mon, 10 Aug 2015, bahan w wrote:

> Hello.
>
> I don't know if you received my previous mail, but thank you for your answer.
>
> I have two additional questions then:
> - Concerning the master_kdc line, is it better to put here the physical
> machine or even to remove it if it is optional?

I don't think it ever matters, as it is only used for fallback reasons.


> - Do you know how I can check which one of these three servers is currently
> used per server with this krb5.conf? I need to check how I can
> resynchronize the last server.

Set KRB5_TRACE=/dev/stderr in the execution environment and all
Kerberos code will start explaining what it does.

For example,
 KRB5_TRACE=/dev/stderr kinit
will show which server kinit will contact.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Concerning the krb5.conf

2015-08-11 Thread bahan w
Wow, thank you Alexander for this information!

Best regards.

Gwenael Le Barzic
On 11 Aug 2015 08:45, "Alexander Bokovoy" wrote: