Re: [Freeipa-users] how to force switch to another kdc
On Tue, Jan 5, 2016 at 7:22 PM, Karl Forner wrote:
> update:
>
> modifying the /etc/krb5.conf, and replacing the name of my freeipa master
> by the replica fixes the problem.
> So that proves that the kdc is not picked up by discovery.
>
> The problem is that my ubuntu box was enrolled using the
> ipa-client-install script, and so should be properly configured.
>
> Did I miss any critical option?
> What should the /etc/krb5.conf be like?
> Could you post your krb5.conf?

This is a working example in a centos 6 host:

]$ cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/
#File modified by ipa-client-install

[libdefaults]
  default_realm = IPA.DOMAIN.TLD
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  IPA.DOMAIN.TLD = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ipa.domain.tld = IPA.DOMAIN.TLD
  ipa.domain.tld = IPA.DOMAIN.TLD

--
regards,
natxo

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] how to force switch to another kdc
Thanks a lot, that works if I comment out the explicit reference to a server
name, and if I switch dns_lookup_kdc to true.

I think I understand why it was not working from the install: I used the
ipa-client-install with the option --server. According to the man page, in
the "Failover" section, I understand that "DNS Autodiscovery" is enabled when
no "fixed server was passed to the installer", which makes sense a posteriori.

I think that closes my topic, thanks again for all the help I got!

On Tue, Jan 5, 2016 at 7:34 PM, Natxo Asenjo wrote:
> On Tue, Jan 5, 2016 at 7:31 PM, Natxo Asenjo wrote:
>
>> ]$ cat /etc/krb5.conf
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>> #File modified by ipa-client-install
>>
>> [libdefaults]
>>   default_realm = IPA.DOMAIN.TLD
>>   dns_lookup_realm = true
>>   dns_lookup_kdc = true
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [realms]
>>   IPA.DOMAIN.TLD = {
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>> [domain_realm]
>>   .ipa.domain.tld = IPA.DOMAIN.TLD
>>   ipa.domain.tld = IPA.DOMAIN.TLD
>
> with this config I can reach any realm, by the way, provided it has srv
> records. It works for our AD forests as well.
>
> --
> Groeten,
> natxo
Re: [Freeipa-users] how to force switch to another kdc
On Tue, 05 Jan 2016, Karl Forner wrote:
> update:
>
> modifying the /etc/krb5.conf, and replacing the name of my freeipa master
> by the replica fixes the problem.
> So that proves that the kdc is not picked up by discovery.

This implies you have an explicit line stating the KDC address in your
krb5.conf. That means no DNS SRV record discovery will be done at all
because there is no need to discover anything.

Look at Natxo's example in the other email.

--
/ Alexander Bokovoy
Re: [Freeipa-users] how to force switch to another kdc
On Tue, Jan 5, 2016 at 7:31 PM, Natxo Asenjo wrote:
> ]$ cat /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
> #File modified by ipa-client-install
>
> [libdefaults]
>   default_realm = IPA.DOMAIN.TLD
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   IPA.DOMAIN.TLD = {
>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>   }
>
> [domain_realm]
>   .ipa.domain.tld = IPA.DOMAIN.TLD
>   ipa.domain.tld = IPA.DOMAIN.TLD

with this config I can reach any realm, by the way, provided it has srv
records. It works for our AD forests as well.

--
Groeten,
natxo
Re: [Freeipa-users] how to force switch to another kdc
update:

modifying the /etc/krb5.conf, and replacing the name of my freeipa master
by the replica fixes the problem.
So that proves that the kdc is not picked up by discovery.

The problem is that my ubuntu box was enrolled using the
ipa-client-install script, and so should be properly configured.

Did I miss any critical option?
What should the /etc/krb5.conf be like?

Thanks.

On Tue, Jan 5, 2016 at 7:06 PM, Karl Forner wrote:
> Another piece of information:
>
> the linux boxes are running ubuntu too, with the same configuration.
> I have configured 2 dns servers, the first for my main freeipa server
> (which is down), and the second for the replica.
> After boot, the linux box can resolve addresses just fine, using the
> secondary dns. But the box does not pick the kdc from the replica.
>
> It seems to only use the cache, since when I do a klist, I have a ticket
> expiring at 01/01/1970:
>
>   Valid starting       Expires              Service principal
>   01/01/1970 01:00:00  01/01/1970 01:00:00
>
> If I do a kinit:
>
>   kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
>   initial credentials
>
> And once again, from a box just rebooted.
>
> When I look at my /etc/krb5.conf, there's a kdc, master_kdc, and
> admin_server set for my domain.
> From what I had understood, I thought they should be ignored, and that the
> auto discovery should still happen.
> Is that so?
>
> Thanks.
>
> On Tue, Jan 5, 2016 at 12:16 AM, Karl Forner wrote:
>> Hello,
>>
>> My freeipa master has crashed, and I have a replica running.
>> The problem is that I can no longer use the webapps on my main server
>> which use kerberos authentication, since my server will not switch to the
>> kdc on my replica.
>>
>> I remember that someone replied to me on this list about that problem, but
>> I'd like to know if there's something I can do besides rebooting my main
>> server?
>>
>> freeipa 4.3
>>
>> sssd 1.12.5-1 running on ubuntu 14.04
>>
>> Thanks.
Re: [Freeipa-users] how to force switch to another kdc
Another piece of information:

the linux boxes are running ubuntu too, with the same configuration.
I have configured 2 dns servers, the first for my main freeipa server
(which is down), and the second for the replica.
After boot, the linux box can resolve addresses just fine, using the
secondary dns. But the box does not pick the kdc from the replica.

It seems to only use the cache, since when I do a klist, I have a ticket
expiring at 01/01/1970:

  Valid starting       Expires              Service principal
  01/01/1970 01:00:00  01/01/1970 01:00:00

If I do a kinit:

  kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting
  initial credentials

And once again, from a box just rebooted.

When I look at my /etc/krb5.conf, there's a kdc, master_kdc, and
admin_server set for my domain.
From what I had understood, I thought they should be ignored, and that the
auto discovery should still happen.
Is that so?

Thanks.

On Tue, Jan 5, 2016 at 12:16 AM, Karl Forner wrote:
> Hello,
>
> My freeipa master has crashed, and I have a replica running.
> The problem is that I can no longer use the webapps on my main server
> which use kerberos authentication, since my server will not switch to the
> kdc on my replica.
>
> I remember that someone replied to me on this list about that problem, but
> I'd like to know if there's something I can do besides rebooting my main
> server?
>
> freeipa 4.3
>
> sssd 1.12.5-1 running on ubuntu 14.04
>
> Thanks.
Re: [Freeipa-users] how to force switch to another kdc
On Tue, Jan 5, 2016 at 8:14 AM, Jakub Hrozek wrote:
> On Tue, Jan 05, 2016 at 12:16:48AM +0100, Karl Forner wrote:
> > Hello,
> >
> > My freeipa master has crashed, and I have a replica running.
> > The problem is that I can no longer use the webapps on my main server
> > which use kerberos authentication, since my server will not switch to the
> > kdc on my replica.
>
> As long as the authentication is done via sssd this should happen
> automatically,

well it does not seem to. The way I test it is using kinit.

The only log that gets updated in /var/log/sssd is ldap_child.log.1 (what's
strange is that there's a ldap_child.log which is empty).

Each time I try a kinit, I get a log line like:

  (Tue Jan 5 18:10:55 2016) [[sssd[ldap_child[10069]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Cannot contact any KDC for realm 'EXAMPLE.COM'

I tried to send USR1 then USR2 to the main sssd process, without any
improvement.

In a previous email, Simo Sorce explained to me that:

> Unfortunately it is, it is a bug in the way we update the krb5 libraries
> to point to a KDC.
>
> SSSD updates this information in a file under /var/lib/sss/pubconf and
> krb5 libraries read from it, however kinit cannot force sssd to
> re-evaluate if the file needs updating.
>
> If you do a local login instead of a kinit, you will see that SSSD will
> switch to the new server and subsequent kinit will start using it.
>
> This is tracked here:
> https://fedorahosted.org/sssd/ticket/941

Could this be related?

> but you can send USR1 followed by USR2 to sssd to force
> going offline and back online. It would be nice to look into the logs,
> though, to see why sssd wouldn't fail over by itself.
>
> > I remember that someone replied to me on this list about that problem, but
> > I'd like to know if there's something I can do besides rebooting my main
> > server?
> >
> > freeipa 4.3
> >
> > sssd 1.12.5-1 running on ubuntu 14.04
> >
> > Thanks.
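Two mechanisms are at play in this thread: Alexander's point that an explicit kdc= line in [realms] means libkrb5 never queries DNS SRV records (Natxo's working config has no such line and dns_lookup_kdc = true), and Simo's point that SSSD pins libkrb5 to a KDC through a file under /var/lib/sss/pubconf that kinit alone cannot refresh. The script below is an added example, not code from this thread or from the SSSD/FreeIPA projects: it parses a krb5.conf and reports which KDC source libkrb5 will use for a realm, in MIT krb5's order (locator plugin answer, then [realms] kdc= lines, then DNS SRV if dns_lookup_kdc is on). The two sample configs, their hostnames and ports are constructed; the SSSD file name kdcinfo.<REALM> and the minimal parser are assumptions made here, not taken from the thread.

```python
"""Which KDC source will libkrb5 use for a realm?  Added example, offline."""
import re

# Constructed sample 1: the shape a client enrolled with
# 'ipa-client-install --server <master>' is described as having in the thread
# (explicit kdc/master_kdc/admin_server, DNS lookup off).  Hostnames are made up.
KRB5_PINNED = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
#File modified by ipa-client-install

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    kdc = ipa-master.example.com:88
    master_kdc = ipa-master.example.com:88
    admin_server = ipa-master.example.com:749
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
"""

# Constructed sample 2: the discovery-only shape posted in the thread (no kdc= lines).
KRB5_DISCOVERY = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = IPA.DOMAIN.TLD
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
[realms]
  IPA.DOMAIN.TLD = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
"""

TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}   # spellings profile_get_boolean accepts


def parse_krb5_conf(text):
    """Minimal krb5.conf parser (assumption: one brace level, as [realms] uses).
    Returns {section: {key: [value-or-subdict, ...]}}; lists because kdc may repeat.
    include/includedir lines are skipped, comments after '#' or ';' are dropped."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line or line.startswith(("include ", "includedir ")):
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue                      # text before the first section header
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if not sep:
            continue
        if value == "{":
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def kdc_source(conf, realm, kdcinfo_text=None):
    """(source, targets) for the KDCs libkrb5 would try for `realm`.
    kdcinfo_text: content of SSSD's per-realm locator file (assumed name
    /var/lib/sss/pubconf/kdcinfo.<REALM>), or None if SSSD has written none."""
    # 1. Locator plugin: SSSD's file takes precedence over krb5.conf and DNS.
    if kdcinfo_text:
        addrs = [l.strip() for l in kdcinfo_text.splitlines() if l.strip()]
        if addrs:
            return "sssd-kdcinfo", addrs
    # 2. Explicit kdc= lines: if any exist, DNS SRV is never consulted.
    kdcs = []
    for block in conf.get("realms", {}).get(realm, []):
        if isinstance(block, dict):
            kdcs.extend(block.get("kdc", []))
    if kdcs:
        return "krb5.conf", kdcs
    # 3. DNS SRV, gated by dns_lookup_kdc (MIT default is true when unset).
    flag = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[-1]
    if flag.lower() in TRUE_WORDS:
        name = realm.lower()
        return "dns-srv", [f"_kerberos._udp.{name}", f"_kerberos._tcp.{name}"]
    return "none", []


def explain(source, targets):
    """One-line operator reading of the result, in the terms used in the thread."""
    if source == "sssd-kdcinfo":
        return (f"SSSD pins libkrb5 to {targets}; kinit cannot make SSSD re-check, so if "
                "that host is down send SIGUSR1 then SIGUSR2 to sssd (go offline, then online).")
    if source == "krb5.conf":
        return (f"explicit kdc= {targets}; SRV discovery is skipped entirely, so a "
                "replica is only used after krb5.conf is edited.")
    if source == "dns-srv":
        return f"no fixed KDC; libkrb5 queries {targets} and can use any KDC in the SRV set."
    return "no KDC source at all: kinit will report 'Cannot contact any KDC'."


if __name__ == "__main__":
    for label, text in (("pinned", KRB5_PINNED), ("discovery", KRB5_DISCOVERY)):
        conf = parse_krb5_conf(text)
        realm = conf["libdefaults"]["default_realm"][0]
        src, tgt = kdc_source(conf, realm)
        print(f"{label:9} {realm}: {src} -> {explain(src, tgt)}")
    # Same discovery config, but SSSD still points at the dead master (constructed):
    conf = parse_krb5_conf(KRB5_DISCOVERY)
    src, tgt = kdc_source(conf, "IPA.DOMAIN.TLD", kdcinfo_text="ipa-master.example.com\n")
    print(f"stale sssd IPA.DOMAIN.TLD: {src} -> {explain(src, tgt)}")
```

Run it as-is to see the three cases; to check a real client, read /etc/krb5.conf and the SSSD file for the realm into the two arguments. The third case is the one Simo describes: krb5.conf is discovery-ready, yet libkrb5 keeps contacting the host SSSD last wrote down, which is why the thread's fix is either to correct SSSD's view of the world (USR1/USR2, or a login through SSSD) or to remove the pinning altogether.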
Re: [Freeipa-users] how to force switch to another kdc
On Tue, Jan 05, 2016 at 12:16:48AM +0100, Karl Forner wrote:
> Hello,
>
> My freeipa master has crashed, and I have a replica running.
> The problem is that I can no longer use the webapps on my main server
> which use kerberos authentication, since my server will not switch to the
> kdc on my replica.

As long as the authentication is done via sssd this should happen
automatically, but you can send USR1 followed by USR2 to sssd to force
going offline and back online. It would be nice to look into the logs,
though, to see why sssd wouldn't fail over by itself.

> I remember that someone replied to me on this list about that problem, but
> I'd like to know if there's something I can do besides rebooting my main
> server?
>
> freeipa 4.3
>
> sssd 1.12.5-1 running on ubuntu 14.04
>
> Thanks.
[Freeipa-users] how to force switch to another kdc
Hello,

My freeipa master has crashed, and I have a replica running.
The problem is that I can no longer use the webapps on my main server
which use kerberos authentication, since my server will not switch to the
kdc on my replica.

I remember that someone replied to me on this list about that problem, but
I'd like to know if there's something I can do besides rebooting my main
server?

freeipa 4.3

sssd 1.12.5-1 running on ubuntu 14.04

Thanks.