#1680 krb5_kpasswd failover doesn't work
Closed: Fixed None Opened 7 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=880546 (Red Hat Enterprise Linux 6)

Description of problem:
krb5_kpasswd failover doesn't work

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. domain section of sssd.conf includes:
auth_provider = krb5
krb5_server = kdc.example.com:12345,kdc.example.com:88
krb5_kpasswd = kdc.example.com:12345,kdc.example.com:464

2. Try to login and change the user's password
# ssh -l puser1 localhost
puser1@localhost's password:
Last login: Tue Nov 27 14:46:43 2012 from localhost
-sh-4.1$ passwd
Changing password for user puser1.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error

Actual results:
Password change fails as sssd is unable to failover.

/var/log/secure shows:
Nov 27 14:51:56 dhcp201-200 passwd: pam_sss(passwd:chauthtok): system info:
[Cannot contact any KDC for requested realm]
Nov 27 14:51:56 dhcp201-200 passwd: pam_sss(passwd:chauthtok): Password change
failed for user puser1: 22 (Authentication token lock busy)

/var/log/sssd/sssd_domain.log shows:
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [parse_krb5_child_response]
(0x1000): child response [22][1][43].
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_fo_set_port_status]
(0x0040): The server (nil) is not valid anymore, cannot set its status
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'KPASSWD'
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [get_server_status] (0x1000):
Status of server 'kdc.example.com' is 'name resolved'
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [get_server_status] (0x1000):
Status of server 'kdc.example.com' is 'name resolved'
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_process]
(0x0040): The fail over cycled through all available servers
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_done]
(0x1000): Server resolution failed: 2
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [check_wait_queue] (0x1000):
Wait queue for user [puser1] is empty.
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 22, <NULL>) [Success]

Expected results:
krb5_kpasswd failover should work.

Additional info:

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => mzidek
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.4

Fields changed

owner: mzidek => pbrezina
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.4

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2722

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.