Sumit Bose <sb...@redhat.com> writes:

> On Thu, Sep 21, 2017 at 04:52:32PM +0200, Lukas Slebodnik wrote:
>> On (12/09/17 18:44), Sumit Bose wrote:
>>> On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
>>>> ehlo,
>>>> 
>>>> I realized that it might be better to discuss it here rather than in
>>>> pull requests because it seems to be related to two different commits.
>>>> 
>>>> I will describe a test case on master with an already created replica on
>>>> another host.
>>>> * kinit as admin
>>>>     // create user with dummy password
>>>> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>>>>                                --password
>>>> 
>>>>     // adding sleep; I think that the first kinit sometimes hits the slave
>>>>     // and the user is not replicated yet.
>>>> * sleep 2
>>>> * FirstKinitAs $login $dummypw $password
>>>> 
>>>> FirstKinitAs is a bash function which changes the initial password,
>>>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>>>> 
>>>> Such a test works reliably with 1.15.3 and kinit always talks to the local master
>>>> (I didn't try to remove sleep 2)
>>>> 
>>>> 
>>>> But the situation changed a little bit with git master due to the following commits:
>>>> IPA: Only generate kdcinfo files on clients
>>>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>>>
>>> Do you have the /etc/krb5.conf available from the host where the
>>> test failed? The above patch was written with the assumption that
>>> /etc/krb5.conf on the IPA server points to the server itself, as
>>> ipa-server-install creates it:
>>>
>>> [realms]
>>>  IPA.DEVEL = {
>>>   kdc = ipa-devel.ipa.devel:88
>>>   master_kdc = ipa-devel.ipa.devel:88
>>>   admin_server = ipa-devel.ipa.devel:749
>>>   default_domain = ipa.devel
>>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>  }
>>>
>>> Currently I would assume that at least admin_server is missing.
>>>
>> Here you are.
>> local master: kvm-02-guest11.testrelm.test
>> replica: bkr-hv01-guest19.testrelm.test
>> 
>> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
>> includedir /etc/krb5.conf.d/
>> includedir /var/lib/sss/pubconf/krb5.include.d/
>> 
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>> 
>> [libdefaults]
>>  default_realm = TESTRELM.TEST
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = true
>>  rdns = false
>>  ticket_lifetime = 24h
>>  forwardable = true
>>  udp_preference_limit = 0
>>  default_ccache_name = KEYRING:persistent:%{uid}
>> 
>> [realms]
>>  TESTRELM.TEST = {
>>   kdc = kvm-02-guest11.testrelm.test:88
>>   master_kdc = kvm-02-guest11.testrelm.test:88
>>   admin_server = kvm-02-guest11.testrelm.test:749
>>   default_domain = testrelm.test
>>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
>>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
>> }
>
> Thank you, so the krb5.conf has the expected entries. I did some testing
> and found that libkrb5 does a DNS SRV lookup to find the kpasswd server
> although the man page says:
>
> """
>        kpasswd_server
>               Points to the server where all the password changes are
> performed.  If there is no such entry, the port 464 on the admin_server
> host will be tried.
> """
>
> To me it looks like the advertised fallback to admin_server if there is
> no kpasswd_server defined does not work.
>
> Robbie, is this expected or is it possible that there is an issue in
> libkrb5?

It's possible there's an issue, but I'd need to look more.  Could you
file a ticket so we can track it?

Thanks,
--Robbie
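The kpasswd_server rule quoted above, turned into a shell check that reports which host a realm's password changes are documented to reach (kpasswd_server if set, otherwise port 464 on the admin_server host). This is an added example, not code from the thread or from SSSD/krb5; the sample krb5.conf is constructed from the one Lukas posted, and the kpasswd default port 464 is assumed from RFC 3244.

```bash
#!/bin/bash
# Added example (not from the thread): apply the documented kpasswd_server
# fallback to a krb5.conf and print "host:port" for password changes.

kpasswd_target() {
    local conf="$1" realm="$2"
    awk -v realm="$realm" '
        # enter a new [section]; strip brackets and whitespace from its name
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); inblock = 0; next }
        # the "REALM = {" line inside [realms] opens the block we care about
        section == "realms" && $1 == realm && $2 == "=" && $3 == "{" { inblock = 1; next }
        inblock && /^[ \t]*\}/ { inblock = 0; next }
        inblock && $1 == "kpasswd_server" { kp = $3 }
        inblock && $1 == "admin_server"   { adm = $3 }
        END {
            if (kp != "") {
                if (kp !~ /:[0-9]+$/) kp = kp ":464"   # kpasswd default port (assumed)
                print kp
            } else if (adm != "") {
                sub(/:[0-9]+$/, "", adm)               # drop the kadmin port
                print adm ":464"
            } else {
                print "none"; exit 1
            }
        }
    ' "$conf"
}

# Write a constructed krb5.conf modelled on the one posted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
 default_realm = TESTRELM.TEST

[realms]
 TESTRELM.TEST = {
  kdc = kvm-02-guest11.testrelm.test:88
  master_kdc = kvm-02-guest11.testrelm.test:88
  admin_server = kvm-02-guest11.testrelm.test:749
 }
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
echo "password changes for TESTRELM.TEST go to: $(kpasswd_target "$conf" TESTRELM.TEST)"
rm -f "$conf"
```

If the printed host is not the master the test expects, the client is relying on DNS SRV records or a replica rather than the admin_server fallback the man page describes.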


_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
