8fcc0f0 krb5: Pin kpasswd server to a primary one

2 files. Authored by slev 2 years ago, committed by frenaud 2 years ago.
    krb5: Pin kpasswd server to a primary one
    
    There are time gaps in which kinit requests may fail due to
    offlined SSSD's locator and replication delays.
    
    Since the `IPA` provider or SSSD is offline, the locator plugin for libkrb5
    (man 8 sssd_krb5_locator_plugin) can do nothing about this and kinit
    falls back to the standard libkrb5 algorithm described in `man 5 krb5.conf`.
    `krb5.conf` on an IPA server doesn't include `kpasswd_server`, so kinit
    falls back to the DNS way. DNS (URI or SRV) RRs don't preserve any order,
    and kinit may contact either master or replica kpasswd servers.
    This may result in a password being changed on a replica but not yet
    replicated to the master:
    master(kinit)->master(initial)->replica(kpasswd)->master(can't
    obtain initial creds with new password)
    
    So, `kpasswd_server` serves as fallback for the offlined locator.
    
    Note: primary_kdc (the former master_kdc) doesn't help here because
    it is only used if obtaining the initial credentials fails (see
    `krb5_get_init_creds_password` in libkrb5), not for a password change.
    
    Fixes: https://pagure.io/freeipa/issue/8353
    Signed-off-by: Stanislav Levin <slev@altlinux.org>
    Reviewed-By: Francois Cami <fcami@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
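The `[realms]` setting the commit message refers to, as an added illustration that is not part of the FreeIPA commit itself; the realm and host names are placeholders. The first stanza is the unpinned form that leaves kpasswd discovery to DNS, the second pins it to the primary so a password change and the following kinit hit the same KDC even while SSSD's locator is offline.

```ini
# Unpinned: no kpasswd_server, so when the SSSD locator is offline libkrb5
# discovers the kpasswd server via DNS (URI/SRV records, unordered) and may
# pick a replica that has not yet received the password change.
[realms]
    EXAMPLE.TEST = {
        kdc = primary.example.test:88
        master_kdc = primary.example.test:88
        admin_server = primary.example.test:749
        default_domain = example.test
    }

# Pinned: kpasswd_server overrides DNS discovery for password changes only,
# so kinit (initial creds) and kpasswd both talk to the primary KDC.
# primary_kdc/master_kdc is not enough on its own: libkrb5 retries it only
# when obtaining initial credentials fails, not for a password change.
[realms]
    EXAMPLE.TEST = {
        kdc = primary.example.test:88
        master_kdc = primary.example.test:88
        admin_server = primary.example.test:749
        kpasswd_server = primary.example.test:464
        default_domain = example.test
    }
```

Only one `[realms]` block belongs in a real `krb5.conf`; the two are shown side by side here to contrast the settings.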