Krb5.conf: where can I write my other Kerberos servers?

Hello all,

Here is my default Kerberos config, which was generated on my KDE NEON by the UCS domain join.
I am using UCS 4.4.5 here.

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, sudo
domains = TUX.CC

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/TUX.CC]
auth_provider = krb5
krb5_realm = TUX.CC
krb5_server = dc1.tux.cc
krb5_kpasswd = dc1.tux.cc
id_provider = ldap
ldap_uri = ldap://dc1.tux.cc:7389
ldap_search_base = dc=tux,dc=cc
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/univention/ssl/ucsCA/CAcert.pem
cache_credentials = true
enumerate = true
ldap_default_bind_dn = cn=mypc,cn=home,cn=computers,dc=tux,dc=cc
ldap_default_authtok_type = password
ldap_default_authtok = secret

So where is the right place for more than only the master server? Where can I write my backup domain controller? Is it this?

krb5_server = dc1.tux.cc dc2.tux.cc dc3.tux.cc
krb5_kpasswd = dc1.tux.cc dc2.tux.cc dc3.tux.cc

Both?

Many thanks and best regards

I found this: https://linux.die.net/man/5/sssd-ldap
In the local man page on Ubuntu I did not find things like this:

krb5_backup_server
ldap_backup_uri

Not yet tested, but the SSSD service starts.

I would give this a try:

SERVICE DISCOVERY
       The service discovery feature allows back ends to automatically find the appropriate servers to connect to using a special DNS query. This feature is not supported for backup servers.

   Configuration
       If no servers are specified, the back end automatically uses service discovery to try to find a server. Optionally, the user may choose to use both fixed server addresses and service discovery by inserting a special keyword,
       “_srv_”, in the list of servers. The order of preference is maintained. This feature is useful if, for example, the user prefers to use service discovery whenever possible, and fall back to a specific server when no servers can
       be discovered using DNS.

   The domain name
       Please refer to the “dns_discovery_domain” parameter in the sssd.conf(5) manual page for more details.

   The protocol
       The queries usually specify _tcp as the protocol. Exceptions are documented in respective option description.

   See Also
       For more information on the service discovery mechanism, refer to RFC 2782.
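The posts above name the pieces involved: the primary lists (krb5_server, krb5_kpasswd, ldap_uri), the backup keys krb5_backup_server and ldap_backup_uri, and the “_srv_” keyword for DNS service discovery. As an added example that is not code from this thread, from Univention or from the SSSD project, here is a small Python check that reads an sssd.conf, reports every domain whose Kerberos or LDAP server list still has a single fixed host, and writes a copy with backup entries added. It assumes the lists are comma-separated, as sssd-krb5(5) and sssd-ldap(5) document them, and uses krb5_backup_kpasswd from sssd-krb5(5), which the thread does not mention. The sample configuration is the one from the question, embedded inline and trimmed to the keys that are checked; the hosts dc2.tux.cc and dc3.tux.cc are the ones named in the question.

```python
# Added example, not code from the thread, from UCS or from the SSSD project. Assumes comma-separated
# server lists as documented in sssd-krb5(5)/sssd-ldap(5); krb5_backup_kpasswd is from sssd-krb5(5).
import configparser
import io
from collections import namedtuple
from urllib.parse import urlsplit

SRV = "_srv_"  # keyword that enables DNS SRV service discovery in a server list
Finding = namedtuple("Finding", "domain key severity message")  # severity: high, medium or info

# Constructed sample: the single-server configuration from the question, trimmed to the keys checked.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = TUX.CC

[domain/TUX.CC]
auth_provider = krb5
krb5_server = dc1.tux.cc
krb5_kpasswd = dc1.tux.cc
id_provider = ldap
ldap_uri = ldap://dc1.tux.cc:7389
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/univention/ssl/ucsCA/CAcert.pem
cache_credentials = true
ldap_default_authtok_type = password
ldap_default_authtok = secret
"""

# (primary list, backup list): failover needs a second fixed host in one of the two
SERVER_KEYS = [("krb5_server", "krb5_backup_server"),
               ("krb5_kpasswd", "krb5_backup_kpasswd"),
               ("ldap_uri", "ldap_backup_uri")]

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)  # a '%' in a bind password stays literal
    cp.read_string(text)
    return cp

def split_servers(value):
    """Split a comma-separated sssd server list; a missing key gives []."""
    return [s.strip() for s in (value or "").split(",") if s.strip()]

def domain_sections(cp):
    # (domain, section name) for every domain listed under [sssd] that has its own section
    for d in split_servers(cp.get("sssd", "domains", fallback="")):
        if cp.has_section(f"domain/{d}"):
            yield d, f"domain/{d}"

def check_domain(domain, sec):
    """Findings for one [domain/...] section (a configparser SectionProxy)."""
    found = []
    for primary, backup in SERVER_KEYS:
        if primary not in sec:
            continue  # unset: sssd locates the server another way; not assessed here
        hosts = split_servers(sec.get(primary)) + split_servers(sec.get(backup))
        fixed = [h for h in hosts if h != SRV]
        if len(fixed) < 2 and SRV in hosts:
            found.append(Finding(domain, primary, "info", "failover relies on DNS SRV discovery "
                                 "only; confirm with klist once the first host is unreachable"))
        elif len(fixed) < 2:
            found.append(Finding(domain, primary, "high", f"single host {', '.join(fixed) or 'none'}"
                                 f": add hosts to {primary} or set {backup}"))
    if sec.get("ldap_tls_reqcert", "").lower() == "never":
        found.append(Finding(domain, "ldap_tls_reqcert", "high", "LDAP server certificate is not "
                             "verified; set 'demand' with ldap_tls_cacert pointing at the domain CA"))
    if "ldap_default_authtok" in sec and sec.get("ldap_default_authtok_type", "") == "password":
        found.append(Finding(domain, "ldap_default_authtok", "medium", "cleartext bind password "
                             "in sssd.conf; keep the file root-owned with mode 0600"))
    if sec.getboolean("cache_credentials", fallback=False):
        found.append(Finding(domain, "cache_credentials", "info", "cached logins keep working while "
                             "the KDC is down, so a broken failover shows only as a missing ticket (klist)"))
    return found

def check_conf(text):
    cp = load_conf(text)
    return [f for d, name in domain_sections(cp) for f in check_domain(d, cp[name])]

def propose_backups(sec, backup_hosts):
    """Backup keys that give every configured primary list the extra hosts."""
    proposal = {}
    for primary, backup in SERVER_KEYS:
        if primary not in sec:
            continue
        if primary == "ldap_uri":  # reuse scheme and port of the first fixed primary URI
            uris = [u for u in split_servers(sec.get(primary)) if u != SRV]
            first = urlsplit(uris[0] if uris else "ldap://")
            port = f":{first.port}" if first.port else ""
            proposal[backup] = ", ".join(f"{first.scheme}://{h}{port}" for h in backup_hosts)
        else:
            proposal[backup] = ", ".join(backup_hosts)
    return proposal

def harden_backups(text, backup_hosts):
    # sssd.conf text with the proposed backup keys written into every domain section
    cp = load_conf(text)
    for _, name in domain_sections(cp):
        for key, value in propose_backups(cp[name], backup_hosts).items():
            cp.set(name, key, value)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

To check a live file, run check_conf(open("/etc/sssd/sssd.conf").read()) as root; harden_backups(text, ["dc2.tux.cc", "dc3.tux.cc"]) returns the rewritten text for review before it replaces the file. Besides the missing backups, the check flags ldap_tls_reqcert = never, which disables verification of the LDAP server certificate even though the UCS CA file is already configured, and cache_credentials = true, which is why an outage of the only KDC shows up as a missing ticket rather than as a failed login.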

Yes, it should work, but no, not really. I’ve tested it on our environments. Maybe Windows clients do use this, but not Linux clients. You don’t notice it because sssd caches everything, but there is no Kerberos ticket.

I spent time on this project and tested it here in my environment. And no, without extra entries, there is no redundancy. My whole report and my working config files are here in my wiki:

https://deepdoc.at/dokuwiki/doku.php?id=prebuilt_systems:ucs:kerberos_ausfallsicherheit_und_richtige_config_von_sssd_am_kde_neon_ubuntuclient_mit_ucs