ehlo,
I realized that it might be better to discuss it here rather then in
pull requests because it seems to be related to two different commits.
I will describe a test case on master with already created replica on another
host.
* kinit as admin
// create user with dummy password
* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
--password
// adding sleep think that first kinit hits slave sometimes and the user is
// not replicated yet.
* sleep 2
* FirstKinitAs $login $dummypw $password
FirstKinitAs is a bash function which change initial password
something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V
$username
Such test works reliably with 1.15.3 and kinit always talk to local master
(I didn't try to remove sleep 2)
But situation changed a little bit with git master due to following commits
IPA: Only generate kdcinfo files on clients
https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
localauth plugin: change return code of sss_an2ln
https://pagure.io/SSSD/sssd/c/3f94a979eebd1c9496b49b4e07b7823550dec97e
It is enough to revert just one of these patches and situation is back stable
BTW failure is not 100% reliable but it happens quite often 40-60% of cases.
And I think kinit on IPA server should always talk to local KDC unless
it is down.
Attaching two logs with KRB5TRACE + SSSD_KRB5_LOCATOR_DEBUG
LS
--------------------------
Added user "selfservuser1"
--------------------------
User login: selfservuser1
First name: first
Last name: last
Full name: first last
Display name: first last
Initials: fl
Home directory: /home/selfservuser1
GECOS: first last
Login shell: /bin/sh
Principal name: selfservus...@testrelm.test
Principal alias: selfservus...@testrelm.test
Email address: selfservus...@testrelm.test
UID: 1739200021
GID: 1739200021
Password: True
Member of groups: ipausers
Kerberos keys available: True
:: [ PASS ] :: add test user account (Expected 0, got 0)
:: [ BEGIN ] :: Running 'FirstKinitAs selfservuser1 dummy...@ipa.com
passw0rd1'
[2008] 1504979429.356684: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: selfservus...@testrelm.test
[2010] 1504979429.362816: Getting initial credentials for
selfservus...@testrelm.test
[2010] 1504979429.364886: Sending request (183 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[2]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.365050: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.365114: Sending TCP request to stream 10.19.41.54:88
[2010] 1504979429.366775: Received answer (186 bytes) from stream 10.19.41.54:88
[2010] 1504979429.366783: Terminating TCP connection to stream 10.19.41.54:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed
[/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.366833: Response was from master KDC
[2010] 1504979429.366849: Received error from KDC: -1765328361/Password has
expired
[2010] 1504979429.366866: Principal expired; getting changepw ticket
[2010] 1504979429.366871: Getting initial credentials for
selfservus...@testrelm.test
[2010] 1504979429.366885: Setting initial creds service to kadmin/changepw
[2010] 1504979429.366901: Sending request (178 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed
[/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[2] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[2]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.366951: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.366980: Sending TCP request to stream 10.19.41.54:88
[2010] 1504979429.369031: Received answer (308 bytes) from stream 10.19.41.54:88
[2010] 1504979429.369038: Terminating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.369064: Received error from KDC: -1765328359/Additional
pre-authentication required
[2010] 1504979429.369083: Processing preauth types: 16, 15, 14, 136, 19, 147,
2, 133
[2010] 1504979429.369094: Selected etype info: etype aes256-cts, salt
"g3,cY9a!,]I#?!mP", params ""
[2010] 1504979429.369096: Received cookie: MIT
[2010] 1504979429.369111: PKINIT client has no configured identity; giving up
[2010] 1504979429.369123: Preauth module pkinit (147) (info) returned: 0/Success
[2010] 1504979429.369130: PKINIT client has no configured identity; giving up
[2010] 1504979429.369134: Preauth module pkinit (16) (real) returned:
22/Invalid argument
[2010] 1504979429.369139: PKINIT client has no configured identity; giving up
[2010] 1504979429.369143: Preauth module pkinit (14) (real) returned:
