Issue #1735: Failover to krb5_backup_kpasswd doesn't work - sssd

SSSD / sssd

#1735 Failover to krb5_backup_kpasswd doesn't work

Closed: Fixed None Opened 11 years ago by pbrezina.

https://bugzilla.redhat.com/show_bug.cgi?id=890520 (Red Hat Enterprise Linux 6)

Description of problem:
Failover to krb5_backup_kpasswd doesn't work

Version-Release number of selected component (if applicable):
sssd-1.9.2-59.el6

How reproducible:
Always

Steps to Reproduce:
1. [domain/LDAP-KRB5]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://ldapserver.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
krb5_kpasswd = kdc1.example.com    <== KDC doesn't exist on this machine
krb5_backup_kpasswd = kdc.example.com

2. Try to change password:
# ssh -l puser1 localhost
puser1@localhost's password:
Last login: Thu Dec 27 18:23:42 2012 from localhost
-sh-4.1$ passwd
Changing password for user puser1.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error
-sh-4.1$


Actual results:
Password change fails. It seems sssd doesn't failover to the kpasswd server
specified under krb5_backup_kpasswd

/var/log/secure shows:
Dec 27 18:25:49 dhcp201-200 passwd: pam_sss(passwd:chauthtok): system info:
[Ticket expired]
Dec 27 18:25:49 dhcp201-200 passwd: pam_sss(passwd:chauthtok): Password change
failed for user puser1: 20 (Authentication token manipulation error)

Expected results:
Failover should work.

Additional info:
Domain logs:
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'KPASSWD'
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [get_server_status] (0x1000):
Status of server 'kdc1.example.com' is 'name resolved'
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10
seconds
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [get_server_status] (0x1000):
Status of server 'kdc1.example.com' is 'name resolved'
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_process]
(0x1000): Saving the first resolved server
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_process]
(0x0200): Found address for server kdc1.example.com: [192.168.122.94] TTL 300
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [krb5_find_ccache_step]
(0x0080): Saved ccache FILE:/tmp/krb5cc_2001_EVW1EM if of different type than
ccache in configuration file, reusing the old ccache
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [child_handler_setup]
(0x2000): Setting up signal handler up for pid [14535]
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [14535]
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [write_pipe_handler] (0x0400):
All data has been sent!
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [become_user] (0x0200): Trying
to become user [2001][2001].
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [read_pipe_handler] (0x0400):
EOF received, client finished
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [parse_krb5_child_response]
(0x1000): child response [20][1][15].
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [check_wait_queue] (0x1000):
Wait queue for user [puser1] is empty.
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback]
(0x0100): Backend returned: (0, 20, <NULL>) [Success]
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback]
(0x0100): Sending result [20][LDAP-KRB5]
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback]
(0x0100): Sent result [20][LDAP-KRB5]
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [child_sig_handler] (0x1000):
Waiting for child [14535].
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [child_sig_handler] (0x0100):
child [14535] finished successfully.
(Thu Dec 27 18:25:49 2012) [sssd[be[LDAP-KRB5]]] [sss_child_handler] (0x2000):
waitpid failed [10]: No child processes

pbrezina commented 11 years ago

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
patch: 0 => 1
selected: =>
testsupdated: => 0

jhrozek commented 11 years ago

master: 4bb57b5
sssd-1-9: 254bd9a

milestone: NEEDS_TRIAGE => SSSD 1.9.4
owner: somebody => pbrezina

jhrozek commented 11 years ago

Fields changed

resolution: => fixed
status: new => closed

Metadata Update from @pbrezina:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.4

7 years ago

pbrezina commented 3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2777

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata

Assignee

pbrezina

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

SSSD 1.9.4

type

defect

component

SSSD

version

None

selected

None

testsupdated

patch

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=890520

design_review

review

None

changelog

None

keywords

None

coverity

None

mark

None

blocking

None

design

None

sensitive

None

blockedby

None

feature_milestone

None

SSSD / sssd

Source Code

Documentation

#1735 Failover to krb5_backup_kpasswd doesn't work Closed: Fixed None Opened 11 years ago by pbrezina.

Metadata

#1735 Failover to krb5_backup_kpasswd doesn't work

Closed: Fixed None Opened 11 years ago by pbrezina.