Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 8. Adjusting IdM clients during recovery

While IdM servers are being restored, you may need to adjust IdM clients to reflect changes in the replica topology.

Procedure

  1. Adjusting DNS configuration:

    1. If /etc/hosts contains any references to IdM servers, ensure that hard-coded IP-to-hostname mappings are valid.
    2. If IdM clients are using IdM DNS for name resolution, ensure that the nameserver entries in /etc/resolv.conf point to working IdM replicas providing DNS services.

  2. Adjusting Kerberos configuration:

    1. By default, IdM clients look to DNS Service records for Kerberos servers, and will adjust to changes in the replica topology: 

      [root@client ~]# grep dns_lookup_kdc /etc/krb5.conf
  dns_lookup_kdc = true
      Copy to Clipboard Toggle word wrap

    2. If IdM clients have been hard-coded to use specific IdM servers in /etc/krb5.conf: 

      [root@client ~]# grep dns_lookup_kdc /etc/krb5.conf
  dns_lookup_kdc = false
      Copy to Clipboard Toggle word wrap

      make sure kdc, master_kdc and admin_server entries in /etc/krb5.conf are pointing to IdM servers that work properly: 

      [realms]
 EXAMPLE.COM = {
  kdc = functional-server.example.com:88
  master_kdc = functional-server.example.com:88
  admin_server = functional-server.example.com:749
  default_domain = example.com
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
      Copy to Clipboard Toggle word wrap

  3. Adjusting SSSD configuration:

    1. By default, IdM clients look to DNS Service records for LDAP servers and adjust to changes in the replica topology: 

      [root@client ~]# grep ipa_server /etc/sssd/sssd.conf
ipa_server = _srv_, functional-server.example.com
      Copy to Clipboard Toggle word wrap

    2. If IdM clients have been hard-coded to use specific IdM servers in /etc/sssd/sssd.conf, make sure the ipa_server entry points to IdM servers that are working properly: 

      [root@client ~]# grep ipa_server /etc/sssd/sssd.conf
ipa_server = functional-server.example.com
      Copy to Clipboard Toggle word wrap

  4. Clearing SSSD’s cached information:

    • The SSSD cache may contain outdated information pertaining to lost servers. If users experience inconsistent authentication problems, purge the SSSD cache : 

      [root@client ~]# sss_cache -E
      Copy to Clipboard Toggle word wrap

Verification

  1. Verify the Kerberos configuration by retrieving a Kerberos Ticket-Granting-Ticket as an IdM user. 

    [root@client ~]# kinit admin
Password for admin@EXAMPLE.COM:

[root@client ~]# klist
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
10/31/2019 18:44:58  11/25/2019 18:44:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  2. Verify the SSSD configuration by retrieving IdM user information. 

    [root@client ~]# id admin
uid=1965200000(admin) gid=1965200000(admins) groups=1965200000(admins)
    Copy to Clipboard Toggle word wrap
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2026 Red HatVolver arriba