22/Invalid argument
[2010] 1504979429.369148: PKINIT client has no configured identity; giving up
[2010] 1504979429.369157: Preauth module pkinit (14) (real) returned:
22/Invalid argument
Password for selfservus...@testrelm.test:
[2010] 1504979429.377997: AS key obtained for encrypted timestamp:
aes256-cts/15DF
[2010] 1504979429.378038: Encrypted timestamp (for 1504979429.377885): plain
301AA011180F32303137303930393137353032395AA105020305C41D, encrypted
724A100FDF786F4B706BEF70A1017CABF3825B16F5111CE381D1C02ECFAF081A75CB0E1B0140709720FE77E1C124344DDFF788DDA1DBBD0D
[2010] 1504979429.378048: Preauth module encrypted_timestamp (2) (real)
returned: 0/Success
[2010] 1504979429.378051: Produced preauth for next request: 133, 2
[2010] 1504979429.378060: Sending request (273 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed
[/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[2] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[2]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.378117: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.378151: Sending TCP request to stream 10.19.41.54:88
[2010] 1504979429.380629: Received answer (744 bytes) from stream 10.19.41.54:88
[2010] 1504979429.380650: Terminating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.380684: Processing preauth types: 19
[2010] 1504979429.380690: Selected etype info: etype aes256-cts, salt
"g3,cY9a!,]I#?!mP", params ""
[2010] 1504979429.380693: Produced preauth for next request: (empty)
[2010] 1504979429.380704: AS key determined by preauth: aes256-cts/15DF
[2010] 1504979429.380753: Decrypted AS reply; session key is: aes256-cts/0DC0
[2010] 1504979429.380766: FAST negotiation: available
[2010] 1504979429.380792: Attempting password change; 3 tries remaining
Password expired. You must change it now.
Enter new password:
Enter it again:
[2010] 1504979429.380839: Creating authenticator for
selfservus...@testrelm.test -> kadmin/chang...@testrelm.test, seqnum 0, subkey
aes256-cts/25FC, session key aes256-cts/0DC0
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed
[/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[2] locate_service[5]
[sssd_krb5_locator] addr[10.19.41.54:464] family[2] socktype[2]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[1] locate_service[5]
[sssd_krb5_locator] addr[10.19.41.54:464] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.380951: Sending initial UDP request to dgram 10.19.41.54:464
[2010] 1504979429.412096: Received answer (236 bytes) from dgram 10.19.41.54:464
[2010] 1504979429.412179: Read AP-REP, time 1504979429.380843, subkey
aes256-cts/25FC, seqnum 534540384
[2010] 1504979429.412213: Getting initial TGT with changed password
[2010] 1504979429.412220: Getting initial credentials for
selfservus...@testrelm.test
[2010] 1504979429.412279: Sending request (183 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed
[/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[2] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[2]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.413245: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.413512: Sending TCP request to stream 10.19.41.54:88
[2010] 1504979429.416335: Received answer (313 bytes) from stream 10.19.41.54:88
[2010] 1504979429.416343: Terminating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.416387: Received error from KDC: -1765328359/Additional
pre-authentication required
[2010] 1504979429.416421: Processing preauth types: 16, 15, 14, 136, 19, 147,
2, 133
[2010] 1504979429.416426: Selected etype info: etype aes256-cts, salt
"Py@@RV$)_8syq{7@", params ""
[2010] 1504979429.416428: Received cookie: MIT
[2010] 1504979429.416445: PKINIT client has no configured identity; giving up
[2010] 1504979429.416458: Preauth module pkinit (147) (info) returned: 0/Success
[2010] 1504979429.416467: PKINIT client has no configured identity; giving up
[2010] 1504979429.416472: Preauth module pkinit (16) (real) returned:
22/Invalid argument
[2010] 1504979429.416478: PKINIT client has no configured identity; giving up
[2010] 1504979429.416482: Preauth module pkinit (14) (real) returned:
22/Invalid argument
[2010] 1504979429.416487: PKINIT client has no configured identity; giving up
[2010] 1504979429.416491: Preauth module pkinit (14) (real) returned:
22/Invalid argument
[2010] 1504979429.424898: AS key obtained for encrypted timestamp:
aes256-cts/D927
