#3652 kdcinfo doesn't get populated for other domains

Created 6 months ago by funkyflash
Modified 2 months ago

My organization has two domains in the same forest, let's call them users.pagure.io and computers.pagure.io. When SSSD does an auth operation, it will happily populate /var/lib/sss/pubconf/kdcinfo.COMPUTERS.PAGURE.IO, but will not for the users domain. As a result, when it looks up users, it will go all over the place to find KDCs for users.pagure.io until it finds one it can talk to:

[root@mrtest pubconf]# KRB5_TRACE=/dev/stdout SSSD_KRB5_LOCATOR_DEBUG=/dev/stdout kinit myUserID@USERS.PAGURE.IO
[1673] 1519787531.65931: Getting initial credentials for myUserID@USERS.PAGURE.IO
[1673] 1519787531.66407: Sending request (200 bytes) to USERS.PAGURE.IO
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1673] 1519787531.91872: Resolving hostname somewhere.not.in.my.site.
[1673] 1519787531.94202: Sending initial UDP request to dgram 10.1.2.3:88
[1673] 1519787531.187670: Received answer (198 bytes) from dgram 10.1.2.3:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1673] 1519787531.190912: Response was not from master KDC
[1673] 1519787531.190952: Received error from KDC: -1765328359/Additional pre-authentication required
[1673] 1519787531.190994: Processing preauth types: 16, 15, 19, 2
[1673] 1519787531.191007: Selected etype info: etype aes256-cts, salt "USERS.PAGURE.IOMy.Name", params ""
Password for myUserID@USERS.PAGURE.IO: 

When I turn up debugging for SSSD, I can see it doing the same thing in /var/log/sssd/krb5_child.log.

That being said, if I populate /var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO with valid information, it works like a champ.

Is there a way to get SSSD to populate the kdcinfo for all domains it uses? Or, take this into account when implementing the proposed Kerberos Locator Plugin redesign?

Thanks!
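A small diagnostic, added here and not part of the ticket or of SSSD itself, that reads a KRB5_TRACE/SSSD_KRB5_LOCATOR_DEBUG transcript like the one above and reports which realms had no readable kdcinfo file and which KDC addresses libkrb5 then reached by DNS fallback; the regexes assume the message wording shown in the transcript, and missing_kdcinfo_files() is a plain existence check of the pubconf directory (the sample trace is constructed from the lines quoted above).

```python
import os
import re
from collections import defaultdict

PUBCONF_DIR = "/var/lib/sss/pubconf"

# Constructed sample: the KRB5_TRACE / locator-plugin lines quoted in the ticket above.
SAMPLE_TRACE = """\
[1673] 1519787531.66407: Sending request (200 bytes) to USERS.PAGURE.IO
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1673] 1519787531.91872: Resolving hostname somewhere.not.in.my.site.
[1673] 1519787531.94202: Sending initial UDP request to dgram 10.1.2.3:88
[1673] 1519787531.187670: Received answer (198 bytes) from dgram 10.1.2.3:88
"""

# libkrb5 names the realm it is locating KDCs for ...
_REQUEST_TO = re.compile(r"Sending request \(\d+ bytes\) to (?P<realm>\S+)$")
# ... the locator plugin reports the kdcinfo file it failed to open, with the errno ...
_OPEN_FAILED = re.compile(r"open failed \[[^\]]*/kdcinfo\.(?P<realm>[^\]]+)\]\[(?P<errno>\d+)\]")
# ... and libkrb5 then falls back to DNS and sends to whatever KDC it resolved (UDP or TCP).
_SENDING = re.compile(r"Sending (?:initial )?(?:UDP|TCP) request to (?:dgram|stream) (?P<addr>\S+)$")


def analyze_trace(trace):
    """Map realms with an unreadable kdcinfo file to their errno, and record the
    KDC addresses libkrb5 contacted for those realms by DNS fallback instead."""
    missing = {}                   # realm -> errno from the failed open()
    fallback = defaultdict(list)   # realm -> [addr, ...] in order of first use
    realm = None
    for line in trace.splitlines():
        if m := _REQUEST_TO.search(line):
            realm = m.group("realm")
        elif m := _OPEN_FAILED.search(line):
            missing[m.group("realm")] = int(m.group("errno"))
        elif (m := _SENDING.search(line)) and realm in missing:
            if m.group("addr") not in fallback[realm]:
                fallback[realm].append(m.group("addr"))
    return {"missing_kdcinfo": missing, "fallback_kdcs": dict(fallback)}


def missing_kdcinfo_files(realms, pubconf_dir=PUBCONF_DIR):
    """Direct filesystem check: realms with no kdcinfo.<REALM> file in pubconf."""
    return sorted(r for r in realms
                  if not os.path.isfile(os.path.join(pubconf_dir, "kdcinfo." + r)))
```

Run analyze_trace() over the output of `KRB5_TRACE=/dev/stdout SSSD_KRB5_LOCATOR_DEBUG=/dev/stdout kinit user@REALM 2>&1` to see which realms are being located through DNS rather than through SSSD's kdcinfo.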

Currently SSSD only creates the kdcinfo file for the domain the client is joined to. But I'm working on some improvements for the locator plugin and this is one of them.

So far I'm filing this ticket into 2.0, we can backport to older branches when we actually have the code handy.

5 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.0

5 months ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1494690

Issue linked to Bugzilla: Bug 1494690

4 months ago

Metadata Update from @jhrozek:
- Issue priority set to: critical (was: minor)

Commit d91661e relates to this ticket

Commit cc79227 relates to this ticket

Fixed as part of the following series ...
master:
efae950
9f68324
c1fbc6b
2124275
cc79227
d91661e
4759a48
f28d995

Edited 2 months ago by fidencio
2 months ago

Metadata Update from @fidencio:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.3 (was: SSSD 2.0)
