#1680 krb5_kpasswd failover doesn't work
Closed: Fixed None Opened 6 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=880546 (Red Hat Enterprise Linux 6)

Description of problem:
krb5_kpasswd failover doesn't work

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. domain section of sssd.conf includes:
auth_provider = krb5
krb5_server = kdc.example.com:12345,kdc.example.com:88
krb5_kpasswd = kdc.example.com:12345,kdc.example.com:464

2. Try to login and change the user's password
# ssh -l puser1 localhost
puser1@localhost's password:
Last login: Tue Nov 27 14:46:43 2012 from localhost
-sh-4.1$ passwd
Changing password for user puser1.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error

Actual results:
Password change fails as sssd is unable to failover.

/var/log/secure shows:
Nov 27 14:51:56 dhcp201-200 passwd: pam_sss(passwd:chauthtok): system info:
[Cannot contact any KDC for requested realm]
Nov 27 14:51:56 dhcp201-200 passwd: pam_sss(passwd:chauthtok): Password change
failed for user puser1: 22 (Authentication token lock busy)

/var/log/sssd/sssd_domain.log shows:
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [parse_krb5_child_response]
(0x1000): child response [22][1][43].
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_fo_set_port_status]
(0x0040): The server (nil) is not valid anymore, cannot set its status
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'KPASSWD'
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [get_server_status] (0x1000):
Status of server 'kdc.example.com' is 'name resolved'
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [get_server_status] (0x1000):
Status of server 'kdc.example.com' is 'name resolved'
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_process]
(0x0040): The fail over cycled through all available servers
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_done]
(0x1000): Server resolution failed: 2
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [check_wait_queue] (0x1000):
Wait queue for user [puser1] is empty.
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 22, <NULL>) [Success]

Expected results:
krb5_kpasswd failover should work.

Additional info:

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => mzidek
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.4

Fields changed

owner: mzidek => pbrezina
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.4

2 years ago

Login to comment on this ticket.