On Thu, Sep 21, 2017 at 04:52:32PM +0200, Lukas Slebodnik wrote:
> On (12/09/17 18:44), Sumit Bose wrote:
> >On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
> >> ehlo,
> >> 
> >> I realized that it might be better to discuss it here rather than in
> >> pull requests because it seems to be related to two different commits.
> >> 
> >> I will describe a test case on master with an already created replica on another
> >> host.
> >> * kinit as admin
> >>     // create user with dummy password
> >> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
> >>                                --password
> >> 
> >>     // adding sleep; I think that the first kinit sometimes hits the slave and the
> >>     // user is not replicated yet.
> >> * sleep 2
> >> * FirstKinitAs $login $dummypw $password
> >> 
> >> FirstKinitAs is a bash function which changes the initial password,
> >> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
> >> 
> >> Such a test works reliably with 1.15.3 and kinit always talks to the local master
> >> (I didn't try to remove sleep 2)
> >> 
> >> 
> >> But the situation changed a little bit with git master due to the following commits
> >> IPA: Only generate kdcinfo files on clients
> >> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
> >
> >Do you have the /etc/krb5.conf available from the host where the test
> >failed? The above patch was written with the assumption that
> >/etc/krb5.conf on the IPA server points to the server itself, as
> >ipa-server-install creates it:
> >
> >[realms]
> > IPA.DEVEL = {
> >  kdc = ipa-devel.ipa.devel:88
> >  master_kdc = ipa-devel.ipa.devel:88
> >  admin_server = ipa-devel.ipa.devel:749
> >  default_domain = ipa.devel
> >  pkinit_anchors = FILE:/etc/ipa/ca.crt
> >}
> >
> >Currently I would assume that at least admin_server is missing.
> >
> Here you are.
> local master: kvm-02-guest11.testrelm.test
> replica: bkr-hv01-guest19.testrelm.test
> 
> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> includedir /etc/krb5.conf.d/
> includedir /var/lib/sss/pubconf/krb5.include.d/
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = TESTRELM.TEST
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  rdns = false
>  ticket_lifetime = 24h
>  forwardable = true
>  udp_preference_limit = 0
>  default_ccache_name = KEYRING:persistent:%{uid}
> 
> [realms]
>  TESTRELM.TEST = {
>   kdc = kvm-02-guest11.testrelm.test:88
>   master_kdc = kvm-02-guest11.testrelm.test:88
>   admin_server = kvm-02-guest11.testrelm.test:749
>   default_domain = testrelm.test
>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> }

Thank you, so the krb5.conf has the expected entries. I did some testing
and found that libkrb5 does a DNS SRV lookup to find the kpasswd server
although the man page says:

"""
       kpasswd_server
              Points to the server where all the password changes are
performed.  If there is no such entry, the port 464 on the admin_server
host will be tried.
"""

To me it looks like the advertised fallback to admin_server if there is
no kpasswd_server defined does not work.

Robbie, is this expected or is it possible that there is an issue in
libkrb5?

bye,
Sumit

> 
> [domain_realm]
>  .testrelm.test = TESTRELM.TEST
>  testrelm.test = TESTRELM.TEST
>  kvm-02-guest11.testrelm.test = TESTRELM.TEST
> 
> [dbmodules]
>   TESTRELM.TEST = {
>     db_library = ipadb.so
>   }
> 
> 
> 
> [root@kvm-02-guest11 ~]# ls /etc/krb5.conf.d/
> ipa-certauth
> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf.d/ipa-certauth
> [plugins]
>  certauth = {
>   module = ipakdb:kdb/ipadb.so
>   enable_only = ipakdb
>  }
> 
> 
> 
> [root@kvm-02-guest11 ~]# ls /var/lib/sss/pubconf/krb5.include.d/
> domain_realm_testrelm_test  krb5_libdefaults  localauth_plugin
> [root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_testrelm_test
> [domain_realm]
> [root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
> [libdefaults]
>  canonicalize = true
> [root@kvm-02-guest11 ~]# cat /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
> [plugins]
>  localauth = {
>   module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
>  }
> 
> -------------------------
> Added user "delegatuser2"
> -------------------------
>   User login: delegatuser2
>   First name: first
>   Last name: last
>   Full name: first last
>   Display name: first last
>   Initials: fl
>   Home directory: /home/delegatuser2
>   GECOS: first last
>   Login shell: /bin/sh
>   Principal name: delegatus...@testrelm.test
>   Principal alias: delegatus...@testrelm.test
>   Email address: delegatus...@testrelm.test
>   UID: 1622800023
>   GID: 1622800023
>   Password: True
>   Member of groups: ipausers
>   Kerberos keys available: True
> :: [   PASS   ] :: add test user account (Expected 0, got 0)
> :: [  BEGIN   ] :: Running 'FirstKinitAs delegatuser2 dummy...@ipa.com passw0rd1'
> [3190] 1505997473.156106: Destroying ccache KEYRING:persistent:0:0
> Using default cache: persistent:0:0
> Using principal: delegatus...@testrelm.test
> [3192] 1505997473.161781: Getting initial credentials for delegatus...@testrelm.test
> [3192] 1505997473.163737: Sending request (182 bytes) to TESTRELM.TEST
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [3192] 1505997473.163848: Resolving hostname kvm-02-guest11.testrelm.test
> [3192] 1505997473.164170: Initiating TCP connection to stream 10.16.68.117:88
> [3192] 1505997473.164235: Sending TCP request to stream 10.16.68.117:88
> [3192] 1505997473.165916: Received answer (185 bytes) from stream 10.16.68.117:88
> [3192] 1505997473.165924: Terminating TCP connection to stream 10.16.68.117:88
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [3192] 1505997473.165968: Response was from master KDC
> [3192] 1505997473.166001: Received error from KDC: -1765328361/Password has expired
> [3192] 1505997473.166019: Principal expired; getting changepw ticket
> [3192] 1505997473.166025: Getting initial credentials for delegatus...@testrelm.test
> [3192] 1505997473.166040: Setting initial creds service to kadmin/changepw
> [3192] 1505997473.166057: Sending request (177 bytes) to TESTRELM.TEST (master)
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [3192] 1505997473.166074: Resolving hostname kvm-02-guest11.testrelm.test
> [3192] 1505997473.166175: Initiating TCP connection to stream 10.16.68.117:88
> [3192] 1505997473.166212: Sending TCP request to stream 10.16.68.117:88
> [3192] 1505997473.167923: Received answer (307 bytes) from stream 10.16.68.117:88
> [3192] 1505997473.167930: Terminating TCP connection to stream 10.16.68.117:88
> [3192] 1505997473.167956: Received error from KDC: -1765328359/Additional pre-authentication required
> [3192] 1505997473.167975: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
> [3192] 1505997473.167986: Selected etype info: etype aes256-cts, salt "k^pE1RcGTiTV+B^z", params ""
> [3192] 1505997473.167989: Received cookie: MIT
> [3192] 1505997473.168002: PKINIT client has no configured identity; giving up
> [3192] 1505997473.168014: Preauth module pkinit (147) (info) returned: 0/Success
> [3192] 1505997473.168020: PKINIT client has no configured identity; giving up
> [3192] 1505997473.168032: Preauth module pkinit (16) (real) returned: 22/Invalid argument
> [3192] 1505997473.168037: PKINIT client has no configured identity; giving up
> [3192] 1505997473.168041: Preauth module pkinit (14) (real) returned: 22/Invalid argument
> [3192] 1505997473.168046: PKINIT client has no configured identity; giving up
> [3192] 1505997473.168049: Preauth module pkinit (14) (real) returned: 22/Invalid argument
> Password for delegatus...@testrelm.test: 
> [3192] 1505997473.178371: AS key obtained for encrypted timestamp: aes256-cts/B60B
> [3192] 1505997473.178425: Encrypted timestamp (for 1505997473.178262): plain 301AA011180F32303137303932313132333735335AA105020302B856, encrypted 75BDE01CE518AA302EF19F306BFD673D9826B688CDC279D0612EBAC58F427D18B83396D82D26401BF17C982B422B2C990B8E50B96760B4FA
> [3192] 1505997473.178455: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [3192] 1505997473.178459: Produced preauth for next request: 133, 2
> [3192] 1505997473.178472: Sending request (272 bytes) to TESTRELM.TEST (master)
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [3192] 1505997473.178503: Resolving hostname kvm-02-guest11.testrelm.test
> [3192] 1505997473.178645: Initiating TCP connection to stream 10.16.68.117:88
> [3192] 1505997473.178728: Sending TCP request to stream 10.16.68.117:88
> [3192] 1505997473.181321: Received answer (742 bytes) from stream 10.16.68.117:88
> [3192] 1505997473.181330: Terminating TCP connection to stream 10.16.68.117:88
> [3192] 1505997473.181369: Processing preauth types: 19
> [3192] 1505997473.181376: Selected etype info: etype aes256-cts, salt "k^pE1RcGTiTV+B^z", params ""
> [3192] 1505997473.181380: Produced preauth for next request: (empty)
> [3192] 1505997473.181386: AS key determined by preauth: aes256-cts/B60B
> [3192] 1505997473.181426: Decrypted AS reply; session key is: aes256-cts/0A8F
> [3192] 1505997473.181440: FAST negotiation: available
> [3192] 1505997473.181489: Attempting password change; 3 tries remaining
> Password expired.  You must change it now.
> Enter new password: 
> Enter it again: 
> [3192] 1505997473.181542: Creating authenticator for delegatus...@testrelm.test -> kadmin/chang...@testrelm.test, seqnum 0, subkey aes256-cts/4B37, session key aes256-cts/0A8F
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [3192] 1505997473.182186: Resolving hostname bkr-hv01-guest19.testrelm.test.
> [3192] 1505997473.182599: Sending initial UDP request to dgram 2620:52:0:1329:216:3eff:fe27:7207:464
> [3192] 1505997473.220273: Received answer (248 bytes) from dgram 2620:52:0:1329:216:3eff:fe27:7207:464
> [3192] 1505997473.220380: Read AP-REP, time 1505997473.181546, subkey aes256-cts/4B37, seqnum 256549514
> [3192] 1505997473.220416: Getting initial TGT with changed password
> [3192] 1505997473.220423: Getting initial credentials for delegatus...@testrelm.test
> [3192] 1505997473.220468: Sending request (182 bytes) to TESTRELM.TEST (master)
> [sssd_krb5_locator] sssd_krb5_locator_init called
> [sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
> [sssd_krb5_locator] get_krb5info failed.
> [sssd_krb5_locator] sssd_krb5_locator_close called
> [3192] 1505997473.220502: Resolving hostname kvm-02-guest11.testrelm.test
> [3192] 1505997473.220620: Initiating TCP connection to stream 10.16.68.117:88
> [3192] 1505997473.220667: Sending TCP request to stream 10.16.68.117:88
> [3192] 1505997473.222921: Received answer (185 bytes) from stream 10.16.68.117:88
> [3192] 1505997473.222930: Terminating TCP connection to stream 10.16.68.117:88
> [3192] 1505997473.222979: Received error from KDC: -1765328361/Password has expired
> kinit: Password has expired while getting initial credentials
> klist: Credentials cache keyring 'persistent:0:0' not found
> :: [ 08:37:53 ] :: ERROR: kinit as delegatuser2 with new password passw0rd1 failed.
> :: [   FAIL   ] :: Command 'FirstKinitAs delegatuser2 dummy...@ipa.com passw0rd1' (Expected 0, got 1)
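A small check for the question raised in this thread, added here as an example and not code from the thread, from SSSD or from MIT krb5: it reads the realm's kpasswd_server/admin_server from krb5.conf, follows the KRB5_TRACE output to see which host each port-464 (kpasswd) request actually went to, and reports any request that did not go to the host krb5.conf(5) says should be used. The sample config and trace lines are constructed from the values quoted above; the parsing assumes plain "host" or "host:port" entries.

```python
import re

# Constructed sample input, modelled on the krb5.conf and KRB5_TRACE output
# quoted in this thread (trimmed to the lines that matter here).
KRB5_CONF = """[realms]
 TESTRELM.TEST = {
  kdc = kvm-02-guest11.testrelm.test:88
  admin_server = kvm-02-guest11.testrelm.test:749
 }
"""
TRACE = """[3192] 1505997473.166074: Resolving hostname kvm-02-guest11.testrelm.test
[3192] 1505997473.166212: Sending TCP request to stream 10.16.68.117:88
[3192] 1505997473.182186: Resolving hostname bkr-hv01-guest19.testrelm.test.
[3192] 1505997473.182599: Sending initial UDP request to dgram 2620:52:0:1329:216:3eff:fe27:7207:464
"""
RESOLVE = re.compile(r"Resolving hostname (\S+)")
SEND = re.compile(r"Sending (?:initial )?(?:TCP|UDP) request to \S+ (\S+):(\d+)$")

def realm_settings(conf, realm):
    """Key/value pairs of one 'REALM = { ... }' block in the [realms] section."""
    section = re.search(r"^\[realms\]\s*$(.*?)(?=^\[|\Z)", conf, re.M | re.S)
    pattern = r"^\s*" + re.escape(realm) + r"\s*=\s*\{(.*?)^\s*\}"
    block = section and re.search(pattern, section.group(1), re.M | re.S)
    if not block:
        return {}
    pairs = (line.partition("=") for line in block.group(1).splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}

def expected_kpasswd_host(settings):
    """krb5.conf(5): kpasswd_server if set, otherwise admin_server (port 464).
    Assumes 'host' or 'host:port' values, not bracketed IPv6 literals."""
    target = settings.get("kpasswd_server") or settings.get("admin_server")
    return None if target is None else target.rsplit(":", 1)[0].rstrip(".")

def kpasswd_targets(trace):
    """(resolved hostname, address) for each request the trace sent to port 464."""
    last_host, targets = None, []
    for line in trace.splitlines():
        if m := RESOLVE.search(line):          # remember the last name libkrb5 resolved
            last_host = m.group(1).rstrip(".")
        elif (m := SEND.search(line)) and m.group(2) == "464":
            targets.append((last_host, m.group(1)))
    return targets

def misrouted_kpasswd(conf, trace, realm):
    """Port-464 requests that went to a host other than the configured one."""
    expected = expected_kpasswd_host(realm_settings(conf, realm))
    return [(expected, h, a) for h, a in kpasswd_targets(trace) if h != expected]
```

On the trace above the check reports the changepw request that went to the replica instead of the admin_server host, which is exactly the mismatch discussed in the thread.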
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org