[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-10-03 Thread Sumit Bose
On Tue, Oct 03, 2017 at 05:16:24PM -0400, Robbie Harwood wrote:
> Sumit Bose  writes:
> 
> > On Thu, Sep 21, 2017 at 04:52:32PM +0200, Lukas Slebodnik wrote:
> >> On (12/09/17 18:44), Sumit Bose wrote:
> >>> On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
>  ehlo,
>  
>  I realized that it might be better to discuss it here rather than in
>  pull requests because it seems to be related to two different commits.
>  
>  I will describe a test case on master with already created replica on another
>  host.
>  * kinit as admin
>  // create user with dummy password
>  * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>  --password
>  
>  // adding sleep, I think that first kinit hits slave sometimes and the user is
>  // not replicated yet.
>  * sleep 2
>  * FirstKinitAs $login $dummypw $password
>  
>  FirstKinitAs is a bash function which changes the initial password
>  something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>  
>  Such a test works reliably with 1.15.3 and kinit always talks to local master
>  (I didn't try to remove sleep 2)
>  
>  
>  But situation changed a little bit with git master due to following commits
>  IPA: Only generate kdcinfo files on clients
>  https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
> >>>
> >>> Do you have the /etc/krb5.conf available from the host where the
> >>> test failed? The above patch was written with the assumption that
> >>> /etc/krb5.conf on the IPA server points to the server itself as
> >>> ipa-server-install creates it:
> >>>
> >>>[realms]
> >>> IPA.DEVEL = {
> >>>  kdc = ipa-devel.ipa.devel:88
> >>>  master_kdc = ipa-devel.ipa.devel:88
> >>>  admin_server = ipa-devel.ipa.devel:749
> >>>  default_domain = ipa.devel
> >>>  pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>>}
> >>>
> >>>Currently I would assume that at least admin_server is missing.
> >>>
> >> Here you are.
> >> local master: kvm-02-guest11.testrelm.test
> >> replica: bkr-hv01-guest19.testrelm.test
> >> 
> >> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> >> includedir /etc/krb5.conf.d/
> >> includedir /var/lib/sss/pubconf/krb5.include.d/
> >> 
> >> [logging]
> >>  default = FILE:/var/log/krb5libs.log
> >>  kdc = FILE:/var/log/krb5kdc.log
> >>  admin_server = FILE:/var/log/kadmind.log
> >> 
> >> [libdefaults]
> >>  default_realm = TESTRELM.TEST
> >>  dns_lookup_realm = false
> >>  dns_lookup_kdc = true
> >>  rdns = false
> >>  ticket_lifetime = 24h
> >>  forwardable = true
> >>  udp_preference_limit = 0
> >>  default_ccache_name = KEYRING:persistent:%{uid}
> >> 
> >> [realms]
> >>  TESTRELM.TEST = {
> >>   kdc = kvm-02-guest11.testrelm.test:88
> >>   master_kdc = kvm-02-guest11.testrelm.test:88
> >>   admin_server = kvm-02-guest11.testrelm.test:749
> >>   default_domain = testrelm.test
> >>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> >>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> >> }
> >
> > Thank you, so the krb5.conf has the expected entries. I did some testing
> > and found that libkrb5 does a DNS SRV lookup to find the kpasswd server
> > although the man page says:
> >
> > """
> >kpasswd_server
> >   Points to the server where all the password changes are
> > performed.  If there is no such entry, the port 464 on the admin_server
> > host will be tried.
> > """
> >
> > To me it looks like the advertised fallback to admin_server if there is
> > no kpasswd_server defined does not work.
> >
> > Robbie, is this expected or is it possible that there is an issue in
> > libkrb5?
> 
> It's possible there's an issue, but I'd need to look more.  Could you
> file a ticket so we can track it?

Thank you, I opened https://bugzilla.redhat.com/show_bug.cgi?id=1498347.

bye,
Sumit
> 
> Thanks,
> --Robbie

___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-10-03 Thread Robbie Harwood
Sumit Bose  writes:

> On Thu, Sep 21, 2017 at 04:52:32PM +0200, Lukas Slebodnik wrote:
>> On (12/09/17 18:44), Sumit Bose wrote:
>>> On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
 ehlo,
 
 I realized that it might be better to discuss it here rather than in
 pull requests because it seems to be related to two different commits.
 
 I will describe a test case on master with already created replica on another
 host.
 * kinit as admin
 // create user with dummy password
 * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
 --password
 
 // adding sleep, I think that first kinit hits slave sometimes and the user is
 // not replicated yet.
 * sleep 2
 * FirstKinitAs $login $dummypw $password
 
 FirstKinitAs is a bash function which changes the initial password
 something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
 
 Such a test works reliably with 1.15.3 and kinit always talks to local master
 (I didn't try to remove sleep 2)
 
 
 But situation changed a little bit with git master due to following commits
 IPA: Only generate kdcinfo files on clients
 https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>>>
>>> Do you have the /etc/krb5.conf available from the host where the
>>> test failed? The above patch was written with the assumption that
>>> /etc/krb5.conf on the IPA server points to the server itself as
>>> ipa-server-install creates it:
>>>
>>>[realms]
>>> IPA.DEVEL = {
>>>  kdc = ipa-devel.ipa.devel:88
>>>  master_kdc = ipa-devel.ipa.devel:88
>>>  admin_server = ipa-devel.ipa.devel:749
>>>  default_domain = ipa.devel
>>>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>}
>>>
>>>Currently I would assume that at least admin_server is missing.
>>>
>> Here you are.
>> local master: kvm-02-guest11.testrelm.test
>> replica: bkr-hv01-guest19.testrelm.test
>> 
>> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
>> includedir /etc/krb5.conf.d/
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>> 
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>> 
>> [libdefaults]
>>  default_realm = TESTRELM.TEST
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = true
>>  rdns = false
>>  ticket_lifetime = 24h
>>  forwardable = true
>>  udp_preference_limit = 0
>>  default_ccache_name = KEYRING:persistent:%{uid}
>> 
>> [realms]
>>  TESTRELM.TEST = {
>>   kdc = kvm-02-guest11.testrelm.test:88
>>   master_kdc = kvm-02-guest11.testrelm.test:88
>>   admin_server = kvm-02-guest11.testrelm.test:749
>>   default_domain = testrelm.test
>>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>> }
>
> Thank you, so the krb5.conf has the expected entries. I did some testing
> and found that libkrb5 does a DNS SRV lookup to find the kpasswd server
> although the man page says:
>
> """
>kpasswd_server
>   Points to the server where all the password changes are
> performed.  If there is no such entry, the port 464 on the admin_server
> host will be tried.
> """
>
> To me it looks like the advertised fallback to admin_server if there is
> no kpasswd_server defined does not work.
>
> Robbie, is this expected or is it possible that there is an issue in
> libkrb5?

It's possible there's an issue, but I'd need to look more.  Could you
file a ticket so we can track it?

Thanks,
--Robbie




[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-22 Thread Sumit Bose
On Thu, Sep 21, 2017 at 01:07:23PM -0400, Simo Sorce wrote:
> On Thu, 2017-09-21 at 17:56 +0200, Sumit Bose wrote:
> > On Thu, Sep 21, 2017 at 11:23:20AM -0400, Simo Sorce wrote:
> > > On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> > > > Here you are.
> > > > local master: kvm-02-guest11.testrelm.test
> > > > replica: bkr-hv01-guest19.testrelm.test
> > > > 
> > > > [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> > > > includedir /etc/krb5.conf.d/
> > > > includedir /var/lib/sss/pubconf/krb5.include.d/
> > > > 
> > > > [logging]
> > > >  default = FILE:/var/log/krb5libs.log
> > > >  kdc = FILE:/var/log/krb5kdc.log
> > > >  admin_server = FILE:/var/log/kadmind.log
> > > > 
> > > > [libdefaults]
> > > >  default_realm = TESTRELM.TEST
> > > >  dns_lookup_realm = false
> > > >  dns_lookup_kdc = true
> > > 
> > > This sounds wrong on a master
> > 
> > no, you need this to find any AD DC in a trusted forest.
> 
> Shouldn't SSSD do that for us via proper site discovery?

yes, this is planned to some extent but you still have a chicken-egg
problem during 'ipa trust-add'.

But see my other email, I think there might be an issue or at least
unexpected behavior with our usage of the admin_server option in
/etc/krb5.conf.

bye,
Sumit

> 
> Simo.
> 
> > bye,
> > Sumit
> > 
> > > 
> > > Simo.
> > > 
> > > -- 
> > > Simo Sorce
> > > Sr. Principal Software Engineer
> > > Red Hat, Inc
> > > 
> 
> -- 
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
> 


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Simo Sorce
On Thu, 2017-09-21 at 17:56 +0200, Sumit Bose wrote:
> On Thu, Sep 21, 2017 at 11:23:20AM -0400, Simo Sorce wrote:
> > On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> > > Here you are.
> > > local master: kvm-02-guest11.testrelm.test
> > > replica: bkr-hv01-guest19.testrelm.test
> > > 
> > > [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> > > includedir /etc/krb5.conf.d/
> > > includedir /var/lib/sss/pubconf/krb5.include.d/
> > > 
> > > [logging]
> > >  default = FILE:/var/log/krb5libs.log
> > >  kdc = FILE:/var/log/krb5kdc.log
> > >  admin_server = FILE:/var/log/kadmind.log
> > > 
> > > [libdefaults]
> > >  default_realm = TESTRELM.TEST
> > >  dns_lookup_realm = false
> > >  dns_lookup_kdc = true
> > 
> > This sounds wrong on a master
> 
> no, you need this to find any AD DC in a trusted forest.

Shouldn't SSSD do that for us via proper site discovery?

Simo.

> bye,
> Sumit
> 
> > 
> > Simo.
> > 
> > -- 
> > Simo Sorce
> > Sr. Principal Software Engineer
> > Red Hat, Inc
> > 

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Sumit Bose
On Thu, Sep 21, 2017 at 11:23:20AM -0400, Simo Sorce wrote:
> On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> > Here you are.
> > local master: kvm-02-guest11.testrelm.test
> > replica: bkr-hv01-guest19.testrelm.test
> > 
> > [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> > includedir /etc/krb5.conf.d/
> > includedir /var/lib/sss/pubconf/krb5.include.d/
> > 
> > [logging]
> >  default = FILE:/var/log/krb5libs.log
> >  kdc = FILE:/var/log/krb5kdc.log
> >  admin_server = FILE:/var/log/kadmind.log
> > 
> > [libdefaults]
> >  default_realm = TESTRELM.TEST
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = true
> 
> This sounds wrong on a master

no, you need this to find any AD DC in a trusted forest.

bye,
Sumit

> 
> Simo.
> 
> -- 
> Simo Sorce
> Sr. Principal Software Engineer
> Red Hat, Inc
> 


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Sumit Bose
On Thu, Sep 21, 2017 at 04:52:32PM +0200, Lukas Slebodnik wrote:
> On (12/09/17 18:44), Sumit Bose wrote:
> >On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
> >> ehlo,
> >> 
> >> I realized that it might be better to discuss it here rather than in
> >> pull requests because it seems to be related to two different commits.
> >> 
> >> I will describe a test case on master with already created replica on another
> >> host.
> >> * kinit as admin
> >> // create user with dummy password
> >> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
> >>--password
> >> 
> >> // adding sleep, I think that first kinit hits slave sometimes and the user is
> >> // not replicated yet.
> >> * sleep 2
> >> * FirstKinitAs $login $dummypw $password
> >> 
> >> FirstKinitAs is a bash function which changes the initial password
> >> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
> >> 
> >> Such a test works reliably with 1.15.3 and kinit always talks to local master
> >> (I didn't try to remove sleep 2)
> >> 
> >> 
> >> But situation changed a little bit with git master due to following commits
> >> IPA: Only generate kdcinfo files on clients
> >> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
> >
> >Do you have the /etc/krb5.conf available from the host where the test
> >failed? The above patch was written with the assumption that
> >/etc/krb5.conf on the IPA server points to the server itself as
> >ipa-server-install creates it:
> >
> >[realms]
> > IPA.DEVEL = {
> >  kdc = ipa-devel.ipa.devel:88
> >  master_kdc = ipa-devel.ipa.devel:88
> >  admin_server = ipa-devel.ipa.devel:749
> >  default_domain = ipa.devel
> >  pkinit_anchors = FILE:/etc/ipa/ca.crt
> >}
> >
> >Currently I would assume that at least admin_server is missing.
> >
> Here you are.
> local master: kvm-02-guest11.testrelm.test
> replica: bkr-hv01-guest19.testrelm.test
> 
> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = TESTRELM.TEST
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = true
>  udp_preference_limit = 0
>  default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
>  TESTRELM.TEST = {
>   kdc = kvm-02-guest11.testrelm.test:88
>   master_kdc = kvm-02-guest11.testrelm.test:88
>   admin_server = kvm-02-guest11.testrelm.test:749
>   default_domain = testrelm.test
>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> }

Thank you, so the krb5.conf has the expected entries. I did some testing
and found that libkrb5 does a DNS SRV lookup to find the kpasswd server
although the man page says:

"""
   kpasswd_server
  Points to the server where all the password changes are
performed.  If there is no such entry, the port 464 on the admin_server
host will be tried.
"""

To me it looks like the advertised fallback to admin_server if there is
no kpasswd_server defined does not work.

Robbie, is this expected or is it possible that there is an issue in
libkrb5?

bye,
Sumit

> 
> [domain_realm]
>  .testrelm.test = TESTRELM.TEST
>  testrelm.test = TESTRELM.TEST
>  kvm-02-guest11.testrelm.test = TESTRELM.TEST
> 
> [dbmodules]
>   TESTRELM.TEST = {
> db_library = ipadb.so
>   }
> 
> 
> 
> [root@kvm-02-guest11 ~]# ls /etc/krb5.conf.d/
> ipa-certauth
> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf.d/ipa-certauth
> [plugins]
>  certauth = {
>   module = ipakdb:kdb/ipadb.so
>   enable_only = ipakdb
>  }
> 
> 
> 
> [root@kvm-02-guest11 ~]# ls /var/lib/sss/pubconf/krb5.include.d/
> domain_realm_testrelm_test  krb5_libdefaults  localauth_plugin
> [root@kvm-02-guest11 ~]# cat 
> /var/lib/sss/pubconf/krb5.include.d/domain_realm_testrelm_test
> [domain_realm]
> [root@kvm-02-guest11 ~]# cat 
> /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
> [libdefaults]
>  canonicalize = true
> [root@kvm-02-guest11 ~]# cat 
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> [plugins]
>  localauth = {
>   module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
>  }
> 
> 
> 
> 
> 
> 
> -
> Added user "delegatuser2"
> -
>   User login: delegatuser2
>   First name: first
>   Last name: last
>   Full name: first last
>   Display name: first last
>   Initials: fl
>   Home directory: /home/delegatuser2
>   GECOS: first last
>   Login shell: /bin/sh
>   Principal name: delegatus...@testrelm.test
>   Principal alias: delegatus...@testrelm.test
>   Email address: delegatus...@testrelm.test
>   UID: 1622800023
>   GID: 1622800023
>   Password: True
>   Member of groups: 
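As an added example (not code from the thread, from SSSD or from MIT krb5): a small Python check that reads the [libdefaults] and [realms] entries of a krb5.conf and reports where a password change for a realm will be sent according to the krb5.conf(5) rule quoted above: an explicit kpasswd_server if present, otherwise port 464 on the admin_server host, otherwise nothing is left but DNS SRV discovery. Because that fallback is exactly the step the thread found not to work, the check also produces the explicit kpasswd_server line that would pin password changes to the local master without depending on it. The sample configuration is constructed from the entries quoted above (no kpasswd_server, dns_lookup_kdc = true); the parser handles only what this check needs.

```python
import re

# Constructed sample: the [libdefaults] and [realms] entries quoted in the thread
# for the local master, with no kpasswd_server line (as on the test host).
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/

[libdefaults]
 default_realm = TESTRELM.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 TESTRELM.TEST = {
  kdc = kvm-02-guest11.testrelm.test:88
  master_kdc = kvm-02-guest11.testrelm.test:88
  admin_server = kvm-02-guest11.testrelm.test:749
  default_domain = testrelm.test
 }
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")
BLOCK_OPEN_RE = re.compile(r"^(\S+)\s*=\s*\{$")
KEY_VALUE_RE = re.compile(r"^(\S+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}} with realm blocks
    (NAME = { ... }) as nested dicts.  Comments, include/includedir lines
    and anything outside a section are ignored; one brace level is all the
    realm check below needs."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith(("include ", "includedir ")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            continue
        if (m := BLOCK_OPEN_RE.match(line)):
            block = section.setdefault(m.group(1), {})
        elif line == "}":
            block = None
        elif (m := KEY_VALUE_RE.match(line)):
            target = block if block is not None else section
            target[m.group(1)] = m.group(2).strip()
    return sections


def kpasswd_target(sections, realm):
    """Where a password change for `realm` is sent according to the
    krb5.conf(5) rule quoted in the thread: kpasswd_server if set, else
    port 464 on the admin_server host, else only DNS SRV discovery is left
    (returned as ('dns srv', None))."""
    realm_cfg = sections.get("realms", {}).get(realm, {})
    if "kpasswd_server" in realm_cfg:
        return "kpasswd_server", realm_cfg["kpasswd_server"]
    if "admin_server" in realm_cfg:
        host = realm_cfg["admin_server"].rsplit(":", 1)[0]   # strip the :749
        return "admin_server fallback", f"{host}:464"
    return "dns srv", None


def dns_lookup_enabled(sections):
    """dns_lookup_kdc defaults to true in MIT krb5 when it is not set."""
    value = sections.get("libdefaults", {}).get("dns_lookup_kdc", "true")
    return value.lower() in ("true", "yes", "1")


def pin_kpasswd_server(sections, realm):
    """Realm entry that pins password changes explicitly, or None when the
    realm already has one.  With it in place libkrb5 never needs the
    admin_server fallback the thread found unreliable.  Raises when there
    is no admin_server to pin to."""
    source, target = kpasswd_target(sections, realm)
    if source == "kpasswd_server":
        return None
    if target is None:
        raise ValueError(f"no admin_server for {realm}; nothing to pin to")
    return f"kpasswd_server = {target}"


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    realm = conf["libdefaults"]["default_realm"]
    print(realm, kpasswd_target(conf, realm), "dns_lookup_kdc:", dns_lookup_enabled(conf))
    print("suggested entry:", pin_kpasswd_server(conf, realm))
```

The pinned entry is a configuration workaround, not a fix proposed in the thread; whether the admin_server fallback itself is broken in libkrb5 is what the ticket Sumit opened tracks. The check only makes the resolution path visible: on a host where dns_lookup_kdc is true and kpasswd_server is unset, a password change that does not land on the admin_server host will go wherever the _kpasswd SRV records point.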

[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Simo Sorce
On Thu, 2017-09-21 at 16:52 +0200, Lukas Slebodnik wrote:
> Here you are.
> local master: kvm-02-guest11.testrelm.test
> replica: bkr-hv01-guest19.testrelm.test
> 
> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = TESTRELM.TEST
>  dns_lookup_realm = false
>  dns_lookup_kdc = true

This sounds wrong on a master

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Lukas Slebodnik
On (21/09/17 13:33), Jakub Hrozek wrote:
>On Thu, Sep 21, 2017 at 01:30:17PM +0200, Lukas Slebodnik wrote:
>> On (21/09/17 13:22), Jakub Hrozek wrote:
>> >clients. But I thought krb5.conf should also contain only the local
>> >master. Does the config file in the issue you saw contain something
>> >else?
>> >
>> >I mean, if we revert the patch and krb5.conf contains no records or multiple
>> >records, then I think the libkrb5 configuration is broken and we are relying
>> >on sssd injecting a valid value into an otherwise invalid krb5 
>> >configuration.
>> >
>> 
>> I'm waiting for the machine to see the content of krb5.conf and then I'll check
>> Sumit's assumption.
>
>I also wonder if the bug might be in IPv4/IPv6 resolution. Because IIRC
>libc prefers IPv6 addresses during resolution, but SSSD prefers IPv4 and
>the kdcinfo file would contain a v4 address.
>
>But then I guess reverting the patch and injecting the kdcinfo file
>would help..
If it's a bug in krb5-libs then we should fix it (because it can cause
intermittent failures in other tests);
* reverting the patch might be a temporary workaround.

LS


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Lukas Slebodnik
On (12/09/17 18:44), Sumit Bose wrote:
>On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
>> ehlo,
>> 
>> I realized that it might be better to discuss it here rather than in
>> pull requests because it seems to be related to two different commits.
>> 
>> I will describe a test case on master with already created replica on another
>> host.
>> * kinit as admin
>> // create user with dummy password
>> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>>--password
>> 
>> // adding sleep, I think that first kinit hits slave sometimes and the user is
>> // not replicated yet.
>> * sleep 2
>> * FirstKinitAs $login $dummypw $password
>> 
>> FirstKinitAs is a bash function which changes the initial password
>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>> 
>> Such a test works reliably with 1.15.3 and kinit always talks to local master
>> (I didn't try to remove sleep 2)
>> 
>> 
>> But situation changed a little bit with git master due to following commits
>> IPA: Only generate kdcinfo files on clients
>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>
>Do you have the /etc/krb5.conf available from the host where the test
>failed? The above patch was written with the assumption that
>/etc/krb5.conf on the IPA server points to the server itself as
>ipa-server-install creates it:
>
>[realms]
> IPA.DEVEL = {
>  kdc = ipa-devel.ipa.devel:88
>  master_kdc = ipa-devel.ipa.devel:88
>  admin_server = ipa-devel.ipa.devel:749
>  default_domain = ipa.devel
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>}
>
>Currently I would assume that at least admin_server is missing.
>
Here you are.
local master: kvm-02-guest11.testrelm.test
replica: bkr-hv01-guest19.testrelm.test

[root@kvm-02-guest11 ~]# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTRELM.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 TESTRELM.TEST = {
  kdc = kvm-02-guest11.testrelm.test:88
  master_kdc = kvm-02-guest11.testrelm.test:88
  admin_server = kvm-02-guest11.testrelm.test:749
  default_domain = testrelm.test
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
 .testrelm.test = TESTRELM.TEST
 testrelm.test = TESTRELM.TEST
 kvm-02-guest11.testrelm.test = TESTRELM.TEST

[dbmodules]
  TESTRELM.TEST = {
db_library = ipadb.so
  }



[root@kvm-02-guest11 ~]# ls /etc/krb5.conf.d/
ipa-certauth
[root@kvm-02-guest11 ~]# cat /etc/krb5.conf.d/ipa-certauth
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }



[root@kvm-02-guest11 ~]# ls /var/lib/sss/pubconf/krb5.include.d/
domain_realm_testrelm_test  krb5_libdefaults  localauth_plugin
[root@kvm-02-guest11 ~]# cat 
/var/lib/sss/pubconf/krb5.include.d/domain_realm_testrelm_test
[domain_realm]
[root@kvm-02-guest11 ~]# cat 
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
[libdefaults]
 canonicalize = true
[root@kvm-02-guest11 ~]# cat 
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }






-
Added user "delegatuser2"
-
  User login: delegatuser2
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/delegatuser2
  GECOS: first last
  Login shell: /bin/sh
  Principal name: delegatus...@testrelm.test
  Principal alias: delegatus...@testrelm.test
  Email address: delegatus...@testrelm.test
  UID: 1622800023
  GID: 1622800023
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
:: [   PASS   ] :: add test user account (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'FirstKinitAs delegatuser2 dummy...@ipa.com 
passw0rd1'
[3190] 1505997473.156106: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: delegatus...@testrelm.test
[3192] 1505997473.161781: Getting initial credentials for 
delegatus...@testrelm.test
[3192] 1505997473.163737: Sending request (182 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed 
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.163848: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.164170: Initiating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.164235: Sending TCP request 
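Added example, not from the thread or from SSSD: a parser for the KRB5_TRACE output format shown above that lists every server kinit connected to and flags any connection that did not go to the local master, which is the property in this thread's subject line. The sample trace is constructed: its first lines mirror the ones quoted above (the sssd locator plugin finding no kdcinfo file, then libkrb5 resolving the master from krb5.conf), and the final password-change connection to the replica on port 464 is invented to show what the failure would look like in a trace; the master's address and the replica's are likewise assumed.

```python
import re

# Constructed KRB5_TRACE excerpt.  The first eight lines mirror the output
# quoted in the thread for the initial AS request; the last three are invented
# to show the password-change step being answered by the replica on the
# kpasswd port (464) instead of by the local master.
SAMPLE_TRACE = """\
[3192] 1505997473.163737: Sending request (182 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.163848: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.164170: Initiating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.164235: Sending TCP request to stream 10.16.68.117:88
[3192] 1505997473.901000: Sending request (210 bytes) to TESTRELM.TEST
[3192] 1505997473.901100: Resolving hostname bkr-hv01-guest19.testrelm.test
[3192] 1505997473.902000: Initiating TCP connection to stream 10.16.68.120:464
"""

LOCAL_MASTER = "kvm-02-guest11.testrelm.test"
LOCAL_ADDRS = {"10.16.68.117"}  # assumed: the address the trace resolved the master to

PORT_NAMES = {88: "kdc", 464: "kpasswd", 749: "kadmin"}

LOCATOR_OPEN_FAILED_RE = re.compile(r"\[sssd_krb5_locator\] open failed \[([^\]]+)\]")
RESOLVE_RE = re.compile(r"Resolving hostname (\S+)$")
CONNECT_RE = re.compile(r"Initiating (TCP|UDP) connection to (?:stream|dgram) (\S+):(\d+)$")


def parse_trace(lines):
    """Walk a KRB5_TRACE log and return (connections, kdcinfo_missing).

    connections: list of (hostname, address, port, proto); hostname is the
    most recent 'Resolving hostname' line, or None if libkrb5 connected to
    an address without resolving (e.g. one supplied by a kdcinfo file).
    kdcinfo_missing: the kdcinfo path the sssd locator plugin could not
    open, or None if it never reported that."""
    connections, last_host, missing = [], None, None
    for line in lines:
        if (m := LOCATOR_OPEN_FAILED_RE.search(line)):
            missing = m.group(1)
        elif (m := RESOLVE_RE.search(line)):
            last_host = m.group(1)
        elif (m := CONNECT_RE.search(line)):
            connections.append((last_host, m.group(2), int(m.group(3)), m.group(1)))
    return connections, missing


def non_local(connections, local_host=LOCAL_MASTER, local_addrs=LOCAL_ADDRS):
    """Connections that went anywhere other than the local master, matched
    either by the resolved hostname or by the literal address."""
    return [c for c in connections
            if c[0] != local_host and c[1] not in local_addrs]


def report(lines, local_host=LOCAL_MASTER, local_addrs=LOCAL_ADDRS):
    """Return (summary text, only_local_master_contacted)."""
    connections, missing = parse_trace(lines)
    detours = non_local(connections, local_host, local_addrs)
    out = []
    if missing:
        out.append(f"locator: no kdcinfo file ({missing}); libkrb5 used krb5.conf/DNS")
    for host, addr, port, proto in connections:
        out.append(f"{PORT_NAMES.get(port, str(port)):8s} {proto} {host or '?'} -> {addr}:{port}")
    for host, addr, port, _ in detours:
        out.append(f"NOT LOCAL: {PORT_NAMES.get(port, port)} request went to {host} ({addr})")
    return "\n".join(out), not detours


if __name__ == "__main__":
    text, ok = report(SAMPLE_TRACE.splitlines())
    print(text)
    print("only local master contacted:", ok)
```

Run against a real trace (KRB5_TRACE=/dev/stderr kinit -V ... on the master), the first thing to read is the locator line: on an IPA server after the patch discussed above the kdcinfo file is absent by design, so every connection that follows comes from krb5.conf or DNS, and a port-464 connection to any host other than the master is the symptom the thread is chasing.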

[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Jakub Hrozek
On Thu, Sep 21, 2017 at 01:30:17PM +0200, Lukas Slebodnik wrote:
> On (21/09/17 13:22), Jakub Hrozek wrote:
> >clients. But I thought krb5.conf should also contain only the local
> >master. Does the config file in the issue you saw contain something
> >else?
> >
> >I mean, if we revert the patch and krb5.conf contains no records or multiple
> >records, then I think the libkrb5 configuration is broken and we are relying
> >on sssd injecting a valid value into an otherwise invalid krb5 configuration.
> >
> 
> I'm waiting for the machine to see the content of krb5.conf and then I'll check
> Sumit's assumption.

I also wonder if the bug might be in IPv4/IPv6 resolution. Because IIRC
libc prefers IPv6 addresses during resolution, but SSSD prefers IPv4 and
the kdcinfo file would contain a v4 address.

But then I guess reverting the patch and injecting the kdcinfo file
would help..


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Lukas Slebodnik
On (21/09/17 13:22), Jakub Hrozek wrote:
>On Thu, Sep 21, 2017 at 01:15:00PM +0200, Lukas Slebodnik wrote:
>> On (12/09/17 15:45), Lukas Slebodnik wrote:
>> >ehlo,
>> >
>> >I realized that it might be better to discuss it here rather than in
>> >pull requests because it seems to be related to two different commits.
>> >
>> >I will describe a test case on master with already created replica on another
>> >host.
>> >* kinit as admin
>> >// create user with dummy password
>> >* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>> >   --password
>> >
>> >// adding sleep, I think that first kinit hits slave sometimes and the user is
>> >// not replicated yet.
>> >* sleep 2
>> >* FirstKinitAs $login $dummypw $password
>> >
>> >FirstKinitAs is a bash function which changes the initial password
>> >something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>> >
>> >Such a test works reliably with 1.15.3 and kinit always talks to local master
>> >(I didn't try to remove sleep 2)
>> >
>> >
>> >But situation changed a little bit with git master due to following commits
>> >IPA: Only generate kdcinfo files on clients
>> >https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>> 
>> Jakub,
>> Could you explain what was the purpose of the patch?
>
>Protect against generating kdcinfo files that contain a different
>address than the IPA master we are running at. The bug itself is just
>additional protection from sssd messing up a valid krb5.conf
>configuration.
>
>> Because I do not think that patch fixes anything.
>> 
>> If there were some issues with generated kdcinfo files on ipa replicas
>> then I assume it is a bug in replica promotion which left _srv_ in
>> ipa_server
>
>Yes, but even if that bug is fixed, it is pointless to generate the
>files, because the only address that will ever make sense is the IPA
>server. And it should be already defined in krb5.conf.
>
>> 
>> https://pagure.io/freeipa/issue/7127
>> https://github.com/freeipa/freeipa/pull/1005
>> 
>> Because my experience is that after reverting patch
>> a309525cc47da726461aec1f238165c17aade2a6 sssd generates kdcinfo
>> just for the local kdc server and sssd_krb5_locator_plugin.so will
>> use it and not allow krb5 libs to try srv discovery.
>
>Yes, but you don't want to allow SRV discovery on the masters. Only on
>clients. But I thought krb5.conf should also contain only the local
>master. Does the config file in the issue you saw contain something
>else?
>
>I mean, if we revert the patch and krb5.conf contains no records or multiple
>records, then I think the libkrb5 configuration is broken and we are relying
>on sssd injecting a valid value into an otherwise invalid krb5 configuration.
>

I'm waiting for the machine to see the content of krb5.conf and then I'll check
Sumit's assumption.

LS


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Jakub Hrozek
On Thu, Sep 21, 2017 at 01:15:00PM +0200, Lukas Slebodnik wrote:
> On (12/09/17 15:45), Lukas Slebodnik wrote:
> >ehlo,
> >
> >I realized that it might be better to discuss it here rather than in
> >pull requests because it seems to be related to two different commits.
> >
> >I will describe a test case on master with already created replica on another
> >host.
> >* kinit as admin
> >// create user with dummy password
> >* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
> >   --password
> >
> >// adding sleep, I think that first kinit hits slave sometimes and the user is
> >// not replicated yet.
> >* sleep 2
> >* FirstKinitAs $login $dummypw $password
> >
> >FirstKinitAs is a bash function which changes the initial password
> >something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
> >
> >Such a test works reliably with 1.15.3 and kinit always talks to local master
> >(I didn't try to remove sleep 2)
> >
> >
> >But situation changed a little bit with git master due to following commits
> >IPA: Only generate kdcinfo files on clients
> >https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
> 
> Jakub,
> Could you explain what was the purpose of the patch?

Protect against generating kdcinfo files that contain a different
address than the IPA master we are running at. The bug itself is just
additional protection from sssd messing up a valid krb5.conf
configuration.

> Because I do not think that patch fixes anything.
> 
> If there were some issues with generated kdcinfo files on ipa replicas
> then I assume it is a bug in replica promotion which left _srv_ in
> ipa_server

Yes, but even if that bug is fixed, it is pointless to generate the
files, because the only address that will ever make sense is the IPA
server. And it should be already defined in krb5.conf.

> 
> https://pagure.io/freeipa/issue/7127
> https://github.com/freeipa/freeipa/pull/1005
> 
> Because my experience is that after reverting patch
> a309525cc47da726461aec1f238165c17aade2a6 sssd generates kdcinfo
> just for the local kdc server and sssd_krb5_locator_plugin.so will
> use it and not allow krb5 libs to try srv discovery.

Yes, but you don't want to allow SRV discovery on the masters. Only on
clients. But I thought krb5.conf should also contain only the local
master. Does the config file in the issue you saw contain something
else?

I mean, if we revert the patch and krb5.conf contains no records or multiple
records, then I think the libkrb5 configuration is broken and we are relying
on sssd injecting a valid value into an otherwise invalid krb5 configuration.

> 
> I might be wrong or I could miss something and there might be
> something else fishy in ipa*-install.
> 
> LS


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Lukas Slebodnik
On (12/09/17 15:45), Lukas Slebodnik wrote:
>ehlo,
>
>I realized that it might be better to discuss it here rather than in
>pull requests because it seems to be related to two different commits.
>
>I will describe a test case on master with already created replica on another
>host.
>* kinit as admin
>// create user with dummy password
>* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>   --password
>
>// adding sleep, I think that first kinit hits slave sometimes and the user is
>// not replicated yet.
>* sleep 2
>* FirstKinitAs $login $dummypw $password
>
>FirstKinitAs is a bash function which changes the initial password
>something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>
>Such a test works reliably with 1.15.3 and kinit always talks to local master
>(I didn't try to remove sleep 2)
>
>
>But situation changed a little bit with git master due to following commits
>IPA: Only generate kdcinfo files on clients
>https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6

Jakub,
Could you explain what was the purpose of the patch?
Because I do not think that the patch fixes anything.

If there were some issues with generated kdcinfo files on ipa replicas
then I assume it is a bug in replica promotion which left _srv_ in
ipa_server

https://pagure.io/freeipa/issue/7127
https://github.com/freeipa/freeipa/pull/1005

Because my experience is that after reverting patch
a309525cc47da726461aec1f238165c17aade2a6 sssd generates kdcinfo
just for the local KDC server and sssd_krb5_locator_plugin.so will
use it and not allow the krb5 libs to try SRV discovery.

I might be wrong or I could miss something and there might be
something else fishy in ipa*-install.

LS


[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-21 Thread Lukas Slebodnik
On (12/09/17 18:44), Sumit Bose wrote:
>On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
>> ehlo,
>> 
>> I realized that it might be better to discuss it here rather than in
>> pull requests because it seems to be related to two different commits.
>> 
>> I will describe a test case on master with an already created replica on another
>> host.
>> * kinit as admin
>> // create user with dummy password
>> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>>    --password
>> 
>> // adding sleep; I think that the first kinit sometimes hits the slave and the user
>> // is not replicated yet.
>> * sleep 2
>> * FirstKinitAs $login $dummypw $password
>> 
>> FirstKinitAs is a bash function which changes the initial password,
>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>> 
>> Such a test works reliably with 1.15.3 and kinit always talks to the local master
>> (I didn't try to remove sleep 2)
>> 
>> 
>> But the situation changed a little bit with git master due to the following commits
>> IPA: Only generate kdcinfo files on clients
>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>
>Do you have the /etc/krb5.conf available from the host where the test
>failed? The above patch was written with the assumption that
>/etc/krb5.conf on the IPA server points to the server itself, as
>ipa-server-install creates it:
>
>[realms]
> IPA.DEVEL = {
>  kdc = ipa-devel.ipa.devel:88
>  master_kdc = ipa-devel.ipa.devel:88
>  admin_server = ipa-devel.ipa.devel:749
>  default_domain = ipa.devel
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>}
>
>Currently I would assume that at least admin_server is missing.
>
>> localauth plugin: change return code of sss_an2ln
>> https://pagure.io/SSSD/sssd/c/3f94a979eebd1c9496b49b4e07b7823550dec97e
>
>I'm a bit surprised here because it is not clear to me where during the
>test an2ln is used. But if it is the case it might point to an issue at
>a different place because the old return code was wrong according to the
>documentation of the plugin.
>
I probably mixed versions of packages when I ran the test, because reverting
the patch for the krb5_localauth plugin did not help and it still fails

--
Added user "selfservuser1"
--
  User login: selfservuser1
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/selfservuser1
  GECOS: first last
  Login shell: /bin/sh
  Principal name: selfservus...@testrelm.test
  Principal alias: selfservus...@testrelm.test
  Email address: selfservus...@testrelm.test
  UID: 71621
  GID: 71621
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
:: [   PASS   ] :: add test user account (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'FirstKinitAs selfservuser1 dummy...@ipa.com passw0rd1'
[1836] 1505231102.633534: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: selfservus...@testrelm.test
[1838] 1505231102.639333: Getting initial credentials for selfservus...@testrelm.test
[1838] 1505231102.641609: Sending request (183 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.641757: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.642102: Initiating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.642170: Sending TCP request to stream 10.19.41.68:88
[1838] 1505231102.644813: Received answer (186 bytes) from stream 10.19.41.68:88
[1838] 1505231102.644822: Terminating TCP connection to stream 10.19.41.68:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.644878: Response was from master KDC
[1838] 1505231102.644897: Received error from KDC: -1765328361/Password has expired
[1838] 1505231102.644915: Principal expired; getting changepw ticket
[1838] 1505231102.644921: Getting initial credentials for selfservus...@testrelm.test
[1838] 1505231102.644936: Setting initial creds service to kadmin/changepw
[1838] 1505231102.644954: Sending request (178 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.644973: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.645055: Initiating TCP connection to stream 10.19.41.68:88
[1838] 
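The two traces in this thread answer the question in the subject line: in the failing run above the locator cannot open kdcinfo.TESTRELM.TEST and libkrb5 goes on to resolve a host name on its own, while in the run Lukas attached to his first mail (quoted in Sumit's reply below) the locator hands out 10.19.41.54 from the kdcinfo file and nothing else is consulted. Jakub's point is that on a master the only address that should ever be reachable this way is the one in krb5.conf, and Sumit's is that ipa-server-install writes exactly that kdc=/master_kdc= entry. The script below is an added example, not code from SSSD or FreeIPA: it classifies the KRB5_TRACE and SSSD_KRB5_LOCATOR_DEBUG lines of one kinit run, reads the kdc=/master_kdc= hosts from a krb5.conf in the layout Sumit quotes, and reports whether kinit reached its KDC through kdcinfo, through a configured host, or through discovery. The trace excerpts are constructed from the logs quoted in this thread with the mail-wrapped lines rejoined; the krb5.conf, its host name ipa-master.testrelm.test, the UDP wording in RE_CONNECT and the "Sending DNS SRV query for" trace text are assumptions, not taken from the page.

```python
import re
from dataclasses import dataclass, field

# Patterns for the trace lines quoted in the thread; the UDP wording in RE_CONNECT
# and all of RE_SRV (libkrb5's SRV-discovery message) are assumptions, not from the page.
RE_LOCATOR_USED = re.compile(r"\[sssd_krb5_locator\] \[([^\]]+)\] used")
RE_LOCATOR_FAIL = re.compile(r"\[sssd_krb5_locator\] open failed \[[^\]]*/kdcinfo\.")
RE_RESOLVE = re.compile(r": Resolving hostname (\S+)")
RE_CONNECT = re.compile(r": (?:Initiating TCP connection|Sending (?:\w+ )?(?:TCP|UDP) request) to (?:stream|dgram) (\S+)")
RE_SRV = re.compile(r": Sending DNS SRV query for (\S+)")


@dataclass
class TraceAudit:
    kdcinfo_addrs: set = field(default_factory=set)      # addresses the SSSD locator handed out
    kdcinfo_missing: bool = False                        # locator could not open kdcinfo.REALM
    resolved_hosts: list = field(default_factory=list)   # host names libkrb5 resolved on its own
    srv_queries: list = field(default_factory=list)      # DNS SRV lookups, i.e. discovery
    endpoints: list = field(default_factory=list)        # ip:port actually contacted, in order


def audit_trace(trace: str) -> TraceAudit:
    """Classify the KRB5_TRACE / SSSD_KRB5_LOCATOR_DEBUG lines of one kinit run."""
    a = TraceAudit()
    for line in trace.splitlines():
        if m := RE_LOCATOR_USED.search(line):
            a.kdcinfo_addrs.add(m.group(1))
        elif RE_LOCATOR_FAIL.search(line):
            a.kdcinfo_missing = True
        elif m := RE_RESOLVE.search(line):
            a.resolved_hosts.append(m.group(1))
        elif m := RE_SRV.search(line):
            a.srv_queries.append(m.group(1))
        elif m := RE_CONNECT.search(line):
            if not a.endpoints or a.endpoints[-1] != m.group(1):  # connect + send = one contact
                a.endpoints.append(m.group(1))
    return a


def realm_kdcs(krb5_conf: str, realm: str) -> set:
    """kdc=/master_kdc= values for REALM from [realms]; minimal parser for the
    single-file layout ipa-server-install writes (no includedir handling)."""
    kdcs, in_realms, in_block = set(), False, False
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_realms = line == "[realms]"
        elif in_realms and re.match(rf"{re.escape(realm)}\s*=\s*\{{", line):
            in_block = True
        elif in_block and line == "}":
            in_block = False
        elif in_block:
            key, _, value = line.partition("=")
            if key.strip() in ("kdc", "master_kdc"):
                kdcs.add(value.strip())
    return kdcs


def check_local_only(trace: str, krb5_conf: str, realm: str) -> dict:
    """Did kinit only talk to a KDC it was told about?  A host name libkrb5 resolved
    itself is fine when krb5.conf lists it as kdc=/master_kdc= (with those set libkrb5
    does no SRV lookup); any other resolved host, or an SRV query, means discovery."""
    a = audit_trace(trace)
    configured = {h.rsplit(":", 1)[0] for h in realm_kdcs(krb5_conf, realm)}
    stray = [h for h in a.resolved_hosts if h not in configured]
    return {
        "used_kdcinfo": bool(a.kdcinfo_addrs),
        "kdcinfo_missing": a.kdcinfo_missing,
        "endpoints": a.endpoints,
        "stray_hosts": stray,
        "discovery": bool(a.srv_queries) or bool(stray),
        "ok": not stray and not a.srv_queries,
    }


# Constructed samples modelled on the traces quoted in the thread (mail-wrapped
# lines rejoined).  KRB5_CONF and its host name are assumptions, not from the page.
FAILING_TRACE = """\
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[1838] 1505231102.641757: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.642102: Initiating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.642170: Sending TCP request to stream 10.19.41.68:88
"""
PASSING_TRACE = """\
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No such file or directory].
[2010] 1504979429.365050: Initiating TCP connection to stream 10.19.41.54:88
"""
KRB5_CONF = """\
[realms]
 TESTRELM.TEST = {
  kdc = ipa-master.testrelm.test:88
  master_kdc = ipa-master.testrelm.test:88
 }
"""
```

To use it on a real host, capture one run with KRB5_TRACE=/dev/stderr SSSD_KRB5_LOCATOR_DEBUG=1 kinit -V $username, rejoin any wrapped lines, and pass the capture together with /etc/krb5.conf to check_local_only(). For the constructed failing trace the verdict is used_kdcinfo False, kdcinfo_missing True and a stray host, because the resolved name is not the one the constructed krb5.conf lists; for the passing trace it is used_kdcinfo True with no stray host. Note that a kpasswdinfo open failure is deliberately not counted as a missing kdcinfo file, since the locator falls back to the KDC address in that case, as the passing log shows.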

[SSSD] Re: kinit on IPA server does not exclusively talk to local KDC

2017-09-12 Thread Sumit Bose
On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
> ehlo,
> 
> I realized that it might be better to discuss it here rather than in
> pull requests because it seems to be related to two different commits.
> 
> I will describe a test case on master with an already created replica on another
> host.
> * kinit as admin
> // create user with dummy password
> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>    --password
> 
> // adding sleep; I think that the first kinit sometimes hits the slave and the user
> // is not replicated yet.
> * sleep 2
> * FirstKinitAs $login $dummypw $password
> 
> FirstKinitAs is a bash function which changes the initial password,
> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
> 
> Such a test works reliably with 1.15.3 and kinit always talks to the local master
> (I didn't try to remove sleep 2)
> 
> 
> But the situation changed a little bit with git master due to the following commits
> IPA: Only generate kdcinfo files on clients
> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6

Do you have the /etc/krb5.conf available from the host where the test
failed? The above patch was written with the assumption that
/etc/krb5.conf on the IPA server points to the server itself, as
ipa-server-install creates it:

[realms]
 IPA.DEVEL = {
  kdc = ipa-devel.ipa.devel:88
  master_kdc = ipa-devel.ipa.devel:88
  admin_server = ipa-devel.ipa.devel:749
  default_domain = ipa.devel
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

Currently I would assume that at least admin_server is missing.

> localauth plugin: change return code of sss_an2ln
> https://pagure.io/SSSD/sssd/c/3f94a979eebd1c9496b49b4e07b7823550dec97e

I'm a bit surprised here because it is not clear to me where during the
test an2ln is used. But if it is the case it might point to an issue at
a different place because the old return code was wrong according to the
documentation of the plugin.

bye,
Sumit

> 
> 
> It is enough to revert just one of these patches and the situation is stable again
> 
> BTW the failure is not 100% reliable, but it happens quite often, in 40-60% of cases.
> And I think kinit on an IPA server should always talk to the local KDC unless
> it is down.
> 
> 
> Attaching two logs with KRB5TRACE + SSSD_KRB5_LOCATOR_DEBUG
> 
> LS

> --
> Added user "selfservuser1"
> --
>   User login: selfservuser1
>   First name: first
>   Last name: last
>   Full name: first last
>   Display name: first last
>   Initials: fl
>   Home directory: /home/selfservuser1
>   GECOS: first last
>   Login shell: /bin/sh
>   Principal name: selfservus...@testrelm.test
>   Principal alias: selfservus...@testrelm.test
>   Email address: selfservus...@testrelm.test
>   UID: 1739200021
>   GID: 1739200021
>   Password: True
>   Member of groups: ipausers
>   Kerberos keys available: True
> :: [   PASS   ] :: add test user account (Expected 0, got 0)
> :: [  BEGIN   ] :: Running 'FirstKinitAs selfservuser1 dummy...@ipa.com passw0rd1'
> [2008] 1504979429.356684: Destroying ccache KEYRING:persistent:0:0
> Using default cache: persistent:0:0
> Using principal: selfservus...@testrelm.test
> [2010] 1504979429.362816: Getting initial credentials for selfservus...@testrelm.test
> [2010] 1504979429.364886: Sending request (183 bytes) to TESTRELM.TEST
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
> [sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0] socktype[2] locate_service[1]
> [sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[2]
> [sssd_krb5_locator] [10.19.41.54] used
> [sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0] socktype[1] locate_service[1]
> [sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
> [sssd_krb5_locator] [10.19.41.54] used
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [2010] 1504979429.365050: Initiating TCP connection to stream 10.19.41.54:88
> [2010] 1504979429.365114: Sending TCP request to stream 10.19.41.54:88
> [2010] 1504979429.366775: Received answer (186 bytes) from stream 10.19.41.54:88
> [2010] 1504979429.366783: Terminating TCP connection to stream 10.19.41.54:88
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
> [sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No such file or directory].
> [sssd_krb5_locator] reading kpasswd address failed, using kdc address.
> [sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0] socktype[1] locate_service[2]
> [sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
> [sssd_krb5_locator] [10.19.41.54] used
> [sssd_krb5_locator]