My organization has two domains in the same forest, let's call them users.pagure.io and computers.pagure.io. When SSSD does an auth operation, it will happily populate /var/lib/sss/pubconf/kdcinfo.COMPUTERS.PAGURE.IO, but will not for the users domain. As a result, when it looks up users, it will go all over the place to find KDCs for users.pagure.io until it finds one it can talk to:
```
[root@mrtest pubconf]# KRB5_TRACE=/dev/stdout SSSD_KRB5_LOCATOR_DEBUG=/dev/stdout kinit myUserID@USERS.PAGURE.IO
[1673] 1519787531.65931: Getting initial credentials for myUserID@USERS.PAGURE.IO
[1673] 1519787531.66407: Sending request (200 bytes) to USERS.PAGURE.IO
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1673] 1519787531.91872: Resolving hostname somewhere.not.in.my.site.
[1673] 1519787531.94202: Sending initial UDP request to dgram 10.1.2.3:88
[1673] 1519787531.187670: Received answer (198 bytes) from dgram 10.1.2.3:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1673] 1519787531.190912: Response was not from master KDC
[1673] 1519787531.190952: Received error from KDC: -1765328359/Additional pre-authentication required
[1673] 1519787531.190994: Processing preauth types: 16, 15, 19, 2
[1673] 1519787531.191007: Selected etype info: etype aes256-cts, salt "USERS.PAGURE.IOMy.Name", params ""
Password for myUserID@USERS.PAGURE.IO:
```
When I turn up debugging for SSSD, I can see it doing the same thing in /var/log/sssd/krb5_child.log.
That being said, if I populate /var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO with valid information, it works like a champ.
Is there a way to get SSSD to populate the kdcinfo for all domains it uses? Or, take this into account when implementing the proposed Kerberos Locator Plugin redesign?
Thanks!
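As an added example (not part of the original report and not SSSD's own code): a small Python script that parses a `KRB5_TRACE` / `SSSD_KRB5_LOCATOR_DEBUG` capture like the one above and reports, per realm, whether the `sssd_krb5_locator` plugin found its `kdcinfo.REALM` file and which KDC libkrb5 fell back to when it did not. It also reproduces the manual workaround from the report (hand-writing `kdcinfo.USERS.PAGURE.IO`) in a scratch directory so the check can be exercised offline. The embedded trace is the report's output split back into one message per line; the kdcinfo content format (one `address[:port]` per line) is an assumption to verify against the `sssd_krb5_locator_plugin` source of your SSSD version.

```python
import os
import re
import tempfile

# Sample input: the trace from the report above, one message per line.
SAMPLE_TRACE = """\
[root@mrtest pubconf]# KRB5_TRACE=/dev/stdout SSSD_KRB5_LOCATOR_DEBUG=/dev/stdout kinit myUserID@USERS.PAGURE.IO
[1673] 1519787531.65931: Getting initial credentials for myUserID@USERS.PAGURE.IO
[1673] 1519787531.66407: Sending request (200 bytes) to USERS.PAGURE.IO
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1673] 1519787531.91872: Resolving hostname somewhere.not.in.my.site.
[1673] 1519787531.94202: Sending initial UDP request to dgram 10.1.2.3:88
[1673] 1519787531.187670: Received answer (198 bytes) from dgram 10.1.2.3:88
[1673] 1519787531.190912: Response was not from master KDC
"""

# Message shapes taken from the trace above (MIT krb5 trace + SSSD locator debug).
INITIAL_CREDS = re.compile(r"Getting initial credentials for (\S+)")
SENDING_TO = re.compile(r"Sending request \(\d+ bytes\) to (\S+)")
OPEN_FAILED = re.compile(
    r"\[sssd_krb5_locator\] open failed \[(?P<path>[^\]]*)\]\[(?P<errno>\d+)\]\[(?P<msg>[^\]]*)\]"
)
RESOLVING = re.compile(r"Resolving hostname (\S+)")
INITIAL_REQ = re.compile(r"Sending initial (?:UDP|TCP) request to (?:dgram|stream) (\S+)")


def analyze_trace(trace):
    """Walk the trace in order and record, per realm libkrb5 is talking to,
    whether the SSSD locator plugin could open kdcinfo.REALM and, if not,
    which hosts/addresses libkrb5 resolved and contacted instead (DNS fallback)."""
    realms = {}
    current = None

    def entry(realm):
        return realms.setdefault(realm, {
            "kdcinfo_path": None,
            "kdcinfo_found": None,   # None: not observed; False: "open failed" seen
            "resolved_hosts": [],
            "kdcs_contacted": [],
        })

    for line in trace.splitlines():
        m = INITIAL_CREDS.search(line) or SENDING_TO.search(line)
        if m:
            # Principal "user@REALM" or bare REALM: either way the realm is last.
            current = m.group(1).rsplit("@", 1)[-1]
            entry(current)
            continue
        if current is None:
            continue
        m = OPEN_FAILED.search(line)
        if m:
            e = entry(current)
            e["kdcinfo_path"] = m.group("path")
            e["kdcinfo_found"] = False
            continue
        m = RESOLVING.search(line)
        if m:
            entry(current)["resolved_hosts"].append(m.group(1).rstrip("."))
            continue
        m = INITIAL_REQ.search(line)
        if m:
            entry(current)["kdcs_contacted"].append(m.group(1))
    return realms


def realms_without_kdcinfo(pubconf_dir, realms):
    """Realms in `realms` that have no kdcinfo.REALM file under pubconf_dir."""
    return sorted(r for r in realms
                  if not os.path.isfile(os.path.join(pubconf_dir, f"kdcinfo.{r}")))


def write_kdcinfo(pubconf_dir, realm, kdcs):
    """The workaround from the report: hand-write kdcinfo.REALM for a realm SSSD
    does not populate. ASSUMPTION: one address[:port] per line; check your
    SSSD version's sssd_krb5_locator_plugin before relying on this format."""
    path = os.path.join(pubconf_dir, f"kdcinfo.{realm}")
    with open(path, "w") as fh:
        fh.write("\n".join(kdcs) + "\n")
    os.chmod(path, 0o644)  # the plugin runs as the calling user and only needs read
    return path


def demo_workaround(realms=("COMPUTERS.PAGURE.IO", "USERS.PAGURE.IO")):
    """Reproduce the report in a scratch pubconf dir: only the joined realm has a
    kdcinfo file until the users realm's file is written by hand.
    Returns (missing_before, missing_after). Addresses are constructed."""
    with tempfile.TemporaryDirectory() as pubconf:
        write_kdcinfo(pubconf, realms[0], ["10.1.2.3"])
        before = realms_without_kdcinfo(pubconf, realms)
        write_kdcinfo(pubconf, realms[1], ["10.1.2.3:88"])
        after = realms_without_kdcinfo(pubconf, realms)
    return before, after


if __name__ == "__main__":
    for realm, info in analyze_trace(SAMPLE_TRACE).items():
        if info["kdcinfo_found"] is False:
            print(f"{realm}: locator could not open {info['kdcinfo_path']}; "
                  f"fell back to {info['resolved_hosts']} -> {info['kdcs_contacted']}")
    print("missing before/after workaround:", demo_workaround())
```

Run it against a real capture with `KRB5_TRACE=/dev/stdout SSSD_KRB5_LOCATOR_DEBUG=/dev/stdout kinit user@REALM > trace.txt` and feed the file to `analyze_trace`; a realm that shows `kdcinfo_found: False` together with a non-empty `kdcs_contacted` list is one where libkrb5 is choosing KDCs by DNS instead of SSSD's site-aware selection, which is the symptom the report describes.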
Currently SSSD only creates the kdcinfo file for the domain the client is joined to. But I'm working on some improvements for the locator plugin and this is one of them.
So far I'm filing this ticket into 2.0, we can backport to older branches when we actually have the code handy.
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 2.0
Metadata Update from @jhrozek: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1494690
Issue linked to Bugzilla: Bug 1494690
Metadata Update from @jhrozek: - Issue priority set to: critical (was: minor)
Commit d91661e relates to this ticket
Commit cc79227 relates to this ticket
Fixed as part of the following series ... master: efae950 9f68324 c1fbc6b 2124275 cc79227 d91661e 4759a48 f28d995
Metadata Update from @fidencio: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.16.3 (was: SSSD 2.0)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4672
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.