On (12/09/17 18:44), Sumit Bose wrote:
>On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
>> ehlo,
>> 
>> I realized that it might be better to discuss this here rather than in the
>> pull requests, because it seems to be related to two different commits.
>> 
>> I will describe a test case on master with already created replica on another
>> host.
>> * kinit as admin
>>     // create user with dummy password
>> * echo $dummypw | ipa user-add $login --first "$firstname" --last 
>> "$lastname" \
>>                                --password
>> 
>>     // The sleep was added because I think the first kinit sometimes hits the
>>     // replica before the user has been replicated there.
>> * sleep 2
>> * FirstKinitAs $login $dummypw $password
>> 
>> FirstKinitAs is a bash function which changes the initial password,
>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V 
>> $username
>> 
>> Such a test works reliably with 1.15.3, and kinit always talks to the local master
>> (I didn't try removing the sleep 2).
>> 
>> 
>> But the situation changed a little with git master, due to the following commits:
>> IPA: Only generate kdcinfo files on clients
>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>
>Do you have the /etc/krb5.conf from the host where the test failed? The
>above patch was written with the assumption that /etc/krb5.conf on the IPA
>server points to the server itself, as ipa-server-install creates it:
>
>[realms]
> IPA.DEVEL = {
>  kdc = ipa-devel.ipa.devel:88
>  master_kdc = ipa-devel.ipa.devel:88
>  admin_server = ipa-devel.ipa.devel:749
>  default_domain = ipa.devel
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
>}
>
>Currently I would assume that at least admin_server is missing.
>
Here you are. Note in the kinit trace below that, with no kdcinfo file on the server (the sssd_krb5_locator plugin fails to open it), the AS requests still go to the local master from the [realms] entry, but the kpasswd request (port 464) is resolved to the replica bkr-hv01-guest19 instead — presumably via DNS SRV lookup, since dns_lookup_kdc = true. The password is therefore changed on the replica, and the following AS request to the master fails with "Password has expired" because the change has not been replicated back yet.
local master: kvm-02-guest11.testrelm.test
replica: bkr-hv01-guest19.testrelm.test

[root@kvm-02-guest11 ~]# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTRELM.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 TESTRELM.TEST = {
  kdc = kvm-02-guest11.testrelm.test:88
  master_kdc = kvm-02-guest11.testrelm.test:88
  admin_server = kvm-02-guest11.testrelm.test:749
  default_domain = testrelm.test
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
 .testrelm.test = TESTRELM.TEST
 testrelm.test = TESTRELM.TEST
 kvm-02-guest11.testrelm.test = TESTRELM.TEST

[dbmodules]
  TESTRELM.TEST = {
    db_library = ipadb.so
  }



[root@kvm-02-guest11 ~]# ls /etc/krb5.conf.d/
ipa-certauth
[root@kvm-02-guest11 ~]# cat /etc/krb5.conf.d/ipa-certauth
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }



[root@kvm-02-guest11 ~]# ls /var/lib/sss/pubconf/krb5.include.d/
domain_realm_testrelm_test  krb5_libdefaults  localauth_plugin
[root@kvm-02-guest11 ~]# cat 
/var/lib/sss/pubconf/krb5.include.d/domain_realm_testrelm_test
[domain_realm]
[root@kvm-02-guest11 ~]# cat 
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
[libdefaults]
 canonicalize = true
[root@kvm-02-guest11 ~]# cat 
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }






-------------------------
Added user "delegatuser2"
-------------------------
  User login: delegatuser2
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/delegatuser2
  GECOS: first last
  Login shell: /bin/sh
  Principal name: delegatus...@testrelm.test
  Principal alias: delegatus...@testrelm.test
  Email address: delegatus...@testrelm.test
  UID: 1622800023
  GID: 1622800023
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
:: [   PASS   ] :: add test user account (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'FirstKinitAs delegatuser2 dummy...@ipa.com 
passw0rd1'
[3190] 1505997473.156106: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: delegatus...@testrelm.test
[3192] 1505997473.161781: Getting initial credentials for 
delegatus...@testrelm.test
[3192] 1505997473.163737: Sending request (182 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed 
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.163848: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.164170: Initiating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.164235: Sending TCP request to stream 10.16.68.117:88
[3192] 1505997473.165916: Received answer (185 bytes) from stream 
10.16.68.117:88
[3192] 1505997473.165924: Terminating TCP connection to stream 10.16.68.117:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed 
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.165968: Response was from master KDC
[3192] 1505997473.166001: Received error from KDC: -1765328361/Password has 
expired
[3192] 1505997473.166019: Principal expired; getting changepw ticket
[3192] 1505997473.166025: Getting initial credentials for 
delegatus...@testrelm.test
[3192] 1505997473.166040: Setting initial creds service to kadmin/changepw
[3192] 1505997473.166057: Sending request (177 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed 
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.166074: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.166175: Initiating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.166212: Sending TCP request to stream 10.16.68.117:88
[3192] 1505997473.167923: Received answer (307 bytes) from stream 
10.16.68.117:88
[3192] 1505997473.167930: Terminating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.167956: Received error from KDC: -1765328359/Additional 
pre-authentication required
[3192] 1505997473.167975: Processing preauth types: 16, 15, 14, 136, 19, 147, 
2, 133
[3192] 1505997473.167986: Selected etype info: etype aes256-cts, salt 
"k^pE1RcGTiTV+B^z", params ""
[3192] 1505997473.167989: Received cookie: MIT
[3192] 1505997473.168002: PKINIT client has no configured identity; giving up
[3192] 1505997473.168014: Preauth module pkinit (147) (info) returned: 0/Success
[3192] 1505997473.168020: PKINIT client has no configured identity; giving up
[3192] 1505997473.168032: Preauth module pkinit (16) (real) returned: 
22/Invalid argument
[3192] 1505997473.168037: PKINIT client has no configured identity; giving up
[3192] 1505997473.168041: Preauth module pkinit (14) (real) returned: 
22/Invalid argument
[3192] 1505997473.168046: PKINIT client has no configured identity; giving up
[3192] 1505997473.168049: Preauth module pkinit (14) (real) returned: 
22/Invalid argument
Password for delegatus...@testrelm.test: 
[3192] 1505997473.178371: AS key obtained for encrypted timestamp: 
aes256-cts/B60B
[3192] 1505997473.178425: Encrypted timestamp (for 1505997473.178262): plain 
301AA011180F32303137303932313132333735335AA105020302B856, encrypted 
75BDE01CE518AA302EF19F306BFD673D9826B688CDC279D0612EBAC58F427D18B83396D82D26401BF17C982B422B2C990B8E50B96760B4FA
[3192] 1505997473.178455: Preauth module encrypted_timestamp (2) (real) 
returned: 0/Success
[3192] 1505997473.178459: Produced preauth for next request: 133, 2
[3192] 1505997473.178472: Sending request (272 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed 
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.178503: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.178645: Initiating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.178728: Sending TCP request to stream 10.16.68.117:88
[3192] 1505997473.181321: Received answer (742 bytes) from stream 
10.16.68.117:88
[3192] 1505997473.181330: Terminating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.181369: Processing preauth types: 19
[3192] 1505997473.181376: Selected etype info: etype aes256-cts, salt 
"k^pE1RcGTiTV+B^z", params ""
[3192] 1505997473.181380: Produced preauth for next request: (empty)
[3192] 1505997473.181386: AS key determined by preauth: aes256-cts/B60B
[3192] 1505997473.181426: Decrypted AS reply; session key is: aes256-cts/0A8F
[3192] 1505997473.181440: FAST negotiation: available
[3192] 1505997473.181489: Attempting password change; 3 tries remaining
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[3192] 1505997473.181542: Creating authenticator for delegatus...@testrelm.test 
-> kadmin/chang...@testrelm.test, seqnum 0, subkey aes256-cts/4B37, session key 
aes256-cts/0A8F
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed 
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.182186: Resolving hostname bkr-hv01-guest19.testrelm.test.
[3192] 1505997473.182599: Sending initial UDP request to dgram 
2620:52:0:1329:216:3eff:fe27:7207:464
[3192] 1505997473.220273: Received answer (248 bytes) from dgram 
2620:52:0:1329:216:3eff:fe27:7207:464
[3192] 1505997473.220380: Read AP-REP, time 1505997473.181546, subkey 
aes256-cts/4B37, seqnum 256549514
[3192] 1505997473.220416: Getting initial TGT with changed password
[3192] 1505997473.220423: Getting initial credentials for 
delegatus...@testrelm.test
[3192] 1505997473.220468: Sending request (182 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed 
[/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.220502: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.220620: Initiating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.220667: Sending TCP request to stream 10.16.68.117:88
[3192] 1505997473.222921: Received answer (185 bytes) from stream 
10.16.68.117:88
[3192] 1505997473.222930: Terminating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.222979: Received error from KDC: -1765328361/Password has 
expired
kinit: Password has expired while getting initial credentials
klist: Credentials cache keyring 'persistent:0:0' not found
:: [ 08:37:53 ] :: ERROR: kinit as delegatuser2 with new password passw0rd1 
failed.
:: [   FAIL   ] :: Command 'FirstKinitAs delegatuser2 dummy...@ipa.com 
passw0rd1' (Expected 0, got 1)