On Thu, Sep 21, 2017 at 01:15:00PM +0200, Lukas Slebodnik wrote:
> On (12/09/17 15:45), Lukas Slebodnik wrote:
> >ehlo,
> >
> >I realized that it might be better to discuss it here rather than in
> >pull requests because it seems to be related to two different commits.
> >
> >I will describe a test case on master with an already created replica on
> >another host.
> >* kinit as admin
> >    // create user with dummy password
> >* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" --password
> >
> >    // adding a sleep; I think that the first kinit sometimes hits the slave
> >    // and the user is not replicated yet.
> >* sleep 2
> >* FirstKinitAs $login $dummypw $password
> >
> >FirstKinitAs is a bash function which changes the initial password,
> >something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
> >
> >Such a test works reliably with 1.15.3 and kinit always talks to the local
> >master (I didn't try to remove the sleep 2).
> >
> >
> >But the situation changed a little bit with git master due to the following commits
> >IPA: Only generate kdcinfo files on clients
> >https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
> 
> Jakub,
> Could you explain what was the purpose of the patch?

Protect against generating kdcinfo files that contain a different
address than the IPA master we are running on. The bug itself is just
additional protection from sssd messing up a valid krb5.conf
configuration.

> Because I do not think that patch fixes anything.
> 
> If there were some issues with generated kdcinfo files on ipa replicas,
> then I assume it is a bug in replica promotion which left _srv_ in
> ipa_server

Yes, but even if that bug is fixed, it is pointless to generate the
files, because the only address that will ever make sense is the IPA
server. And it should be already defined in krb5.conf.

> 
> https://pagure.io/freeipa/issue/7127
> https://github.com/freeipa/freeipa/pull/1005
> 
> Because my experience is that after reverting patch
> a309525cc47da726461aec1f238165c17aade2a6 sssd generates kdcinfo
> just for the local KDC server and sssd_krb5_locator_plugin.so will
> use it and not allow the krb5 libs to try SRV discovery.

Yes, but you don't want to allow SRV discovery on the masters. Only on
clients. But I thought krb5.conf should also contain only the local
master. Does the config file in the issue you saw contain something
else?

I mean, if we revert the patch and krb5.conf contains no records or multiple
records, then I think the libkrb5 configuration is broken and we are relying
on sssd injecting a valid value into an otherwise invalid krb5 configuration.

> 
> I might be wrong or I could miss something and there might be
> something else fishy in ipa*-install.
> 
> LS
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