[2010] 1504979429.424928: Encrypted timestamp (for 1504979429.424460): plain
301AA011180F32303137303930393137353032395AA1050203067A0C, encrypted
A06565BC61A85C400D1C6A392DEE704D8597EA81FCC3FF9CBCAE7FA7E65F9CB145DC92C2985DCA86280176D9B6F4AF3A0CD2F95C097A842D
[2010] 1504979429.424935: Preauth module encrypted_timestamp (2) (real)
returned: 0/Success
[2010] 1504979429.424938: Produced preauth for next request: 133, 2
[2010] 1504979429.424946: Sending request (278 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed
[/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[2] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[2]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST]
family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.424998: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.425026: Sending TCP request to stream 10.19.41.54:88
[2010] 1504979429.430744: Received answer (755 bytes) from stream 10.19.41.54:88
[2010] 1504979429.430752: Terminating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.430796: Processing preauth types: 19
[2010] 1504979429.430803: Selected etype info: etype aes256-cts, salt
"Py@@RV$)_8syq{7@", params ""
[2010] 1504979429.430807: Produced preauth for next request: (empty)
[2010] 1504979429.430812: AS key determined by preauth: aes256-cts/D927
[2010] 1504979429.430840: Decrypted AS reply; session key is: aes256-cts/B4D9
[2010] 1504979429.430849: FAST negotiation: available
[2010] 1504979429.430871: Initializing KEYRING:persistent:0:0 with default
princ selfservus...@testrelm.test
[2010] 1504979429.430918: Storing selfservus...@testrelm.test ->
krbtgt/testrelm.t...@testrelm.test in KEYRING:persistent:0:0
[2010] 1504979429.430949: Storing config in KEYRING:persistent:0:0 for
krbtgt/testrelm.t...@testrelm.test: fast_avail: yes
[2010] 1504979429.430962: Storing selfservus...@testrelm.test ->
krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF:
in KEYRING:persistent:0:0
[2010] 1504979429.430988: Storing config in KEYRING:persistent:0:0 for
krbtgt/testrelm.t...@testrelm.test: pa_type: 2
[2010] 1504979429.430996: Storing selfservus...@testrelm.test ->
krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF:
in KEYRING:persistent:0:0
Authenticated to Kerberos v5
Default principal: selfservus...@testrelm.test
:: [ 13:50:29 ] :: kinit as selfservuser1 with new password passw0rd1 was
successful.
--------------------------
Added user "selfservuser1"
--------------------------
User login: selfservuser1
First name: first
Last name: last
Full name: first last
Display name: first last
Initials: fl
Home directory: /home/selfservuser1
GECOS: first last
Login shell: /bin/sh
Principal name: selfservus...@testrelm.test
Principal alias: selfservus...@testrelm.test
Email address: selfservus...@testrelm.test
UID: 1033600021
GID: 1033600021
Password: True
Member of groups: ipausers
Kerberos keys available: True
:: [ PASS ] :: add test user account (Expected 0, got 0)
:: [ BEGIN ] :: Running 'FirstKinitAs selfservuser1 dummy...@ipa.com
passw0rd1'
[2085] 1504880246.717409: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: selfservus...@testrelm.test
[2087] 1504880246.723854: Getting initial credentials for
selfservus...@testrelm.test
[2087] 1504880246.725923: Sending request (183 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[2087] 1504880246.726052: Resolving hostname kvm-02-guest23.testrelm.test
[2087] 1504880246.726388: Initiating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.726467: Sending TCP request to stream 10.16.68.129:88
[2087] 1504880246.728536: Received answer (186 bytes) from stream
10.16.68.129:88
[2087] 1504880246.728544: Terminating TCP connection to stream 10.16.68.129:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[2087] 1504880246.728603: Response was from master KDC
[2087] 1504880246.728636: Received error from KDC: -1765328361/Password has
expired
[2087] 1504880246.728655: Principal expired; getting changepw ticket
[2087] 1504880246.728661: Getting initial credentials for
selfservus...@testrelm.test
[2087] 1504880246.728676: Setting initial creds service to kadmin/changepw
[2087] 1504880246.728693: Sending request (178 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[2087] 1504880246.728709: Resolving hostname kvm-02-guest23.testrelm.test
[2087] 1504880246.728780: Initiating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.728811: Sending TCP request to stream 10.16.68.129:88
