#3652 kdcinfo doesn't get populated for other domains
Closed: Fixed 5 years ago Opened 6 years ago by funkyflash.

My organization has two domains in the same forest, let's call them users.pagure.io and computers.pagure.io. When SSSD does an auth operation, it will happily populate /var/lib/sss/pubconf/kdcinfo.COMPUTERS.PAGURE.IO, but will not for the users domain. As a result, when it looks up users, it will go all over the place to find KDCs for users.pagure.io until it finds one it can talk to:

[root@mrtest pubconf]# KRB5_TRACE=/dev/stdout SSSD_KRB5_LOCATOR_DEBUG=/dev/stdout kinit myUserID@USERS.PAGURE.IO
[1673] 1519787531.65931: Getting initial credentials for myUserID@USERS.PAGURE.IO
[1673] 1519787531.66407: Sending request (200 bytes) to USERS.PAGURE.IO
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1673] 1519787531.91872: Resolving hostname somewhere.not.in.my.site.
[1673] 1519787531.94202: Sending initial UDP request to dgram 10.1.2.3:88
[1673] 1519787531.187670: Received answer (198 bytes) from dgram 10.1.2.3:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1673] 1519787531.190912: Response was not from master KDC
[1673] 1519787531.190952: Received error from KDC: -1765328359/Additional pre-authentication required
[1673] 1519787531.190994: Processing preauth types: 16, 15, 19, 2
[1673] 1519787531.191007: Selected etype info: etype aes256-cts, salt "USERS.PAGURE.IOMy.Name", params ""
Password for myUserID@USERS.PAGURE.IO: 

When I turn up debugging for SSSD, I can see it doing the same thing in /var/log/sssd/krb5_child.log.

That being said, if I populate /var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO with valid information, it works like a champ.

Is there a way to get SSSD to populate the kdcinfo for all domains it uses? Or, take this into account when implementing the proposed Kerberos Locator Plugin redesign?

Thanks!
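The failure mode in the post (the locator plugin tries to open kdcinfo.<REALM>, gets ENOENT, and libkrb5 falls back to resolving KDCs on its own) can be spotted from the trace itself. The Python below is an added example, not SSSD code and not part of the ticket: it parses the KRB5_TRACE / SSSD_KRB5_LOCATOR_DEBUG lines quoted above (reused as the sample input), reports per realm whether the kdcinfo file was missing and which KDC libkrb5 fell back to, and then checks a pubconf directory for the kdcinfo files each realm needs. The /var/lib/sss/pubconf path and the kdcinfo.<REALM> naming are taken from the trace; the address written into the demo file is a constructed placeholder.

```python
"""Find realms for which SSSD's krb5 locator plugin had no kdcinfo file.

Added example for this ticket, not SSSD code. Parses the kind of output
produced by KRB5_TRACE=/dev/stdout SSSD_KRB5_LOCATOR_DEBUG=/dev/stdout and
then checks a pubconf directory for the kdcinfo.<REALM> files the locator
expects (file naming as seen in the ticket's trace).
"""
import os
import re
import tempfile

PUBCONF_DIR = "/var/lib/sss/pubconf"

# Trace lines copied from the ticket (kinit against USERS.PAGURE.IO).
SAMPLE_TRACE = """\
[1673] 1519787531.65931: Getting initial credentials for myUserID@USERS.PAGURE.IO
[1673] 1519787531.66407: Sending request (200 bytes) to USERS.PAGURE.IO
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1673] 1519787531.91872: Resolving hostname somewhere.not.in.my.site.
[1673] 1519787531.94202: Sending initial UDP request to dgram 10.1.2.3:88
[1673] 1519787531.187670: Received answer (198 bytes) from dgram 10.1.2.3:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.USERS.PAGURE.IO][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1673] 1519787531.190912: Response was not from master KDC
"""

REQUEST_RE = re.compile(r"Sending request \(\d+ bytes\) to (?P<realm>\S+)")
OPEN_FAILED_RE = re.compile(
    r"open failed \[[^\]]*/kdcinfo\.(?P<realm>[^\]]+)\]\[(?P<errno>\d+)\]")
RESOLVE_RE = re.compile(r"Resolving hostname (?P<host>\S+)\.\s*$")
SEND_RE = re.compile(
    r"Sending (?:initial )?(?:UDP|TCP) request to (?:dgram|stream) (?P<addr>\S+)")


def _entry(report, realm):
    return report.setdefault(realm, {
        "kdcinfo_missing": False,   # locator could not open kdcinfo.<REALM>
        "locator_misses": 0,        # how many times it tried and failed
        "resolved_hosts": [],       # KDC names libkrb5 resolved on its own
        "fallback_kdcs": [],        # addresses it actually sent requests to
    })


def analyse_trace(text):
    """Return {realm: summary} for every realm the trace sends requests to."""
    report = {}
    current = None  # realm of the most recent "Sending request ... to <REALM>"
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            current = m.group("realm")
            _entry(report, current)
            continue
        m = OPEN_FAILED_RE.search(line)
        if m:
            e = _entry(report, m.group("realm"))
            e["kdcinfo_missing"] = True
            e["locator_misses"] += 1
            continue
        if current is None:
            continue
        m = RESOLVE_RE.search(line)
        if m and m.group("host") not in report[current]["resolved_hosts"]:
            report[current]["resolved_hosts"].append(m.group("host"))
            continue
        m = SEND_RE.search(line)
        if m and m.group("addr") not in report[current]["fallback_kdcs"]:
            report[current]["fallback_kdcs"].append(m.group("addr"))
    return report


def check_kdcinfo_files(realms, pubconf_dir=PUBCONF_DIR):
    """Return the realms that have no kdcinfo.<REALM> file under pubconf_dir."""
    return [r for r in realms
            if not os.path.isfile(os.path.join(pubconf_dir, "kdcinfo." + r))]


def demo_pubconf():
    """Build a throw-away pubconf directory mirroring the ticket: only the
    joined domain (COMPUTERS.PAGURE.IO) has a kdcinfo file. Constructed data."""
    d = tempfile.mkdtemp(prefix="pubconf-")
    with open(os.path.join(d, "kdcinfo.COMPUTERS.PAGURE.IO"), "w") as f:
        f.write("10.1.2.3:88\n")  # constructed placeholder KDC address
    return d


if __name__ == "__main__":
    for realm, e in analyse_trace(SAMPLE_TRACE).items():
        status = "MISSING" if e["kdcinfo_missing"] else "present"
        print(f"{realm}: kdcinfo {status}, {e['locator_misses']} locator misses, "
              f"fell back to {e['fallback_kdcs']} via {e['resolved_hosts']}")
    print("realms without kdcinfo in demo dir:",
          check_kdcinfo_files(["COMPUTERS.PAGURE.IO", "USERS.PAGURE.IO"],
                              demo_pubconf()))
```

Run against a real trace, `analyse_trace` lists the realms whose lookups bypassed SSSD's site-aware KDC selection, and `check_kdcinfo_files` against the real /var/lib/sss/pubconf tells you which of them would still fall back today.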


Currently SSSD only creates the kdcinfo file for the domain the client is joined to. But I'm working on some improvements for the locator plugin and this is one of them.

So far I'm filing this ticket into 2.0, we can backport to older branches when we actually have the code handy.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.0

6 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1494690

6 years ago

Metadata Update from @jhrozek:
- Issue priority set to: critical (was: minor)

5 years ago

Commit d91661e relates to this ticket

Commit cc79227 relates to this ticket

Fixed as part of the following series ...
master:
efae950
9f68324
c1fbc6b
2124275
cc79227
d91661e
4759a48
f28d995

Metadata Update from @fidencio:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.3 (was: SSSD 2.0)

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4672

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
