On (21/09/17 13:22), Jakub Hrozek wrote:
>On Thu, Sep 21, 2017 at 01:15:00PM +0200, Lukas Slebodnik wrote:
>> On (12/09/17 15:45), Lukas Slebodnik wrote:
>> >ehlo,
>> >
>> >I realized that it might be better to discuss it here rather than in
>> >pull requests because it seems to be related to two different commits.
>> >
>> >I will describe a test case on master with an already created replica on
>> >another host.
>> >* kinit as admin
>> > // create user with dummy password
>> >* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>> > --password
>> >
>> > // adding sleep; I think that the first kinit sometimes hits the slave and the
>> > // user is not replicated yet.
>> >* sleep 2
>> >* FirstKinitAs $login $dummypw $password
>> >
>> >FirstKinitAs is a bash function which changes the initial password,
>> >something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>> >
>> >Such a test works reliably with 1.15.3 and kinit always talks to the local master
>> >(I didn't try to remove sleep 2)
>> >
>> >
>> >But the situation changed a little bit with git master due to the following commit:
>> >IPA: Only generate kdcinfo files on clients
>> >https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>>
>> Jakub,
>> Could you explain what was the purpose of the patch?
>
>Protect against generating kdcinfo files that contain a different
>address than the IPA master we are running at. The bug itself is just
>additional protection from sssd messing up a valid krb5.conf
>configuration.
>
>> Because I do not think that patch fixes anything.
>>
>> If there were some issues with generated kdcinfo files on ipa replicas
>> then I assume it is a bug in replica promotion which left _srv_ in
>> ipa_server
>
>Yes, but even if that bug is fixed, it is pointless to generate the
>files, because the only address that will ever make sense is the IPA
>server. And it should be already defined in krb5.conf.
>
>>
>> https://pagure.io/freeipa/issue/7127
>> https://github.com/freeipa/freeipa/pull/1005
>>
>> Because my experience is that after reverting patch
>> a309525cc47da726461aec1f238165c17aade2a6 sssd generates kdcinfo
>> just for the local kdc server and sssd_krb5_locator_plugin.so will
>> use it and does not allow krb5 libs to try SRV discovery.
>
>Yes, but you don't want to allow SRV discovery on the masters. Only on
>clients. But I thought krb5.conf should also contain only the local
>master... does the config file in the issue you saw contain something
>else?
>
>I mean, if we revert the patch and krb5.conf contains no records or multiple
>records, then I think the libkrb5 configuration is broken and we are relying
>on sssd injecting a valid value into an otherwise invalid krb5 configuration.
>

I'm waiting for the machine to see the content of krb5.conf and then I'll check Sumit's assumption.

LS
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
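The disagreement above comes down to whether the kdcinfo file sssd writes for sssd_krb5_locator_plugin.so agrees with the kdc entries already present in krb5.conf on an IPA master. The following script is an added example, not code from this thread or from SSSD; it compares the two for one realm and reports any address the locator plugin would hand to libkrb5 that krb5.conf does not list. The realm name, file paths and sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example: cross-check sssd's kdcinfo.REALM against krb5.conf.
# Assumes the common layout "REALM = { kdc = host[:88] ... }" in krb5.conf
# and one KDC address per line in the kdcinfo file (both assumptions).

# Print the kdc= hosts (port 88 stripped) of REALM from a krb5.conf file.
krb5conf_kdcs() {
    # $1 = krb5.conf path, $2 = realm
    awk -v realm="$2" '
        $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" { sub(/:88$/, "", $3); print $3 }
    ' "$1" | sort -u
}

# Report kdcinfo entries missing from krb5.conf; return 1 if any were found.
check_kdcinfo() {
    # $1 = krb5.conf path, $2 = kdcinfo.REALM path, $3 = realm
    expected=$(krb5conf_kdcs "$1" "$3")
    rc=0
    while read -r addr || [ -n "$addr" ]; do
        [ -z "$addr" ] && continue
        host=${addr%:88}
        if ! printf '%s\n' "$expected" | grep -qxF "$host"; then
            echo "kdcinfo lists $addr but krb5.conf for $3 does not"
            rc=1
        fi
    done < "$2"
    return $rc
}

# Constructed sample: krb5.conf names only the local master, but the kdcinfo
# file also carries a replica, which is the situation the patch guards against.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/krb5.conf" <<'EOF'
[realms]
 IPA.EXAMPLE = {
  kdc = master.ipa.example:88
  admin_server = master.ipa.example:749
 }
EOF
    printf 'master.ipa.example:88\nreplica.ipa.example:88\n' > "$tmp/kdcinfo.IPA.EXAMPLE"
    check_kdcinfo "$tmp/krb5.conf" "$tmp/kdcinfo.IPA.EXAMPLE" IPA.EXAMPLE
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if demo; then echo "kdcinfo consistent with krb5.conf"; else echo "mismatch found"; fi
```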