#1735 Failover to krb5_backup_kpasswd doesn't work
Closed: Fixed. Opened 6 years ago by pbrezina.

https://bugzilla.redhat.com/show_bug.cgi?id=890520 (Red Hat Enterprise Linux 6)

Description of problem:
Failover to krb5_backup_kpasswd doesn't work

Version-Release number of selected component (if applicable):
sssd-1.9.2-59.el6

How reproducible:
Always

Steps to Reproduce:
1. [domain/LDAP-KRB5]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://ldapserver.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
krb5_kpasswd = kdc1.example.com    <== KDC doesn't exist on this machine
krb5_backup_kpasswd = kdc.example.com

2. Try to change password:
# ssh -l puser1 localhost
puser1@localhost's password:
Last login: Thu Dec 27 18:23:42 2012 from localhost
-sh-4.1$ passwd
Changing password for user puser1.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error
-sh-4.1$


Actual results:
Password change fails. It seems sssd doesn't fail over to the kpasswd server
specified under krb5_backup_kpasswd.

/var/log/secure shows:
Dec 27 18:25:49 dhcp201-200 passwd: pam_sss(passwd:chauthtok): system info:
[Ticket expired]
Dec 27 18:25:49 dhcp201-200 passwd: pam_sss(passwd:chauthtok): Password change
failed for user puser1: 20 (Authentication token manipulation error)

Expected results:
Failover should work.

Additional info:
Domain logs:
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'KPASSWD'
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [get_server_status] (0x1000):
Status of server 'kdc1.example.com' is 'name resolved'
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10
seconds
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [get_server_status] (0x1000):
Status of server 'kdc1.example.com' is 'name resolved'
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_process]
(0x1000): Saving the first resolved server
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_process]
(0x0200): Found address for server kdc1.example.com: [192.168.122.94] TTL 300
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [krb5_find_ccache_step]
(0x0080): Saved ccache FILE:/tmp/krb5cc_2001_EVW1EM if of different type than
ccache in configuration file, reusing the old ccache
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [14535]
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [14535]
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [write_pipe_handler] (0x0400):
All data has been sent!
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [become_user] (0x0200): Trying
to become user [2001][2001].
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [read_pipe_handler] (0x0400):
EOF received, client finished
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [parse_krb5_child_response]
(0x1000): child response [20][1][15].
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [check_wait_queue] (0x1000):
Wait queue for user [puser1] is empty.
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 20, <NULL>) [Success]
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback]
(0x0100): Sending result [20][LDAP-KRB5]
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback]
(0x0100): Sent result [20][LDAP-KRB5]
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [child_sig_handler] (0x1000):
Waiting for child [14535].
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [child_sig_handler] (0x0100):
child [14535] finished successfully.
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [sss_child_handler] (0x2000):
waitpid failed [10]: No child processes
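
A log triage heuristic for the symptom in this report, as an added example that is not part of the original ticket or of SSSD: it flags a KPASSWD request that ended with a non-zero status while a configured krb5_backup_kpasswd server was never resolved. The sample config and log are constructed from the report above (log lines re-joined to one entry per line); the function names, the comma splitting of the server options, and the reading of the first number in "child response" as the PAM status are assumptions.

```python
import configparser
import re

# Constructed sample: the kpasswd options from the report, without the inline annotation.
SSSD_CONF = """\
[domain/LDAP-KRB5]
krb5_kpasswd = kdc1.example.com
krb5_backup_kpasswd = kdc.example.com
"""

# Constructed sample: log lines from the report, re-joined to one entry per line.
DOMAIN_LOG = """\
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KPASSWD'
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_process] (0x0200): Found address for server kdc1.example.com: [192.168.122.94] TTL 300
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [parse_krb5_child_response] (0x1000): child response [20][1][15].
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback] (0x0100): Sent result [20][LDAP-KRB5]
"""
ENTRY = re.compile(r"\[(\w+)\] \(0x[0-9a-fA-F]+\): (.*)$")  # [function] (level): message

def kpasswd_servers(conf_text, domain):
    """Return (primary, backup) kpasswd server lists for one domain section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    split = lambda key: [s.strip() for s in sec.get(key, fallback="").split(",") if s.strip()]
    return split("krb5_kpasswd"), split("krb5_backup_kpasswd")

def triage(conf_text, log_text, domain):
    """Flag KPASSWD requests that failed without a configured backup being resolved."""
    _, backups = kpasswd_servers(conf_text, domain)
    findings, cur = [], None
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        func, msg = m.groups() if m else ("", "")
        if func == "fo_resolve_service_send" and "'KPASSWD'" in msg:
            cur = {"tried": [], "status": None}  # a new password-change request starts
        elif cur is None:
            continue
        elif func == "be_resolve_server_process" and msg.startswith("Found address for server "):
            cur["tried"].append(msg.split()[4].rstrip(":"))
        elif func == "parse_krb5_child_response":
            cur["status"] = int(re.search(r"\[(\d+)\]", msg).group(1))  # assumed: PAM status
        elif func == "be_pam_handler_callback" and msg.startswith("Sent result"):
            missed = [b for b in backups if b not in cur["tried"]]
            if cur["status"] and missed:
                findings.append({**cur, "untried_backups": missed})
            cur = None  # request finished
    return findings
```

A finding is only a candidate for failed failover: a non-zero status can have other causes, so confirm against the full domain log before drawing a conclusion.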

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
patch: 0 => 1
selected: =>
testsupdated: => 0

milestone: NEEDS_TRIAGE => SSSD 1.9.4
owner: somebody => pbrezina

Fields changed

resolution: => fixed
status: new => closed

Metadata Update from @pbrezina:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.4

2 years ago
