On Thu, Sep 21, 2017 at 01:07:23PM -0400, Simo Sorce wrote:
> On Thu, 2017-09-21 at 17:56 +0200, Sumit Bose wrote:
> > On Thu, Sep 21, 2017 at 11:23:20AM -0400, Simo Sorce wrote:
> > > On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> > > > Here you are.
> > > > local master: kvm-02-guest11.testrelm.test
> > > > replica: bkr-hv01-guest19.testrelm.test
> > > >
> > > > [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> > > > includedir /etc/krb5.conf.d/
> > > > includedir /var/lib/sss/pubconf/krb5.include.d/
> > > >
> > > > [logging]
> > > > default = FILE:/var/log/krb5libs.log
> > > > kdc = FILE:/var/log/krb5kdc.log
> > > > admin_server = FILE:/var/log/kadmind.log
> > > >
> > > > [libdefaults]
> > > > default_realm = TESTRELM.TEST
> > > > dns_lookup_realm = false
> > > > dns_lookup_kdc = true
> > >
> > > This ^^^^ sounds wrong on a master
> >
> > no, you need this to find any AD DC in a trusted forest.
>
> Shouldn't SSSD do that for us via proper site discovery ?

yes, this is planned to some extent but you still have a chicken-egg
problem during 'ipa trust-add'.

But see my other email, I think there might be an issue or at least
unexpected behavior with our usage of the admin_server option in
/etc/krb5.conf.

bye,
Sumit
>
> Simo.
>
> > bye,
> > Sumit
> >
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce
> > > Sr. Principal Software Engineer
> > > Red Hat, Inc
> > >