#829 unable to resolve the kdc if the kdcinfo.REALM-NAME file is missing
Closed: Invalid None Opened 13 years ago by eparis.

sssd-1.5.3-2.fc15.x86_64
krb5-workstation-1.9-6.fc15.x86_64

But this has certainly been around for me for a long time. My basic problem is that I will often be working online where 'online' means 'physically inside of a private network'. I will then put my laptop to sleep and leave the private network. When I wake my laptop up I have to enter my password 'offline.' I then connect to the VPN which should put me back 'online.'

At this point I expect everything to just work. But things like evolution (the only program I have actually using kerberos tickets) are unable to function. I discovered that when I'm in this state I am unable to run kinit. It complains: "kinit: Cannot find KDC for requested realm while getting initial credentials". I can run sudo -s and it works just fine. Then evo and kinit start working.

We discovered (thanks simo) that if I remove the /var/lib/sss/pubconf/kdcinfo.REALM-NAME file I can reproduce this issue. If I put the file back everything works.


Although I am still running 1.5.0, the krb5 locator plugin hasn't changed since July, so I think we are running pretty much the same code, yet I cannot reproduce.

I asked Eric to activate the locator plugin debug output and the output is the same for both during a kinit.

So I suspect the problem may lie in the kerberos libraries.
Eric is running 1.9-6.fc15.x86_64 while I am running 1.8.2-3.el6_0.6.i686 on the machine where I did the test.

Debug output of failing kinit:

[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
kinit: Cannot find KDC for requested realm while getting initial credentials

Debug output for successful one:

[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
Password for xxxxxx@REDHAT.COM:

We remove the kdcinfo files when going offline, and create them only during the first sssd-krb5 request after going online. I think to fix this we should create an online callback which creates the files immediately after sssd goes online. Then they are available for other krb5 clients not using sssd like kinit or evo.

Would you mind also including your (sanitized) {{{/etc/krb5.conf}}} file?

We both had the same krb5.conf file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true

[realms]
 REDHAT.COM = {
  kdc = xx.redhat.com
  admin_server = xx.redhat.com
 }

[domain_realm]
 redhat.com = REDHAT.COM
 .redhat.com = REDHAT.COM
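
An added triage example, not code from this ticket or from SSSD: it reports which KDC sources a client outside sssd (kinit, evolution) has for a realm when the kdcinfo file may be absent, by checking the pubconf directory and the realm's static `kdc` entries and `dns_lookup_kdc` in krb5.conf. The function names, the EXAMPLE.COM realm and the temporary files are hypothetical and constructed for the demo.

```shell
# Flatten krb5.conf into "section.key=value" / "section.block.key=value" lines
# (all whitespace is dropped, which is fine for host names and booleans).
krb5_flatten() {
    awk '
        { line = $0; gsub(/[ \t\r]/, "", line) }
        line == "" || line ~ /^[#;]/ { next }
        substr(line, 1, 1) == "[" { sect = substr(line, 2, length(line) - 2); block = ""; next }
        substr(line, 1, 1) == "}" { block = ""; next }
        { eq = index(line, "="); if (eq == 0) next
          key = substr(line, 1, eq - 1); val = substr(line, eq + 1) }
        substr(val, 1, 1) == "{" { block = key "."; next }
        { print sect "." block key "=" val }
    ' "$1"
}

# Print the value part of every flattened line that starts with PREFIX.
prefix_values() {
    awk -v p="$1" 'index($0, p) == 1 { print substr($0, length(p) + 1) }'
}

# kdc_sources REALM PUBCONF_DIR KRB5_CONF (hypothetical helper)
# Prints one summary line; returns 1 when no KDC source is left at all.
kdc_sources() {
    realm=$1; pubconf=$2; conf=$3
    if [ -s "$pubconf/kdcinfo.$realm" ]; then kdcinfo=present; else kdcinfo=missing; fi
    flat=$(krb5_flatten "$conf")
    static=$(printf '%s\n' "$flat" | prefix_values "realms.$realm.kdc=" | paste -sd, -)
    dns=$(printf '%s\n' "$flat" | prefix_values "libdefaults.dns_lookup_kdc=")
    echo "kdcinfo=$kdcinfo static_kdc=${static:-none} dns_lookup_kdc=${dns:-unset}"
    case "$dns" in false|no|off|0|n|f|nil) dns_off=1 ;; *) dns_off=0 ;; esac
    [ "$kdcinfo" = present ] || [ -n "$static" ] || [ "$dns_off" -eq 0 ]
}

# Demo on constructed files mirroring the state in this ticket: no kdcinfo
# file, one static kdc entry, DNS lookup disabled.
demo=$(mktemp -d)
cat > "$demo/krb5.conf" <<'EOF'
[libdefaults]
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com
 }
EOF
kdc_sources EXAMPLE.COM "$demo" "$demo/krb5.conf"
rm -rf "$demo"
```

On a real host the arguments would be the realm name, `/var/lib/sss/pubconf` and `/etc/krb5.conf`.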

Fields changed

owner: somebody => sgallagh

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.7.0

Not sure if it is still reproducible. Moving to deferred. If this is still occurring please comment and we will re-assess.

milestone: SSSD 1.8.0 => SSSD Deferred

Fields changed

resolution: => worksforme
status: new => closed

Metadata Update from @eparis:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD Patches welcome

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1871

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
