On (12/09/17 18:44), Sumit Bose wrote:
>On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
>> ehlo,
>>
>> I realized that it might be better to discuss it here rather than in
>> pull requests because it seems to be related to two different commits.
>>
>> I will describe a test case on master with an already created replica on another
>> host.
>> * kinit as admin
>> // create user with dummy password
>> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>>       --password
>>
>> // adding sleep; I think that the first kinit sometimes hits the slave and the user
>> // is not replicated yet.
>> * sleep 2
>> * FirstKinitAs $login $dummypw $password
>>
>> FirstKinitAs is a bash function which changes the initial password,
>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>>
>> Such a test works reliably with 1.15.3 and kinit always talks to the local master
>> (I didn't try to remove sleep 2)
>>
>>
>> But the situation changed a little bit with git master due to the following commits
>> IPA: Only generate kdcinfo files on clients
>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>
>Do you have the /etc/krb5.conf available from the host where the test
>failed? The above patch was written with the assumption that
>/etc/krb5.conf on the IPA server points to the server itself as
>ipa-server-install creates it:
>
>[realms]
> IPA.DEVEL = {
>  kdc = ipa-devel.ipa.devel:88
>  master_kdc = ipa-devel.ipa.devel:88
>  admin_server = ipa-devel.ipa.devel:749
>  default_domain = ipa.devel
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
>Currently I would assume that at least admin_server is missing.
>

Here you are.

local master: kvm-02-guest11.testrelm.test
replica: bkr-hv01-guest19.testrelm.test
[root@kvm-02-guest11 ~]# cat /etc/krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTRELM.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 TESTRELM.TEST = {
  kdc = kvm-02-guest11.testrelm.test:88
  master_kdc = kvm-02-guest11.testrelm.test:88
  admin_server = kvm-02-guest11.testrelm.test:749
  default_domain = testrelm.test
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 }

[domain_realm]
 .testrelm.test = TESTRELM.TEST
 testrelm.test = TESTRELM.TEST
 kvm-02-guest11.testrelm.test = TESTRELM.TEST

[dbmodules]
 TESTRELM.TEST = {
  db_library = ipadb.so
 }

[root@kvm-02-guest11 ~]# ls /etc/krb5.conf.d/
ipa-certauth
[root@kvm-02-guest11 ~]# cat /etc/krb5.conf.d/ipa-certauth
[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }
[root@kvm-02-guest11 ~]# ls /var/lib/sss/pubconf/krb5.include.d/
domain_realm_testrelm_test  krb5_libdefaults  localauth_plugin
[root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_testrelm_test
[domain_realm]
[root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
[libdefaults]
 canonicalize = true
[root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

-------------------------
Added user "delegatuser2"
-------------------------
  User login: delegatuser2
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/delegatuser2
  GECOS: first last
  Login shell: /bin/sh
  Principal name: delegatus...@testrelm.test
  Principal alias: delegatus...@testrelm.test
  Email address: delegatus...@testrelm.test
  UID: 1622800023
  GID: 1622800023
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
:: [   PASS   ] :: add test user account (Expected 0, got 0)
:: [  BEGIN   ] :: Running 'FirstKinitAs delegatuser2 dummy...@ipa.com passw0rd1'
[3190] 1505997473.156106: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: delegatus...@testrelm.test
[3192] 1505997473.161781: Getting initial credentials for delegatus...@testrelm.test
[3192] 1505997473.163737: Sending request (182 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.163848: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.164170: Initiating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.164235: Sending TCP request to stream 10.16.68.117:88
[3192] 1505997473.165916: Received answer (185 bytes) from stream 10.16.68.117:88
[3192] 1505997473.165924: Terminating TCP connection to stream 10.16.68.117:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.165968: Response was from master KDC
[3192] 1505997473.166001: Received error from KDC: -1765328361/Password has expired
[3192] 1505997473.166019: Principal expired; getting changepw ticket
[3192] 1505997473.166025: Getting initial credentials for delegatus...@testrelm.test
[3192] 1505997473.166040: Setting initial creds service to kadmin/changepw
[3192] 1505997473.166057: Sending request (177 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.166074: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.166175: Initiating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.166212: Sending TCP request to stream 10.16.68.117:88
[3192] 1505997473.167923: Received answer (307 bytes) from stream 10.16.68.117:88
[3192] 1505997473.167930: Terminating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.167956: Received error from KDC: -1765328359/Additional pre-authentication required
[3192] 1505997473.167975: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[3192] 1505997473.167986: Selected etype info: etype aes256-cts, salt "k^pE1RcGTiTV+B^z", params ""
[3192] 1505997473.167989: Received cookie: MIT
[3192] 1505997473.168002: PKINIT client has no configured identity; giving up
[3192] 1505997473.168014: Preauth module pkinit (147) (info) returned: 0/Success
[3192] 1505997473.168020: PKINIT client has no configured identity; giving up
[3192] 1505997473.168032: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[3192] 1505997473.168037: PKINIT client has no configured identity; giving up
[3192] 1505997473.168041: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[3192] 1505997473.168046: PKINIT client has no configured identity; giving up
[3192] 1505997473.168049: Preauth module pkinit (14) (real) returned: 22/Invalid argument
Password for delegatus...@testrelm.test:
[3192] 1505997473.178371: AS key obtained for encrypted timestamp: aes256-cts/B60B
[3192] 1505997473.178425: Encrypted timestamp (for 1505997473.178262): plain 301AA011180F32303137303932313132333735335AA105020302B856, encrypted 75BDE01CE518AA302EF19F306BFD673D9826B688CDC279D0612EBAC58F427D18B83396D82D26401BF17C982B422B2C990B8E50B96760B4FA
[3192] 1505997473.178455: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[3192] 1505997473.178459: Produced preauth for next request: 133, 2
[3192] 1505997473.178472: Sending request (272 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.178503: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.178645: Initiating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.178728: Sending TCP request to stream 10.16.68.117:88
[3192] 1505997473.181321: Received answer (742 bytes) from stream 10.16.68.117:88
[3192] 1505997473.181330: Terminating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.181369: Processing preauth types: 19
[3192] 1505997473.181376: Selected etype info: etype aes256-cts, salt "k^pE1RcGTiTV+B^z", params ""
[3192] 1505997473.181380: Produced preauth for next request: (empty)
[3192] 1505997473.181386: AS key determined by preauth: aes256-cts/B60B
[3192] 1505997473.181426: Decrypted AS reply; session key is: aes256-cts/0A8F
[3192] 1505997473.181440: FAST negotiation: available
[3192] 1505997473.181489: Attempting password change; 3 tries remaining
Password expired. You must change it now.
Enter new password:
Enter it again:
[3192] 1505997473.181542: Creating authenticator for delegatus...@testrelm.test -> kadmin/chang...@testrelm.test, seqnum 0, subkey aes256-cts/4B37, session key aes256-cts/0A8F
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.182186: Resolving hostname bkr-hv01-guest19.testrelm.test.
[3192] 1505997473.182599: Sending initial UDP request to dgram 2620:52:0:1329:216:3eff:fe27:7207:464
[3192] 1505997473.220273: Received answer (248 bytes) from dgram 2620:52:0:1329:216:3eff:fe27:7207:464
[3192] 1505997473.220380: Read AP-REP, time 1505997473.181546, subkey aes256-cts/4B37, seqnum 256549514
[3192] 1505997473.220416: Getting initial TGT with changed password
[3192] 1505997473.220423: Getting initial credentials for delegatus...@testrelm.test
[3192] 1505997473.220468: Sending request (182 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[3192] 1505997473.220502: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.220620: Initiating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.220667: Sending TCP request to stream 10.16.68.117:88
[3192] 1505997473.222921: Received answer (185 bytes) from stream 10.16.68.117:88
[3192] 1505997473.222930: Terminating TCP connection to stream 10.16.68.117:88
[3192] 1505997473.222979: Received error from KDC: -1765328361/Password has expired
kinit: Password has expired while getting initial credentials
klist: Credentials cache keyring 'persistent:0:0' not found
:: [ 08:37:53 ] :: ERROR: kinit as delegatuser2 with new password passw0rd1 failed.
:: [   FAIL   ] :: Command 'FirstKinitAs delegatuser2 dummy...@ipa.com passw0rd1' (Expected 0, got 1)
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
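As an added diagnostic, not code from this thread or from SSSD: a small Python parser over KRB5_TRACE output that records which host each phase of an expired-password kinit resolved, and flags the pattern visible in the trace above, where the kpasswd exchange reached the replica (found via DNS because no kdcinfo file existed for the sssd locator) while the following AS-REQ went to master_kdc and failed with "Password has expired". The embedded trace is a constructed, abridged copy of the run above; the phase names and the `kdcinfo_missing` field are the example's own.

```python
import re

# Constructed, abridged KRB5_TRACE output modelled on the kinit -V run in this thread.
SAMPLE_TRACE = """\
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[3192] 1505997473.163848: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.166040: Setting initial creds service to kadmin/changepw
[3192] 1505997473.166074: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.181489: Attempting password change; 3 tries remaining
[3192] 1505997473.182186: Resolving hostname bkr-hv01-guest19.testrelm.test.
[3192] 1505997473.220416: Getting initial TGT with changed password
[3192] 1505997473.220502: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.222979: Received error from KDC: -1765328361/Password has expired
"""
KDCINFO_MISSING = re.compile(r"\[sssd_krb5_locator\] open failed \[([^\]]+)\]")
RESOLVE = re.compile(r"Resolving hostname (\S+?)\.?$")
KDC_ERROR = re.compile(r"Received error from KDC: (-?\d+)/(.+)$")
# Trace lines that open each phase of a kinit against an expired password.
PHASE_MARKERS = (
    ("Setting initial creds service to kadmin/changepw", "changepw-ticket"),
    ("Attempting password change", "kpasswd"),
    ("Getting initial TGT with changed password", "as-req-new-password"),
)

def parse_trace(trace):
    """Split the trace into phases and record which host answered each one."""
    phases = [{"name": "as-req", "hosts": [], "errors": []}]
    kdcinfo_missing = set()
    for line in trace.splitlines():
        for marker, name in PHASE_MARKERS:
            if marker in line:
                phases.append({"name": name, "hosts": [], "errors": []})
        cur = phases[-1]
        if m := KDCINFO_MISSING.search(line):
            kdcinfo_missing.add(m.group(1))
        elif m := RESOLVE.search(line):
            cur["hosts"].append(m.group(1))   # trailing dot of DNS names stripped
        elif m := KDC_ERROR.search(line):
            cur["errors"].append((int(m.group(1)), m.group(2)))
    return {"phases": phases, "kdcinfo_missing": sorted(kdcinfo_missing)}

def diagnose(report):
    by_name = {p["name"]: p for p in report["phases"]}
    findings = []
    if report["kdcinfo_missing"]:
        findings.append("no kdcinfo file for the sssd locator; libkrb5 fell back to krb5.conf/DNS")
    kp = by_name.get("kpasswd", {"hosts": []})["hosts"]
    rt = by_name.get("as-req-new-password", {"hosts": []})["hosts"]
    if kp and rt and kp[-1] != rt[-1]:   # password set on one host, new TGT asked of another
        findings.append(f"password changed on {kp[-1]} but new TGT requested from {rt[-1]}")
    return findings
```

Run it as `KRB5_TRACE=/dev/stderr kinit -V user 2> trace.log` followed by `diagnose(parse_trace(open("trace.log").read()))`; an empty list means every phase stayed on one KDC.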