On Tue, Oct 03, 2017 at 05:16:24PM -0400, Robbie Harwood wrote:
> Sumit Bose <sb...@redhat.com> writes:
> 
> > On Thu, Sep 21, 2017 at 04:52:32PM +0200, Lukas Slebodnik wrote:
> >> On (12/09/17 18:44), Sumit Bose wrote:
> >>> On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
> >>>> ehlo,
> >>>> 
> >>>> I realized that it might be better to discuss it here rather than in
> >>>> pull requests because it seems to be related to two different commits.
> >>>> 
> >>>> I will describe a test case on master with an already created replica on another host.
> >>>> * kinit as admin
> >>>>     // create user with dummy password
> >>>> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
> >>>>                                --password
> >>>> 
> >>>>     // adding sleep because I think that the first kinit sometimes hits the slave
> >>>>     // and the user is not replicated yet.
> >>>> * sleep 2
> >>>> * FirstKinitAs $login $dummypw $password
> >>>> 
> >>>> FirstKinitAs is a bash function which changes the initial password,
> >>>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
> >>>> 
> >>>> Such a test works reliably with 1.15.3 and kinit always talks to the local master
> >>>> (I didn't try to remove sleep 2)
> >>>> 
> >>>> 
> >>>> But the situation changed a little bit with git master due to the following commits:
> >>>> IPA: Only generate kdcinfo files on clients
> >>>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
> >>>
> >>> Do you have the /etc/krb5.conf available from the host where the
> >>> test failed? The above patch was written with the assumption that
> >>> /etc/krb5.conf on the IPA server points to the server itself as
> >>> ipa-server-install creates it:
> >>>
> >>> [realms]
> >>> IPA.DEVEL = {
> >>>  kdc = ipa-devel.ipa.devel:88
> >>>  master_kdc = ipa-devel.ipa.devel:88
> >>>  admin_server = ipa-devel.ipa.devel:749
> >>>  default_domain = ipa.devel
> >>>  pkinit_anchors = FILE:/etc/ipa/ca.crt
> >>> }
> >>>
> >>> Currently I would assume that at least admin_server is missing.
> >>>
> >> Here you are.
> >> local master: kvm-02-guest11.testrelm.test
> >> replica: bkr-hv01-guest19.testrelm.test
> >> 
> >> [root@kvm-02-guest11 ~]# cat /etc/krb5.conf
> >> includedir /etc/krb5.conf.d/
> >> includedir /var/lib/sss/pubconf/krb5.include.d/
> >> 
> >> [logging]
> >>  default = FILE:/var/log/krb5libs.log
> >>  kdc = FILE:/var/log/krb5kdc.log
> >>  admin_server = FILE:/var/log/kadmind.log
> >> 
> >> [libdefaults]
> >>  default_realm = TESTRELM.TEST
> >>  dns_lookup_realm = false
> >>  dns_lookup_kdc = true
> >>  rdns = false
> >>  ticket_lifetime = 24h
> >>  forwardable = true
> >>  udp_preference_limit = 0
> >>  default_ccache_name = KEYRING:persistent:%{uid}
> >> 
> >> [realms]
> >>  TESTRELM.TEST = {
> >>   kdc = kvm-02-guest11.testrelm.test:88
> >>   master_kdc = kvm-02-guest11.testrelm.test:88
> >>   admin_server = kvm-02-guest11.testrelm.test:749
> >>   default_domain = testrelm.test
> >>   pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
> >>   pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
> >> }
> >
> > Thank you, so the krb5.conf has the expected entries. I did some testing
> > and found that libkrb5 does a DNS SRV lookup to find the kpasswd server
> > although the man page says:
> >
> > """
> >        kpasswd_server
> >               Points to the server where all the password changes are
> > performed.  If there is no such entry, the port 464 on the admin_server
> > host will be tried.
> > """
> >
> > To me it looks like the advertised fallback to admin_server if there is
> > no kpasswd_server defined does not work.
> >
> > Robbie, is this expected or is it possible that there is an issue in
> > libkrb5?
> 
> It's possible there's an issue, but I'd need to look more.  Could you
> file a ticket so we can track it?

Thank you, I opened https://bugzilla.redhat.com/show_bug.cgi?id=1498347.

bye,
Sumit
> 
> Thanks,
> --Robbie
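
An added example, not part of the thread and not code from SSSD or MIT krb5: it applies the krb5.conf(5) rule quoted above (kpasswd_server if set, otherwise port 464 on the admin_server host) to a [realms] block and reports whether a realm relies on that fallback, which is exactly the case where the thread saw libkrb5 go to DNS SRV instead. The sample configuration is constructed after the one posted by Lukas; only the [realms] section is parsed.

```python
# Constructed krb5.conf fragment, modelled on the one posted in the thread.
SAMPLE_KRB5_CONF = """\
[realms]
 TESTRELM.TEST = {
  kdc = kvm-02-guest11.testrelm.test:88
  master_kdc = kvm-02-guest11.testrelm.test:88
  admin_server = kvm-02-guest11.testrelm.test:749
  default_domain = testrelm.test
 }
"""

def parse_realms(text):
    """Return {realm: {relation: [values]}} from the [realms] section only."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):    # section header
            section, realm = line[1:-1].lower(), None
        elif section != "realms":
            continue
        elif line.endswith("{"):                            # "REALM = {" opens a block
            realm = line[:-1].split("=")[0].strip()
            realms[realm] = {}
        elif line == "}":
            realm = None
        elif realm and "=" in line:                         # relations may repeat
            key, _, value = line.partition("=")
            realms[realm].setdefault(key.strip(), []).append(value.strip())
    return realms

def strip_port(hostport):
    """Drop a trailing :port, leaving bracketed IPv6 literals such as [::1] intact."""
    if hostport.endswith("]"):
        return hostport
    host, sep, port = hostport.rpartition(":")
    return host if sep and port.isdigit() else hostport

def expected_kpasswd_targets(text, realm):
    """Documented rule: kpasswd_server when set, else port 464 on each admin_server
    host. Returns (targets, explicit); explicit=False means the fallback is in use."""
    conf = parse_realms(text).get(realm, {})
    if "kpasswd_server" in conf:
        return conf["kpasswd_server"], True
    return [f"{strip_port(h)}:464" for h in conf.get("admin_server", [])], False

if __name__ == "__main__":
    print(expected_kpasswd_targets(SAMPLE_KRB5_CONF, "TESTRELM.TEST"))
```

A realm reported with explicit=False is one where adding a kpasswd_server line pins the password-change server regardless of how the library resolves the fallback.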

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org