9:09 a.m.
Hello!
we get the next error when we try to create a kerberos ticket:
kinit: Cannot find KDC for realm "TEST.INTERN" while getting initial
credentials
/etc/krb5.conf:
[libdefaults]
default_realm = TEST.INTERN
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
TEST.INTERN = {
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.domain.net = TEST.INTERN
domain.net = TEST.INTERN
client1.domain.net = TEST.INTERN
The DNS Record from FreeIPA for Autodiscover are working. if I add kdc =
ipaserver.domain.net > I get the kerberos Ticket. But we want to use autodiscovery for
failover. So we do not want to add the sever address on every client.
Do you have some Idea? Thanks
9:13 a.m.
You might not be able to auto-discover the realm (dns_lookup_realm = true).
Have you tried manually configuring DOMAIN.NET?
[libdefaults]
default_realm = DOMAIN.NET
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.NET = {
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.domain.net = DOMAIN.NET
domain.net = DOMAIN.NET
client1.domain.net = DOMAIN.NET
On 2/16/22 10:09 AM, David Galarreta via FreeIPA-users wrote:
Hello!
we get the next error when we try to create a kerberos ticket:
kinit: Cannot find KDC for realm "TEST.INTERN" while getting initial
credentials
/etc/krb5.conf:
[libdefaults]
default_realm = TEST.INTERN
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
TEST.INTERN = {
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.domain.net = TEST.INTERN
domain.net = TEST.INTERN
client1.domain.net = TEST.INTERN
The DNS Record from FreeIPA for Autodiscover are working. if I add kdc =
ipaserver.domain.net > I get the kerberos Ticket. But we want to use autodiscovery for
failover. So we do not want to add the sever address on every client.
Do you have some Idea? Thanks
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
9:51 a.m.
Am Wed, Feb 16, 2022 at 03:09:00PM -0000 schrieb David Galarreta via FreeIPA-users:
Hello!
we get the next error when we try to create a kerberos ticket:
kinit: Cannot find KDC for realm "TEST.INTERN" while getting initial
credentials
/etc/krb5.conf:
[libdefaults]
default_realm = TEST.INTERN
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
TEST.INTERN = {
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.domain.net = TEST.INTERN
domain.net = TEST.INTERN
client1.domain.net = TEST.INTERN
The DNS Record from FreeIPA for Autodiscover are working. if I add kdc =
ipaserver.domain.net > I get the kerberos Ticket. But we want to use autodiscovery for
failover. So we do not want to add the sever address on every client.
Hi,
this is most probably related to SSSD running on the same host. SSSD
provides a plugin for libkrb5 to make sure a single KDC is used as long
as possible. This is to avoid issues in environments like AD or IPA
where some data must be replicated from one domain controller to the
other. If
SSSD_KRB5_LOCATOR_DISABLE=1 kinit ....
works as expected then the locator plugin might be using some stale
data. You can check this in /var/lib/sss/pubconf/kdcinfo.TEST.INTERN
which should contain multiple IP addresses and DNS names of KDCs from
TEST.INTERN.
bye,
Sumit
Do you have some Idea? Thanks
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
4:48 a.m.
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
"IPA actually expects that primary domain and realm are the same (naming context
above has to be the same as the primary domain) "
We created DNS Records for the Domain and for the Realm. Now is working
798
days inactive
805
days old
freeipa-users@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
David Galarreta -
Striker Leggette -
Sumit Bose