[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On Tue, Oct 03, 2017 at 05:16:24PM -0400, Robbie Harwood wrote:
> Sumit Bose writes:
>
> > On Thu, Sep 21, 2017 at 04:52:32PM +0200, Lukas Slebodnik wrote:
> >> On (12/09/17 18:44), Sumit Bose wrote:
> >>> On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
> >>>> ehlo,
> >>>>
> >>>> I realized that it might be better to discuss it here rather than in
> >>>> pull requests because it seems to be related to two different commits.
> >>>>
> >>>> I will describe a test case on master with already created replica on
> >>>> another host.
> >>>> * kinit as admin
> >>>> // create user with dummy password
> >>>> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
> >>>>   --password
> >>>>
> >>>> // adding sleep think that first kinit hits slave sometimes and the user is
> >>>> // not replicated yet.
> >>>> * sleep 2
> >>>> * FirstKinitAs $login $dummypw $password
> >>>>
> >>>> FirstKinitAs is a bash function which changes the initial password,
> >>>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
> >>>>
> >>>> Such test works reliably with 1.15.3 and kinit always talks to local master
> >>>> (I didn't try to remove sleep 2)
> >>>>
> >>>> But situation changed a little bit with git master due to following commits
> >>>> IPA: Only generate kdcinfo files on clients
> >>>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
> >>>
> >>> Do you have the /etc/krb5.conf available from the host where the
> >>> test failed. The above patch was written with the assumption that
> >>> /etc/krb5.conf on the IPA server points to the server itself as
> >>> ipa-server-install creates it:
> >>>
> >>> [realms]
> >>>  IPA.DEVEL = {
> >>>   kdc = ipa-devel.ipa.devel:88
> >>>   master_kdc = ipa-devel.ipa.devel:88
> >>>   admin_server = ipa-devel.ipa.devel:749
> >>>   default_domain = ipa.devel
> >>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>>  }
> >>>
> >>> Currently I would assume that at least admin_server is missing.
> >>>
> >> Here you are.
> >> local master: kvm-02-guest11.testrelm.test
> >> replica: bkr-hv01-guest19.testrelm.test
> >>
> >> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> >> includedir /etc/krb5.conf.d/
> >> includedir /var/lib/sss/pubconf/krb5.include.d/
> >>
> >> [logging]
> >>  default = FILE:/var/log/krb5libs.log
> >>  kdc = FILE:/var/log/krb5kdc.log
> >>  admin_server = FILE:/var/log/kadmind.log
> >>
> >> [libdefaults]
> >>  default_realm = TESTRELM.TEST
> >>  dns_lookup_realm = false
> >>  dns_lookup_kdc = true
> >>  rdns = false
> >>  ticket_lifetime = 24h
> >>  forwardable = true
> >>  udp_preference_limit = 0
> >>  default_ccache_name = KEYRING:persistent:%{uid}
> >>
> >> [realms]
> >>  TESTRELM.TEST = {
> >>   kdc = kvm-02-guest11.testrelm.test:88
> >>   master_kdc = kvm-02-guest11.testrelm.test:88
> >>   admin_server = kvm-02-guest11.testrelm.test:749
> >>   default_domain = testrelm.test
> >>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> >>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> >>  }
> >
> > Thank you, so the krb5.conf has the expected entries. I did some testing
> > and found that libkrb5 does a DNS SRV lookup to find the kpasswd server
> > although the man page says:
> >
> > """
> > kpasswd_server
> >     Points to the server where all the password changes are
> >     performed. If there is no such entry, the port 464 on the admin_server
> >     host will be tried.
> > """
> >
> > To me it looks like the advertised fallback to admin_server if there is
> > no kpasswd_server defined does not work.
> >
> > Robbie, is this expected or is it possible that there is an issue in
> > libkrb5?
>
> It's possible there's an issue, but I'd need to look more. Could you
> file a ticket so we can track it?

Thank you, I opened https://bugzilla.redhat.com/show_bug.cgi?id=1498347.

bye,
Sumit

> Thanks,
> --Robbie

___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
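As an added example (not code from the thread, SSSD or FreeIPA): a small Python checker for the question the thread circles around, namely whether an IPA master's krb5.conf by itself keeps KDC and kpasswd traffic on the local host once SSSD no longer writes kdcinfo files there. It parses the [realms] and [libdefaults] sections, applies the kpasswd rule from the man page text quoted above (kpasswd_server, else the admin_server host on port 464) and reports anything that would let traffic leave the host; the parser, the sample config (constructed from the one Lukas posted) and the local hostname are assumptions, and the output describes what the configuration says, not what a given libkrb5 build actually does.

```python
# Added example (not SSSD or FreeIPA code): what a krb5.conf says about where
# an IPA master sends KDC traffic and password changes.
import re
import socket
import sys

# Constructed from the krb5.conf posted in the thread; includedir lines dropped.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = TESTRELM.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
[realms]
 TESTRELM.TEST = {
  kdc = kvm-02-guest11.testrelm.test:88
  master_kdc = kvm-02-guest11.testrelm.test:88
  admin_server = kvm-02-guest11.testrelm.test:749
  default_domain = testrelm.test
 }
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into {section: {key: value}}."""
    # '{' opens a nested dict (one level is enough for [realms]); a key repeated
    # in one block (several kdc lines) becomes a list; includes are skipped.
    sections, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith(('include ', 'includedir ')):
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m and not stack:
            section = sections.setdefault(m.group(1), {})
            continue
        if line == '}':
            if stack:
                stack.pop()
            continue
        if section is None:
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        target = stack[-1] if stack else section
        if value == '{':
            target[key] = {}
            stack.append(target[key])
        elif key in target:
            target[key] = (target[key] if isinstance(target[key], list) else [target[key]]) + [value]
        else:
            target[key] = value
    return sections

def split_hostport(entry, default_port):
    """'host:port' -> (host, port); a bare host gets default_port (no IPv6 literals)."""
    host, sep, port = entry.rpartition(':')
    if sep and port.isdigit():
        return host, int(port)
    return entry, default_port

def kerberos_targets(conf, realm):
    """Where the config sends KDC traffic and password changes for `realm`."""
    r = conf.get('realms', {}).get(realm, {})
    kdc = r.get('kdc')
    kdcs = [split_hostport(e, 88) for e in (kdc if isinstance(kdc, list) else [kdc] if kdc else [])]
    if r.get('kpasswd_server'):
        kpasswd = split_hostport(r['kpasswd_server'], 464)
    elif r.get('admin_server'):
        # man-page rule quoted in the thread: the admin_server host on port 464
        kpasswd = (split_hostport(r['admin_server'], 749)[0], 464)
    else:
        kpasswd = None
    # libkrb5 treats dns_lookup_kdc as true when it is not set at all
    dns = conf.get('libdefaults', {}).get('dns_lookup_kdc', 'true').lower()
    return {'kdc': kdcs, 'kpasswd': kpasswd, 'dns_lookup_kdc': dns in ('true', 'yes', '1')}

def check_master(conf, realm, local_fqdn):
    """Findings for a host that should be its own KDC and kpasswd server."""
    t = kerberos_targets(conf, realm)
    findings = []
    kdc_hosts = sorted({h for h, _ in t['kdc']})
    if kdc_hosts != [local_fqdn]:
        findings.append('kdc entries %s do not point only at %s' % (kdc_hosts, local_fqdn))
    if t['kpasswd'] is None:
        findings.append('neither kpasswd_server nor admin_server set: password '
                        'changes depend on DNS discovery')
    elif t['kpasswd'][0] != local_fqdn:
        findings.append('password changes would go to %s, not %s' % (t['kpasswd'][0], local_fqdn))
    if t['dns_lookup_kdc']:
        findings.append('dns_lookup_kdc is true: SRV discovery remains a fallback '
                        '(the thread notes AD trust lookups need it)')
    return findings

if __name__ == '__main__':
    # Usage: python check_krb5_locality.py [/etc/krb5.conf]; no path checks the sample.
    conf = parse_krb5_conf(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF)
    fqdn = socket.getfqdn() if len(sys.argv) > 1 else 'kvm-02-guest11.testrelm.test'
    print('\n'.join(check_master(conf, conf['libdefaults']['default_realm'], fqdn) or ['no findings']))
```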
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
Sumit Bose writes:

> On Thu, Sep 21, 2017 at 04:52:32PM +0200, Lukas Slebodnik wrote:
>> On (12/09/17 18:44), Sumit Bose wrote:
>>> On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
>>>> ehlo,
>>>>
>>>> I realized that it might be better to discuss it here rather than in
>>>> pull requests because it seems to be related to two different commits.
>>>>
>>>> I will describe a test case on master with already created replica on
>>>> another host.
>>>> * kinit as admin
>>>> // create user with dummy password
>>>> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>>>>   --password
>>>>
>>>> // adding sleep think that first kinit hits slave sometimes and the user is
>>>> // not replicated yet.
>>>> * sleep 2
>>>> * FirstKinitAs $login $dummypw $password
>>>>
>>>> FirstKinitAs is a bash function which changes the initial password,
>>>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>>>>
>>>> Such test works reliably with 1.15.3 and kinit always talks to local master
>>>> (I didn't try to remove sleep 2)
>>>>
>>>> But situation changed a little bit with git master due to following commits
>>>> IPA: Only generate kdcinfo files on clients
>>>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>>>
>>> Do you have the /etc/krb5.conf available from the host where the
>>> test failed. The above patch was written with the assumption that
>>> /etc/krb5.conf on the IPA server points to the server itself as
>>> ipa-server-install creates it:
>>>
>>> [realms]
>>>  IPA.DEVEL = {
>>>   kdc = ipa-devel.ipa.devel:88
>>>   master_kdc = ipa-devel.ipa.devel:88
>>>   admin_server = ipa-devel.ipa.devel:749
>>>   default_domain = ipa.devel
>>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>  }
>>>
>>> Currently I would assume that at least admin_server is missing.
>>>
>> Here you are.
>> local master: kvm-02-guest11.testrelm.test
>> replica: bkr-hv01-guest19.testrelm.test
>>
>> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
>> includedir /etc/krb5.conf.d/
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  default_realm = TESTRELM.TEST
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = true
>>  rdns = false
>>  ticket_lifetime = 24h
>>  forwardable = true
>>  udp_preference_limit = 0
>>  default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>>  TESTRELM.TEST = {
>>   kdc = kvm-02-guest11.testrelm.test:88
>>   master_kdc = kvm-02-guest11.testrelm.test:88
>>   admin_server = kvm-02-guest11.testrelm.test:749
>>   default_domain = testrelm.test
>>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>>  }
>
> Thank you, so the krb5.conf has the expected entries. I did some testing
> and found that libkrb5 does a DNS SRV lookup to find the kpasswd server
> although the man page says:
>
> """
> kpasswd_server
>     Points to the server where all the password changes are
>     performed. If there is no such entry, the port 464 on the admin_server
>     host will be tried.
> """
>
> To me it looks like the advertised fallback to admin_server if there is
> no kpasswd_server defined does not work.
>
> Robbie, is this expected or is it possible that there is an issue in
> libkrb5?

It's possible there's an issue, but I'd need to look more. Could you
file a ticket so we can track it?

Thanks,
--Robbie
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On Thu, Sep 21, 2017 at 01:07:23PM -0400, Simo Sorce wrote:
> On Thu, 2017-09-21 at 17:56 +0200, Sumit Bose wrote:
> > On Thu, Sep 21, 2017 at 11:23:20AM -0400, Simo Sorce wrote:
> > > On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> > > > Here you are.
> > > > local master: kvm-02-guest11.testrelm.test
> > > > replica: bkr-hv01-guest19.testrelm.test
> > > >
> > > > [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> > > > includedir /etc/krb5.conf.d/
> > > > includedir /var/lib/sss/pubconf/krb5.include.d/
> > > >
> > > > [logging]
> > > >  default = FILE:/var/log/krb5libs.log
> > > >  kdc = FILE:/var/log/krb5kdc.log
> > > >  admin_server = FILE:/var/log/kadmind.log
> > > >
> > > > [libdefaults]
> > > >  default_realm = TESTRELM.TEST
> > > >  dns_lookup_realm = false
> > > >  dns_lookup_kdc = true
> > >
> > > This sounds wrong on a master
> >
> > no, you need this to find any AD DC in a trusted forest.
>
> Shouldn't SSSD do that for us via proper site discovery ?

yes, this is planned to some extent but you still have a chicken-egg
problem during 'ipa trust-add'.

But see my other email, I think there might be an issue or at least
unexpected behavior with our usage of the admin_server option in
/etc/krb5.conf.

bye,
Sumit

> Simo.
>
> > bye,
> > Sumit
> >
> > > Simo.
> > >
> > > --
> > > Simo Sorce
> > > Sr. Principal Software Engineer
> > > Red Hat, Inc
>
> --
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On Thu, 2017-09-21 at 17:56 +0200, Sumit Bose wrote:
> On Thu, Sep 21, 2017 at 11:23:20AM -0400, Simo Sorce wrote:
> > On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> > > Here you are.
> > > local master: kvm-02-guest11.testrelm.test
> > > replica: bkr-hv01-guest19.testrelm.test
> > >
> > > [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> > > includedir /etc/krb5.conf.d/
> > > includedir /var/lib/sss/pubconf/krb5.include.d/
> > >
> > > [logging]
> > >  default = FILE:/var/log/krb5libs.log
> > >  kdc = FILE:/var/log/krb5kdc.log
> > >  admin_server = FILE:/var/log/kadmind.log
> > >
> > > [libdefaults]
> > >  default_realm = TESTRELM.TEST
> > >  dns_lookup_realm = false
> > >  dns_lookup_kdc = true
> >
> > This sounds wrong on a master
>
> no, you need this to find any AD DC in a trusted forest.

Shouldn't SSSD do that for us via proper site discovery ?

Simo.

> bye,
> Sumit
>
> > Simo.
> >
> > --
> > Simo Sorce
> > Sr. Principal Software Engineer
> > Red Hat, Inc

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On Thu, Sep 21, 2017 at 11:23:20AM -0400, Simo Sorce wrote:
> On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> > Here you are.
> > local master: kvm-02-guest11.testrelm.test
> > replica: bkr-hv01-guest19.testrelm.test
> >
> > [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> > includedir /etc/krb5.conf.d/
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> >
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> >
> > [libdefaults]
> >  default_realm = TESTRELM.TEST
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = true
>
> This sounds wrong on a master

no, you need this to find any AD DC in a trusted forest.

bye,
Sumit

> Simo.
>
> --
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On Thu, Sep 21, 2017 at 04:52:32PM +0200, Lukas Slebodnik wrote:
> On (12/09/17 18:44), Sumit Bose wrote:
> >On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
> >> ehlo,
> >>
> >> I realized that it might be better to discuss it here rather than in
> >> pull requests because it seems to be related to two different commits.
> >>
> >> I will describe a test case on master with already created replica on
> >> another host.
> >> * kinit as admin
> >> // create user with dummy password
> >> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
> >>   --password
> >>
> >> // adding sleep think that first kinit hits slave sometimes and the user is
> >> // not replicated yet.
> >> * sleep 2
> >> * FirstKinitAs $login $dummypw $password
> >>
> >> FirstKinitAs is a bash function which changes the initial password,
> >> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
> >>
> >> Such test works reliably with 1.15.3 and kinit always talks to local master
> >> (I didn't try to remove sleep 2)
> >>
> >> But situation changed a little bit with git master due to following commits
> >> IPA: Only generate kdcinfo files on clients
> >> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
> >
> >Do you have the /etc/krb5.conf available from the host where the test
> >failed. The above patch was written with the assumption that
> >/etc/krb5.conf on the IPA server points to the server itself as
> >ipa-server-install creates it:
> >
> >[realms]
> > IPA.DEVEL = {
> >  kdc = ipa-devel.ipa.devel:88
> >  master_kdc = ipa-devel.ipa.devel:88
> >  admin_server = ipa-devel.ipa.devel:749
> >  default_domain = ipa.devel
> >  pkinit_anchors = FILE:/etc/ipa/ca.crt
> > }
> >
> >Currently I would assume that at least admin_server is missing.
> >
> Here you are.
> local master: kvm-02-guest11.testrelm.test
> replica: bkr-hv01-guest19.testrelm.test
>
> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = TESTRELM.TEST
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = true
>  udp_preference_limit = 0
>  default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
>  TESTRELM.TEST = {
>   kdc = kvm-02-guest11.testrelm.test:88
>   master_kdc = kvm-02-guest11.testrelm.test:88
>   admin_server = kvm-02-guest11.testrelm.test:749
>   default_domain = testrelm.test
>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>  }

Thank you, so the krb5.conf has the expected entries. I did some testing
and found that libkrb5 does a DNS SRV lookup to find the kpasswd server
although the man page says:

"""
kpasswd_server
    Points to the server where all the password changes are
    performed. If there is no such entry, the port 464 on the admin_server
    host will be tried.
"""

To me it looks like the advertised fallback to admin_server if there is
no kpasswd_server defined does not work.

Robbie, is this expected or is it possible that there is an issue in
libkrb5?

bye,
Sumit

> [domain_realm]
>  .testrelm.test = TESTRELM.TEST
>  testrelm.test = TESTRELM.TEST
>  kvm-02-guest11.testrelm.test = TESTRELM.TEST
>
> [dbmodules]
>  TESTRELM.TEST = {
>   db_library = ipadb.so
>  }
>
> [root@kvm-02-guest11 ~]# ls /etc/krb5.conf.d/
> ipa-certauth
> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf.d/ipa-certauth
> [plugins]
>  certauth = {
>   module = ipakdb:kdb/ipadb.so
>   enable_only = ipakdb
>  }
>
> [root@kvm-02-guest11 ~]# ls /var/lib/sss/pubconf/krb5.include.d/
> domain_realm_testrelm_test  krb5_libdefaults  localauth_plugin
> [root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_testrelm_test
> [domain_realm]
> [root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
> [libdefaults]
>  canonicalize = true
> [root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> [plugins]
>  localauth = {
>   module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
>  }
>
> -
> Added user "delegatuser2"
> -
>   User login: delegatuser2
>   First name: first
>   Last name: last
>   Full name: first last
>   Display name: first last
>   Initials: fl
>   Home directory: /home/delegatuser2
>   GECOS: first last
>   Login shell: /bin/sh
>   Principal name: delegatus...@testrelm.test
>   Principal alias: delegatus...@testrelm.test
>   Email address: delegatus...@testrelm.test
>   UID: 1622800023
>   GID: 1622800023
>   Password: True
>   Member of groups:
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> Here you are.
> local master: kvm-02-guest11.testrelm.test
> replica: bkr-hv01-guest19.testrelm.test
>
> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = TESTRELM.TEST
>  dns_lookup_realm = false
>  dns_lookup_kdc = true

This sounds wrong on a master

Simo.

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On (21/09/17 13:33), Jakub Hrozek wrote:
>On Thu, Sep 21, 2017 at 01:30:17PM +0200, Lukas Slebodnik wrote:
>> On (21/09/17 13:22), Jakub Hrozek wrote:
>> >clients. But I thought krb5.conf should also contain only the local
>> >master..does the config file in the issue you saw contain something
>> >else?
>> >
>> >I mean, if we revert the patch and krb5.conf contains no records or multiple
>> >records, then I think the libkrb5 configuration is broken and we are relying
>> >on sssd injecting a valid value into an otherwise invalid krb5
>> >configuration.
>> >
>>
>> I'm waiting for machine to see content of krb5.conf and then I'll check
>> Sumit's assumption.
>
>I also wonder if the bug might be in IPv4/IPv6 resolution. Because IIRC
>libc prefers IPv6 addresses during resolution, but SSSD prefers IPv4 and
>the kdcinfo file would contain a v4 address.
>
>But then I guess reverting the patch and injecting the kdcinfo file
>would help..

If it's a bug in krb5-libs then we should fix it (because it can cause
intermittent failures in other tests);
* reverting the patch might be a temporary workaround.

LS
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On (12/09/17 18:44), Sumit Bose wrote:
>On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
>> ehlo,
>>
>> I realized that it might be better to discuss it here rather than in
>> pull requests because it seems to be related to two different commits.
>>
>> I will describe a test case on master with already created replica on another
>> host.
>> * kinit as admin
>> // create user with dummy password
>> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>>   --password
>>
>> // adding sleep think that first kinit hits slave sometimes and the user is
>> // not replicated yet.
>> * sleep 2
>> * FirstKinitAs $login $dummypw $password
>>
>> FirstKinitAs is a bash function which changes the initial password,
>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>>
>> Such test works reliably with 1.15.3 and kinit always talks to local master
>> (I didn't try to remove sleep 2)
>>
>> But situation changed a little bit with git master due to following commits
>> IPA: Only generate kdcinfo files on clients
>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>
>Do you have the /etc/krb5.conf available from the host where the test
>failed. The above patch was written with the assumption that
>/etc/krb5.conf on the IPA server points to the server itself as
>ipa-server-install creates it:
>
>[realms]
> IPA.DEVEL = {
>  kdc = ipa-devel.ipa.devel:88
>  master_kdc = ipa-devel.ipa.devel:88
>  admin_server = ipa-devel.ipa.devel:749
>  default_domain = ipa.devel
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
>Currently I would assume that at least admin_server is missing.
>

Here you are.
local master: kvm-02-guest11.testrelm.test
replica: bkr-hv01-guest19.testrelm.test

[root@kvm-02-guest11 ~]# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTRELM.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 TESTRELM.TEST = {
  kdc = kvm-02-guest11.testrelm.test:88
  master_kdc = kvm-02-guest11.testrelm.test:88
  admin_server = kvm-02-guest11.testrelm.test:749
  default_domain = testrelm.test
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 }

[domain_realm]
 .testrelm.test = TESTRELM.TEST
 testrelm.test = TESTRELM.TEST
 kvm-02-guest11.testrelm.test = TESTRELM.TEST

[dbmodules]
 TESTRELM.TEST = {
  db_library = ipadb.so
 }

[root@kvm-02-guest11 ~]# ls /etc/krb5.conf.d/
ipa-certauth
[root@kvm-02-guest11 ~]# cat /etc/krb5.conf.d/ipa-certauth
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }

[root@kvm-02-guest11 ~]# ls /var/lib/sss/pubconf/krb5.include.d/
domain_realm_testrelm_test  krb5_libdefaults  localauth_plugin
[root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_testrelm_test
[domain_realm]
[root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
[libdefaults]
 canonicalize = true
[root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

-
Added user "delegatuser2"
-
  User login: delegatuser2
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/delegatuser2
  GECOS: first last
  Login shell: /bin/sh
  Principal name: delegatus...@testrelm.test
  Principal alias: delegatus...@testrelm.test
  Email address: delegatus...@testrelm.test
  UID: 1622800023
  GID: 1622800023
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
:: [ PASS ] :: add test user account (Expected 0, got 0)
:: [ BEGIN ] :: Running 'FirstKinitAs delegatuser2 dummy...@ipa.com passw0rd1'
[3190] 1505997473.156106: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: delegatus...@testrelm.test
[3192] 1505997473.161781: Getting initial credentials for delegatus...@testrelm.test
[3192] 1505997473.163737: Sending request (182 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.163848: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.164170: Initiating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.164235: Sending TCP request
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On Thu, Sep 21, 2017 at 01:30:17PM +0200, Lukas Slebodnik wrote:
> On (21/09/17 13:22), Jakub Hrozek wrote:
> >clients. But I thought krb5.conf should also contain only the local
> >master..does the config file in the issue you saw contain something
> >else?
> >
> >I mean, if we revert the patch and krb5.conf contains no records or multiple
> >records, then I think the libkrb5 configuration is broken and we are relying
> >on sssd injecting a valid value into an otherwise invalid krb5 configuration.
> >
>
> I'm waiting for machine to see content of krb5.conf and then I'll check
> Sumit's assumption.

I also wonder if the bug might be in IPv4/IPv6 resolution. Because IIRC
libc prefers IPv6 addresses during resolution, but SSSD prefers IPv4 and
the kdcinfo file would contain a v4 address.

But then I guess reverting the patch and injecting the kdcinfo file
would help..
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On (21/09/17 13:22), Jakub Hrozek wrote:
>On Thu, Sep 21, 2017 at 01:15:00PM +0200, Lukas Slebodnik wrote:
>> On (12/09/17 15:45), Lukas Slebodnik wrote:
>> >ehlo,
>> >
>> >I realized that it might be better to discuss it here rather than in
>> >pull requests because it seems to be related to two different commits.
>> >
>> >I will describe a test case on master with already created replica on
>> >another host.
>> >* kinit as admin
>> >// create user with dummy password
>> >* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>> >  --password
>> >
>> >// adding sleep think that first kinit hits slave sometimes and the user is
>> >// not replicated yet.
>> >* sleep 2
>> >* FirstKinitAs $login $dummypw $password
>> >
>> >FirstKinitAs is a bash function which changes the initial password,
>> >something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>> >
>> >Such test works reliably with 1.15.3 and kinit always talks to local master
>> >(I didn't try to remove sleep 2)
>> >
>> >But situation changed a little bit with git master due to following commits
>> >IPA: Only generate kdcinfo files on clients
>> >https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>>
>> Jakub,
>> Could you explain what was the purpose of the patch?
>
>Protect against generating kdcinfo files that contain a different
>address than the IPA master we are running at. The bug itself is just
>additional protection from sssd messing up a valid krb5.conf
>configuration.
>
>> Because I do not think that patch fixes anything.
>>
>> If there were some issues with generated kdcinfo files on ipa replicas
>> then I assume it is a bug in replica promotion which left _srv_ in
>> ipa_server
>
>Yes, but even if that bug is fixed, it is pointless to generate the
>files, because the only address that will ever make sense is the IPA
>server. And it should be already defined in krb5.conf.
>
>> https://pagure.io/freeipa/issue/7127
>> https://github.com/freeipa/freeipa/pull/1005
>>
>> Because my experience is that after reverting patch
>> a309525cc47da726461aec1f238165c17aade2a6 sssd generates kdcinfo
>> just for local kdc server and sssd_krb5_locator_plugin.so will
>> use it and does not allow krb5 libs to try srv discovery.
>
>Yes, but you don't want to allow SRV discovery on the masters. Only on
>clients. But I thought krb5.conf should also contain only the local
>master..does the config file in the issue you saw contain something
>else?
>
>I mean, if we revert the patch and krb5.conf contains no records or multiple
>records, then I think the libkrb5 configuration is broken and we are relying
>on sssd injecting a valid value into an otherwise invalid krb5 configuration.
>

I'm waiting for machine to see content of krb5.conf and then I'll check
Sumit's assumption.

LS
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On Thu, Sep 21, 2017 at 01:15:00PM +0200, Lukas Slebodnik wrote:
> On (12/09/17 15:45), Lukas Slebodnik wrote:
> >ehlo,
> >
> >I realized that it might be better to discuss it here rather than in
> >pull requests because it seems to be related to two different commits.
> >
> >I will describe a test case on master with already created replica on another
> >host.
> >* kinit as admin
> >// create user with dummy password
> >* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
> >  --password
> >
> >// adding sleep think that first kinit hits slave sometimes and the user is
> >// not replicated yet.
> >* sleep 2
> >* FirstKinitAs $login $dummypw $password
> >
> >FirstKinitAs is a bash function which changes the initial password,
> >something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
> >
> >Such test works reliably with 1.15.3 and kinit always talks to local master
> >(I didn't try to remove sleep 2)
> >
> >But situation changed a little bit with git master due to following commits
> >IPA: Only generate kdcinfo files on clients
> >https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>
> Jakub,
> Could you explain what was the purpose of the patch?

Protect against generating kdcinfo files that contain a different
address than the IPA master we are running at. The bug itself is just
additional protection from sssd messing up a valid krb5.conf
configuration.

> Because I do not think that patch fixes anything.
>
> If there were some issues with generated kdcinfo files on ipa replicas
> then I assume it is a bug in replica promotion which left _srv_ in
> ipa_server

Yes, but even if that bug is fixed, it is pointless to generate the
files, because the only address that will ever make sense is the IPA
server. And it should be already defined in krb5.conf.

> https://pagure.io/freeipa/issue/7127
> https://github.com/freeipa/freeipa/pull/1005
>
> Because my experience is that after reverting patch
> a309525cc47da726461aec1f238165c17aade2a6 sssd generates kdcinfo
> just for local kdc server and sssd_krb5_locator_plugin.so will
> use it and does not allow krb5 libs to try srv discovery.

Yes, but you don't want to allow SRV discovery on the masters. Only on
clients. But I thought krb5.conf should also contain only the local
master..does the config file in the issue you saw contain something
else?

I mean, if we revert the patch and krb5.conf contains no records or multiple
records, then I think the libkrb5 configuration is broken and we are relying
on sssd injecting a valid value into an otherwise invalid krb5 configuration.

> I might be wrong or I could miss something and there might be
> something else fishy in ipa*-install.
>
> LS
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On (12/09/17 15:45), Lukas Slebodnik wrote:
>ehlo,
>
>I realized that it might be better to discuss it here rather than in
>pull requests because it seems to be related to two different commits.
>
>I will describe a test case on master with already created replica on another
>host.
>* kinit as admin
>// create user with dummy password
>* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>  --password
>
>// adding sleep think that first kinit hits slave sometimes and the user is
>// not replicated yet.
>* sleep 2
>* FirstKinitAs $login $dummypw $password
>
>FirstKinitAs is a bash function which changes the initial password,
>something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>
>Such test works reliably with 1.15.3 and kinit always talks to local master
>(I didn't try to remove sleep 2)
>
>But situation changed a little bit with git master due to following commits
>IPA: Only generate kdcinfo files on clients
>https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6

Jakub,
Could you explain what was the purpose of the patch?

Because I do not think that patch fixes anything.

If there were some issues with generated kdcinfo files on ipa replicas
then I assume it is a bug in replica promotion which left _srv_ in
ipa_server

https://pagure.io/freeipa/issue/7127
https://github.com/freeipa/freeipa/pull/1005

Because my experience is that after reverting patch
a309525cc47da726461aec1f238165c17aade2a6 sssd generates kdcinfo
just for local kdc server and sssd_krb5_locator_plugin.so will
use it and does not allow krb5 libs to try srv discovery.

I might be wrong or I could miss something and there might be
something else fishy in ipa*-install.

LS
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On (12/09/17 18:44), Sumit Bose wrote:
>On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
>> ehlo,
>>
>> I realized that it might be better to discuss it here rather than in
>> pull requests because it seems to be related to two different commits.
>>
>> I will describe a test case on master with already created replica on another
>> host.
>> * kinit as admin
>> // create user with dummy password
>> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>>      --password
>>
>> // adding sleep think that first kinit hits slave sometimes and the user is
>> // not replicated yet.
>> * sleep 2
>> * FirstKinitAs $login $dummypw $password
>>
>> FirstKinitAs is a bash function which changes initial password
>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>>
>> Such test works reliably with 1.15.3 and kinit always talks to local master
>> (I didn't try to remove sleep 2)
>>
>>
>> But situation changed a little bit with git master due to following commits
>> IPA: Only generate kdcinfo files on clients
>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>
>Do you have the /etc/krb5.conf available from the host where the test
>failed? The above patch was written with the assumption that
>/etc/krb5.conf on the IPA server points to the server itself as
>ipa-server-install creates it:
>
>[realms]
> IPA.DEVEL = {
>  kdc = ipa-devel.ipa.devel:88
>  master_kdc = ipa-devel.ipa.devel:88
>  admin_server = ipa-devel.ipa.devel:749
>  default_domain = ipa.devel
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
>Currently I would assume that at least admin_server is missing.
>
>> localauth plugin: change return code of sss_an2ln
>> https://pagure.io/SSSD/sssd/c/3f94a979eebd1c9496b49b4e07b7823550dec97e
>
>I'm a bit surprised here because it is not clear to me where during the
>test an2ln is used. But if it is the case it might point to an issue at
>a different place because the old return code was wrong according to the
>documentation of the plugin.
>
I probably mixed versions of packages when I ran the test.
Because reverting the patch for the krb5_localauth plugin did not help
and it still fails

--
Added user "selfservuser1"
--
  User login: selfservuser1
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/selfservuser1
  GECOS: first last
  Login shell: /bin/sh
  Principal name: selfservus...@testrelm.test
  Principal alias: selfservus...@testrelm.test
  Email address: selfservus...@testrelm.test
  UID: 71621
  GID: 71621
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
:: [ PASS ] :: add test user account (Expected 0, got 0)
:: [ BEGIN ] :: Running 'FirstKinitAs selfservuser1 dummy...@ipa.com passw0rd1'
[1836] 1505231102.633534: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: selfservus...@testrelm.test
[1838] 1505231102.639333: Getting initial credentials for selfservus...@testrelm.test
[1838] 1505231102.641609: Sending request (183 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.641757: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.642102: Initiating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.642170: Sending TCP request to stream 10.19.41.68:88
[1838] 1505231102.644813: Received answer (186 bytes) from stream 10.19.41.68:88
[1838] 1505231102.644822: Terminating TCP connection to stream 10.19.41.68:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.644878: Response was from master KDC
[1838] 1505231102.644897: Received error from KDC: -1765328361/Password has expired
[1838] 1505231102.644915: Principal expired; getting changepw ticket
[1838] 1505231102.644921: Getting initial credentials for selfservus...@testrelm.test
[1838] 1505231102.644936: Setting initial creds service to kadmin/changepw
[1838] 1505231102.644954: Sending request (178 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.644973: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.645055: Initiating TCP connection to stream 10.19.41.68:88
[1838]
[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC
On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
> ehlo,
>
> I realized that it might be better to discuss it here rather than in
> pull requests because it seems to be related to two different commits.
>
> I will describe a test case on master with already created replica on another
> host.
> * kinit as admin
> // create user with dummy password
> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>      --password
>
> // adding sleep think that first kinit hits slave sometimes and the user is
> // not replicated yet.
> * sleep 2
> * FirstKinitAs $login $dummypw $password
>
> FirstKinitAs is a bash function which changes initial password
> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>
> Such test works reliably with 1.15.3 and kinit always talks to local master
> (I didn't try to remove sleep 2)
>
>
> But situation changed a little bit with git master due to following commits
> IPA: Only generate kdcinfo files on clients
> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6

Do you have the /etc/krb5.conf available from the host where the test
failed? The above patch was written with the assumption that
/etc/krb5.conf on the IPA server points to the server itself as
ipa-server-install creates it:

[realms]
 IPA.DEVEL = {
  kdc = ipa-devel.ipa.devel:88
  master_kdc = ipa-devel.ipa.devel:88
  admin_server = ipa-devel.ipa.devel:749
  default_domain = ipa.devel
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

Currently I would assume that at least admin_server is missing.

> localauth plugin: change return code of sss_an2ln
> https://pagure.io/SSSD/sssd/c/3f94a979eebd1c9496b49b4e07b7823550dec97e

I'm a bit surprised here because it is not clear to me where during the
test an2ln is used. But if it is the case it might point to an issue at
a different place because the old return code was wrong according to the
documentation of the plugin.

bye,
Sumit

>
> It is enough to revert just one of these patches and the situation is back to stable
>
> BTW the failure is not 100% reliable but it happens quite often, in 40-60% of cases.
> And I think kinit on IPA server should always talk to local KDC unless
> it is down.
>
>
> Attaching two logs with KRB5TRACE + SSSD_KRB5_LOCATOR_DEBUG
>
> LS
> --
> Added user "selfservuser1"
> --
>   User login: selfservuser1
>   First name: first
>   Last name: last
>   Full name: first last
>   Display name: first last
>   Initials: fl
>   Home directory: /home/selfservuser1
>   GECOS: first last
>   Login shell: /bin/sh
>   Principal name: selfservus...@testrelm.test
>   Principal alias: selfservus...@testrelm.test
>   Email address: selfservus...@testrelm.test
>   UID: 1739200021
>   GID: 1739200021
>   Password: True
>   Member of groups: ipausers
>   Kerberos keys available: True
> :: [ PASS ] :: add test user account (Expected 0, got 0)
> :: [ BEGIN ] :: Running 'FirstKinitAs selfservuser1 dummy...@ipa.com passw0rd1'
> [2008] 1504979429.356684: Destroying ccache KEYRING:persistent:0:0
> Using default cache: persistent:0:0
> Using principal: selfservus...@testrelm.test
> [2010] 1504979429.362816: Getting initial credentials for selfservus...@testrelm.test
> [2010] 1504979429.364886: Sending request (183 bytes) to TESTRELM.TEST
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
> [sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0] socktype[2] locate_service[1]
> [sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[2]
> [sssd_krb5_locator] [10.19.41.54] used
> [sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0] socktype[1] locate_service[1]
> [sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
> [sssd_krb5_locator] [10.19.41.54] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [2010] 1504979429.365050: Initiating TCP connection to stream 10.19.41.54:88
> [2010] 1504979429.365114: Sending TCP request to stream 10.19.41.54:88
> [2010] 1504979429.366775: Received answer (186 bytes) from stream 10.19.41.54:88
> [2010] 1504979429.366783: Terminating TCP connection to stream 10.19.41.54:88
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
> [sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No such file or directory].
> [sssd_krb5_locator] reading kpasswd address failed, using kdc address.
> [sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0] socktype[1] locate_service[2]
> [sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
> [sssd_krb5_locator] [10.19.41.54] used
> [sssd_krb5_locator]
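The two traces in this thread (the failing one in Lukas's reply, where kdcinfo.TESTRELM.TEST is absent and both the AS request and the changepw request end up at 10.19.41.68, and the working one quoted above, where the locator returns 10.19.41.54 and falls back to the kdc address for kpasswd) are exactly what a practitioner wants to compare mechanically. The following is an added example, not code from the thread or from SSSD: a small correlator for combined KRB5_TRACE and SSSD_KRB5_LOCATOR_DEBUG output that records, per request libkrb5 sends, whether the locator hit or missed, which address the connection went to and what the KDC answered, then flags requests that reached anything other than the local KDC. The sample traces are constructed (shortened) from the excerpts in the thread; the master's address 10.19.41.54 is an assumption, and the UDP connect line form is MIT krb5's sendto_kdc trace wording rather than anything in this thread.

```python
"""Correlate KRB5_TRACE with SSSD_KRB5_LOCATOR_DEBUG output.

Added example, not code from the thread or from SSSD.  For every request
libkrb5 sends it records whether sssd_krb5_locator answered from a
kdcinfo/kpasswdinfo file or missed, which address the connection went to,
and what the KDC replied.  A request that reached an address outside LOCAL
is the condition the thread wants never to occur on an IPA master.
Sample traces are constructed (shortened) from the excerpts in the thread.
"""
import re
from os.path import basename

LOCAL = {"10.19.41.54"}  # assumed: the master's own address

RE_REQUEST = re.compile(r"^\[\d+\] [\d.]+: Sending request \(\d+ bytes\) to (\S+)( \(master\))?")
# TCP form is from the thread; the UDP form is MIT krb5's sendto_kdc trace wording.
RE_CONNECT = re.compile(r"^\[\d+\] [\d.]+: (?:Initiating TCP connection to stream|"
                        r"Sending initial UDP request to dgram) (\S+):\d+$")
RE_RESOLVE = re.compile(r"^\[\d+\] [\d.]+: Resolving hostname (\S+)")
RE_ERROR = re.compile(r"^\[\d+\] [\d.]+: Received error from KDC: -?\d+/(.*)$")
RE_FOUND = re.compile(r"^\[sssd_krb5_locator\] Found \[([^\]]+)\] in \[([^\]]+)\]")
RE_MISSING = re.compile(r"^\[sssd_krb5_locator\] open failed \[([^\]]+)\]")

# Constructed from the failing trace in the thread (no kdcinfo on the master).
FAIL_TRACE = """\
[1838] 1505231102.641609: Sending request (183 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[1838] 1505231102.641757: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.642102: Initiating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.644813: Received answer (186 bytes) from stream 10.19.41.68:88
[1838] 1505231102.644878: Response was from master KDC
[1838] 1505231102.644897: Received error from KDC: -1765328361/Password has expired
[1838] 1505231102.644954: Sending request (178 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[1838] 1505231102.645055: Initiating TCP connection to stream 10.19.41.68:88
"""

# Constructed from the working trace (kdcinfo present, kpasswdinfo absent).
OK_TRACE = """\
[2010] 1504979429.364886: Sending request (183 bytes) to TESTRELM.TEST
[sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] [10.19.41.54] used
[2010] 1504979429.365050: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.366775: Received answer (186 bytes) from stream 10.19.41.54:88
[sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
"""


def parse_trace(text):
    """Return one dict per 'Sending request' line, in order of appearance."""
    requests, cur = [], None
    for line in text.splitlines():
        m = RE_REQUEST.match(line)
        if m:
            cur = {"realm": m.group(1), "to_master": m.group(2) is not None,
                   "locator_hits": [], "locator_missing": [], "resolved": [],
                   "addrs": [], "from_master": False, "error": None}
            requests.append(cur)
        elif cur is None:
            continue  # ccache setup lines before the first request
        elif (m := RE_FOUND.match(line)):
            cur["locator_hits"].append((basename(m.group(2)), m.group(1)))
        elif (m := RE_MISSING.match(line)):
            cur["locator_missing"].append(basename(m.group(1)))
        elif (m := RE_RESOLVE.match(line)):
            cur["resolved"].append(m.group(1))  # DNS was consulted
        elif (m := RE_CONNECT.match(line)):
            cur["addrs"].append(m.group(1))
        elif line.endswith("Response was from master KDC"):
            cur["from_master"] = True
        elif (m := RE_ERROR.match(line)):
            cur["error"] = m.group(1)
    return requests


def off_box(requests, local=LOCAL):
    """Requests whose connection went to an address outside `local`."""
    return [r for r in requests if any(a not in local for a in r["addrs"])]


def explain(r):
    """One-line routing summary for a request."""
    if r["locator_hits"]:
        how = "locator:" + ",".join(f for f, _ in r["locator_hits"])
    elif r["locator_missing"]:
        how = "krb5.conf/DNS after locator miss:" + ",".join(r["locator_missing"])
    else:
        how = "krb5.conf/DNS"
    tail = "; KDC error: %s" % r["error"] if r["error"] else ""
    return "%s%s via %s -> %s%s" % (r["realm"], " (master)" if r["to_master"] else "",
                                    how, ",".join(r["addrs"]) or "?", tail)


if __name__ == "__main__":
    for name, trace in (("failing", FAIL_TRACE), ("working", OK_TRACE)):
        reqs = parse_trace(trace)
        print(name, "- off-box requests:", len(off_box(reqs)))
        for r in reqs:
            print("  ", explain(r))
```

Run against a real capture (`KRB5_TRACE=/dev/stderr SSSD_KRB5_LOCATOR_DEBUG=1 kinit ... 2>trace.txt`) the interesting field is `resolved`: a hostname there means libkrb5 went through DNS rather than a locator-supplied address, which on a master is the behaviour both sides of this thread agree should not happen while the local KDC is up.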