sssd-1.5.3-2.fc15.x86_64 krb5-workstation-1.9-6.fc15.x86_64
But this has certainly been around for me for a long time. My basic problem is that I will often be working online where 'online' means 'physically inside of a private network'. I will then put my laptop to sleep and leave the private network. When I wake my laptop up I have to enter my password 'offline.' I then connect to the VPN which should put me back 'online.'
At this point I expect everything to just work. But things like evolution (the only program I have actually using kerberos tickets) are unable to function. I discovered that when I'm in this state I am unable to run kinit. It complains: "kinit: Cannot find KDC for requested realm while getting initial credentials". I can run sudo -s and it works just fine. Then evo and kinit start working.
We discovered (thanks simo) that if I remove the /var/lib/sss/pubconf/kdcinfo.REALM-NAME file I can reproduce this issue. If I put the file back everything works.
Although I am still running 1.5.0, the krb5 locator plugin hasn't changed since July, so I think we are running pretty much the same code, yet I cannot reproduce.
I asked Eric to activate the locator plugin debug output and the output is the same for both during a kinit.
So I suspect the problem may lie in the kerberos libraries. Eric is running 1.9-6.fc15.x86_64 while I am running 1.8.2-3.el6_0.6.i686 on the machine where I did the test.
Debug output of failing kinit:
{{{
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
kinit: Cannot find KDC for requested realm while getting initial credentials
}}}
Debug output for successful one:
{{{
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
Password for xxxxxx@REDHAT.COM:
}}}
We remove the kdcinfo files when going offline, and create them only during the first sssd-krb5 request after going online. I think to fix this we should create an online callback which creates the files immediately after sssd goes online. Then they are available for other krb5 clients not using sssd like kinit or evo.
Would you mind also including your (sanitized) {{{/etc/krb5.conf}}} file?
We both had the same krb5.conf file:
{{{
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true

[realms]
 REDHAT.COM = {
  kdc = xx.redhat.com
  admin_server = xx.redhat.com
 }

[domain_realm]
 redhat.com = REDHAT.COM
 .redhat.com = REDHAT.COM
}}}
Fields changed
owner: somebody => sgallagh
milestone: NEEDS_TRIAGE => SSSD 1.7.0
Not sure if it is still reproducible. Moving to deferred. If this is still occurring please comment and we will re-assess.
milestone: SSSD 1.8.0 => SSSD Deferred
patch: => 0
rhbz: => 0
blockedby: =>
blocking: =>
resolution: => worksforme
status: new => closed
Metadata Update from @eparis:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD Patches welcome
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1871

If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.