[2087] 1504880246.730875: Received answer (308 bytes) from stream
10.16.68.129:88
[2087] 1504880246.730882: Terminating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.730906: Received error from KDC: -1765328359/Additional
pre-authentication required
[2087] 1504880246.730925: Processing preauth types: 16, 15, 14, 136, 19, 147,
2, 133
[2087] 1504880246.730936: Selected etype info: etype aes256-cts, salt
"IW9`+Bl+'dxuYHbk", params ""
[2087] 1504880246.730939: Received cookie: MIT
[2087] 1504880246.730952: PKINIT client has no configured identity; giving up
[2087] 1504880246.730965: Preauth module pkinit (147) (info) returned: 0/Success
[2087] 1504880246.730971: PKINIT client has no configured identity; giving up
[2087] 1504880246.730982: Preauth module pkinit (16) (real) returned:
22/Invalid argument
[2087] 1504880246.730987: PKINIT client has no configured identity; giving up
[2087] 1504880246.730991: Preauth module pkinit (14) (real) returned:
22/Invalid argument
[2087] 1504880246.730995: PKINIT client has no configured identity; giving up
[2087] 1504880246.730999: Preauth module pkinit (14) (real) returned:
22/Invalid argument
Password for selfservus...@testrelm.test:
[2087] 1504880246.740078: AS key obtained for encrypted timestamp:
aes256-cts/499B
[2087] 1504880246.740125: Encrypted timestamp (for 1504880246.739952): plain
301AA011180F32303137303930383134313732365AA10502030B4A70, encrypted
B551CD21FE48C30DA246AB740E90048E2A38C4288EB6DEFD9D139937EFFACC074D1EDD786E1E201BB1690EF483BECD0EC98387E62DA2E274
[2087] 1504880246.740153: Preauth module encrypted_timestamp (2) (real)
returned: 0/Success
[2087] 1504880246.740156: Produced preauth for next request: 133, 2
[2087] 1504880246.740169: Sending request (273 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[2087] 1504880246.740201: Resolving hostname kvm-02-guest23.testrelm.test
[2087] 1504880246.740342: Initiating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.740393: Sending TCP request to stream 10.16.68.129:88
[2087] 1504880246.743192: Received answer (744 bytes) from stream
10.16.68.129:88
[2087] 1504880246.743199: Terminating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.743233: Processing preauth types: 19
[2087] 1504880246.743240: Selected etype info: etype aes256-cts, salt
"IW9`+Bl+'dxuYHbk", params ""
[2087] 1504880246.743243: Produced preauth for next request: (empty)
[2087] 1504880246.743249: AS key determined by preauth: aes256-cts/499B
[2087] 1504880246.743285: Decrypted AS reply; session key is: aes256-cts/756D
[2087] 1504880246.743325: FAST negotiation: available
[2087] 1504880246.743360: Attempting password change; 3 tries remaining
Password expired. You must change it now.
Enter new password:
Enter it again:
[2087] 1504880246.743415: Creating authenticator for
selfservus...@testrelm.test -> kadmin/chang...@testrelm.test, seqnum 0, subkey
aes256-cts/583E, session key aes256-cts/756D
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[2087] 1504880246.743980: Resolving hostname ibm-x3650m4-01-vm-05.testrelm.test.
[2087] 1504880246.744368: Sending initial UDP request to dgram
2620:52:0:102f:5054:1ff:fe3c:e12d:464
[2087] 1504880246.813550: Received answer (248 bytes) from dgram
2620:52:0:102f:5054:1ff:fe3c:e12d:464
[2087] 1504880246.813683: Read AP-REP, time 1504880246.743419, subkey
aes256-cts/583E, seqnum 1071928275
[2087] 1504880246.813717: Getting initial TGT with changed password
[2087] 1504880246.813723: Getting initial credentials for
selfservus...@testrelm.test
[2087] 1504880246.813784: Sending request (183 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[2087] 1504880246.813835: Resolving hostname kvm-02-guest23.testrelm.test
[2087] 1504880246.814002: Initiating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.814048: Sending TCP request to stream 10.16.68.129:88
[2087] 1504880246.816774: Received answer (186 bytes) from stream
10.16.68.129:88
[2087] 1504880246.816781: Terminating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.816811: Received error from KDC: -1765328361/Password has
expired
kinit: Password has expired while getting initial credentials
klist: Credentials cache keyring 'persistent:0:0' not found
:: [ 10:17:26 ] :: ERROR: kinit as selfservuser1 with new password passw0rd1
failed.
:: [ FAIL ] :: Command 'FirstKinitAs selfservuser1 dummy...@ipa.com
passw0rd1' (Expected 0, got 1)
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
