Chapter 8. Adjusting IdM clients during recovery
While IdM servers are being restored, you may need to adjust IdM clients to reflect changes in the replica topology.
Procedure
Adjusting DNS configuration:
- If /etc/hosts contains any references to IdM servers, ensure that hard-coded IP-to-hostname mappings are valid.
- If IdM clients are using IdM DNS for name resolution, ensure that the nameserver entries in /etc/resolv.conf point to working IdM replicas providing DNS services.
Adjusting Kerberos configuration:
By default, IdM clients look to DNS Service records for Kerberos servers, and will adjust to changes in the replica topology:
    [root@client ~]# grep dns_lookup_kdc /etc/krb5.conf
    dns_lookup_kdc = true
If IdM clients have been hard-coded to use specific IdM servers in /etc/krb5.conf:
    [root@client ~]# grep dns_lookup_kdc /etc/krb5.conf
    dns_lookup_kdc = false
make sure the kdc, master_kdc and admin_server entries in /etc/krb5.conf are pointing to IdM servers that work properly.
Adjusting SSSD configuration:
By default, IdM clients look to DNS Service records for LDAP servers and adjust to changes in the replica topology:
    [root@client ~]# grep ipa_server /etc/sssd/sssd.conf
    ipa_server = _srv_, functional-server.example.com
If IdM clients have been hard-coded to use specific IdM servers in /etc/sssd/sssd.conf, make sure the ipa_server entry points to IdM servers that are working properly:
    [root@client ~]# grep ipa_server /etc/sssd/sssd.conf
    ipa_server = functional-server.example.com
Clearing SSSD’s cached information:
The SSSD cache may contain outdated information pertaining to lost servers. If users experience inconsistent authentication problems, purge the SSSD cache:
    [root@client ~]# sss_cache -E
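The Kerberos and SSSD checks above can be scripted when many clients need review. The following is an added example, not part of the original procedure: it lists hard-coded server references in krb5.conf and sssd.conf that are not in a list of replicas you have confirmed working. The function names, the host lost-server.example.com and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: list hard-coded IdM server references on a client that are
# not in a known-working replica list. All sample data below is constructed.

krb5_dns_lookup() {   # value of dns_lookup_kdc in a krb5.conf, or "unset"
    v=$(awk -F= '$1 ~ /^[ \t]*dns_lookup_kdc[ \t]*$/ {
        gsub(/[ \t]/, "", $2); v = $2 } END { print v }' "$1")
    echo "${v:-unset}"
}

krb5_pinned() {       # hosts in kdc, master_kdc, admin_server (port stripped)
    awk -F= '$1 ~ /^[ \t]*(kdc|master_kdc|admin_server)[ \t]*$/ {
        gsub(/[ \t]/, "", $2); sub(/:.*/, "", $2); print $2 }' "$1" | sort -u
}

sssd_pinned() {       # ipa_server entries other than the _srv_ keyword
    awk -F= '$1 ~ /^[ \t]*ipa_server[ \t]*$/ {
        n = split($2, s, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", s[i])
            if (s[i] != "" && s[i] != "_srv_") print s[i]
        } }' "$1" | sort -u
}

stale_refs() {        # $1 = root dir ("" for live /etc), $2 = working replicas
    for f in krb5.conf sssd/sssd.conf; do
        case $f in krb5.conf) hosts=$(krb5_pinned "$1/etc/$f") ;;
                   *)         hosts=$(sssd_pinned "$1/etc/$f") ;; esac
        for h in $hosts; do
            case " $2 " in *" $h "*) ;; *) echo "${f##*/} $h" ;; esac
        done
    done
}

# Constructed sample client, pinned to one lost and one working server.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/etc/sssd"
printf '%s\n' '[libdefaults]' ' dns_lookup_kdc = false' '[realms]' \
    ' EXAMPLE.COM = {' '  kdc = lost-server.example.com:88' \
    '  master_kdc = functional-server.example.com:88' \
    '  admin_server = functional-server.example.com:749' ' }' \
    > "$demo/etc/krb5.conf"
printf '%s\n' '[domain/example.com]' \
    'ipa_server = _srv_, lost-server.example.com' > "$demo/etc/sssd/sssd.conf"

echo "dns_lookup_kdc: $(krb5_dns_lookup "$demo/etc/krb5.conf")"
stale_refs "$demo" "functional-server.example.com"
```

On a live client, call stale_refs with an empty first argument and run it as root, since /etc/sssd/sssd.conf is normally readable only by root.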
Verification
Verify the Kerberos configuration by retrieving a Kerberos Ticket-Granting-Ticket as an IdM user.
Verify the SSSD configuration by retrieving IdM user information.
    [root@client ~]# id admin
    uid=1965200000(admin) gid=1965200000(admins) groups=1965200000(admins)