Principal canonicalization does not work for own realm:
$ KRB5_TRACE=/dev/stderr kinit -C admin@f21.test
[31948] 1421403750.682046: Getting initial credentials for admin@f21.test
[31948] 1421403750.683696: Sending request (157 bytes) to f21.test
[31948] 1421403750.684576: Resolving hostname master.f21.test.
[31948] 1421403750.685294: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.686131: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.686295: Response was from master KDC
[31948] 1421403750.686349: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.686386: Following referral to realm f21.test
[31948] 1421403750.686435: Sending request (157 bytes) to f21.test
[31948] 1421403750.686691: Resolving hostname master.f21.test.
[31948] 1421403750.686929: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.687412: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.687564: Response was from master KDC
[31948] 1421403750.687616: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.687658: Following referral to realm f21.test
[31948] 1421403750.687697: Sending request (157 bytes) to f21.test
[31948] 1421403750.687941: Resolving hostname master.f21.test.
[31948] 1421403750.688136: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.688519: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.688687: Response was from master KDC
[31948] 1421403750.688721: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.688740: Following referral to realm f21.test
[31948] 1421403750.688771: Sending request (157 bytes) to f21.test
[31948] 1421403750.689003: Resolving hostname master.f21.test.
[31948] 1421403750.689176: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.689526: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.689700: Response was from master KDC
[31948] 1421403750.689751: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.689786: Following referral to realm f21.test
[31948] 1421403750.689832: Sending request (157 bytes) to f21.test
[31948] 1421403750.690092: Resolving hostname master.f21.test.
[31948] 1421403750.690280: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.690669: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.690830: Response was from master KDC
[31948] 1421403750.690891: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.690954: Following referral to realm f21.test
[31948] 1421403750.691017: Sending request (157 bytes) to f21.test
[31948] 1421403750.691246: Resolving hostname master.f21.test.
[31948] 1421403750.691420: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.691790: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.691932: Response was from master KDC
[31948] 1421403750.691986: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.692008: Following referral to realm f21.test
[31948] 1421403750.692048: Sending request (157 bytes) to f21.test
[31948] 1421403750.692246: Resolving hostname master.f21.test.
[31948] 1421403750.692414: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.692792: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.692933: Response was from master KDC
[31948] 1421403750.692989: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.693049: Following referral to realm f21.test
[31948] 1421403750.693119: Sending request (157 bytes) to f21.test
[31948] 1421403750.693335: Resolving hostname master.f21.test.
[31948] 1421403750.693524: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.693922: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.694118: Response was from master KDC
[31948] 1421403750.694153: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.694172: Following referral to realm f21.test
[31948] 1421403750.694202: Sending request (157 bytes) to f21.test
[31948] 1421403750.694399: Resolving hostname master.f21.test.
[31948] 1421403750.694567: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.694934: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.695095: Response was from master KDC
[31948] 1421403750.695138: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.695157: Following referral to realm f21.test
[31948] 1421403750.695188: Sending request (157 bytes) to f21.test
[31948] 1421403750.695385: Resolving hostname master.f21.test.
[31948] 1421403750.695553: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.695899: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.696055: Response was from master KDC
[31948] 1421403750.696115: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.696134: Following referral to realm f21.test
[31948] 1421403750.696164: Sending request (157 bytes) to f21.test
[31948] 1421403750.696393: Resolving hostname master.f21.test.
[31948] 1421403750.696563: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.696908: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.697047: Response was from master KDC
[31948] 1421403750.697101: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.697126: Following referral to realm f21.test
[31948] 1421403750.697157: Sending request (157 bytes) to f21.test
[31948] 1421403750.697363: Resolving hostname master.f21.test.
[31948] 1421403750.697544: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.697919: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.698080: Response was from master KDC
[31948] 1421403750.698178: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.698246: Following referral to realm f21.test
[31948] 1421403750.698287: Sending request (157 bytes) to f21.test
[31948] 1421403750.698484: Resolving hostname master.f21.test.
[31948] 1421403750.698673: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.699017: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.699194: Response was from master KDC
[31948] 1421403750.699255: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.699290: Following referral to realm f21.test
[31948] 1421403750.699336: Sending request (157 bytes) to f21.test
[31948] 1421403750.699562: Resolving hostname master.f21.test.
[31948] 1421403750.699781: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.700106: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.700270: Response was from master KDC
[31948] 1421403750.700304: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.700323: Following referral to realm f21.test
[31948] 1421403750.700353: Sending request (157 bytes) to f21.test
[31948] 1421403750.700554: Resolving hostname master.f21.test.
[31948] 1421403750.700747: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.701075: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.701234: Response was from master KDC
[31948] 1421403750.701268: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.701298: Following referral to realm f21.test
[31948] 1421403750.701328: Sending request (157 bytes) to f21.test
[31948] 1421403750.701523: Resolving hostname master.f21.test.
[31948] 1421403750.701767: Sending initial UDP request to dgram 192.168.5.169:88
[31948] 1421403750.702095: Received answer (161 bytes) from dgram 192.168.5.169:88
[31948] 1421403750.702266: Response was from master KDC
[31948] 1421403750.702300: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.702319: Following referral to realm f21.test
kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials
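As an added illustration, not part of this ticket, of krb5 or of FreeIPA: a small Python parser for KRB5_TRACE output that flags the failure mode shown above, a "Following referral to realm" entry that points back to a realm the client has already asked. The sample trace lines are constructed from the ones in the report (the second sample uses hypothetical realm names), and the chain check is an illustration of the kind of loop detection a client needs, not the MIT patch itself.

```python
import re

# Constructed sample modelled on the looping trace in this ticket (kinit -C for the client's own realm).
LOOPING_TRACE = """\
[31948] 1421403750.682046: Getting initial credentials for admin@f21.test
[31948] 1421403750.683696: Sending request (157 bytes) to f21.test
[31948] 1421403750.686349: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.686386: Following referral to realm f21.test
[31948] 1421403750.687616: Received error from KDC: -1765328378/Client not found in Kerberos database
[31948] 1421403750.687658: Following referral to realm f21.test
"""

# Constructed sample of a legitimate one-hop referral to a different realm (hypothetical realms).
CROSS_REALM_TRACE = """\
[100] 1421403751.000000: Getting initial credentials for alice@SUB.EXAMPLE.TEST
[100] 1421403751.000001: Sending request (160 bytes) to SUB.EXAMPLE.TEST
[100] 1421403751.000003: Following referral to realm EXAMPLE.TEST
[100] 1421403751.000005: Received answer (1203 bytes) from dgram 192.0.2.10:88
"""

LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
INITIAL_RE = re.compile(r"^Getting initial credentials for (.+)$")
REFERRAL_RE = re.compile(r"^Following referral to realm (\S+)$")

def parse_trace(text):
    """Yield (pid, timestamp, message) for every well-formed KRB5_TRACE line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), float(m.group(2)), m.group(3)

def find_referral_loops(text):
    """Return the realms a referral pointed back to although they were already in the chain."""
    chain = []   # realms visited so far, starting with the client principal's own realm
    loops = []
    for _pid, _ts, msg in parse_trace(text):
        start = INITIAL_RE.match(msg)
        if start:
            chain = [start.group(1).rsplit("@", 1)[-1]]   # realm after the last '@'
            continue
        ref = REFERRAL_RE.match(msg)
        if ref:
            realm = ref.group(1)
            if realm in chain:          # realm names are case-sensitive, so compare exactly
                loops.append(realm)     # the client is being sent where it already asked
            else:
                chain.append(realm)
    return loops
```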
Simo volunteered for the initial research. Moving to 4.1.3 and marking as critical until we know more.
Talked with MIT and we concluded this is a bug in recent kinit: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8060
I sent a patch, pull request is here: https://github.com/krb5/krb5/pull/243
We should probably open a bugzilla against krb5 and backport anywhere we landed 1.12.2/1.13
Thanks. Do I understand it correctly that there is still a bug in our KDC driver, in that it does not support canonicalization? Or will the krb5 patch fix that?
We still have a problem with canonicalization in the KDB, but the patch at least fixes looping.
For 7.1 we should get only the krb5 fixes. The IPA fixes need to be deferred to the next release as they'll require some well-thought-out decisions on how to handle canonicalization at the LDAP level.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1184628
4.1.3 was released.
4.1.4 was released, moving to new milestone
Moving tickets as per freeipa-devel message.
moving to
more info: http://www.redhat.com/archives/freeipa-devel/2015-August/msg00141.html
According to sbose, the looping was fixed some time ago. Rest was implemented in Kerberos aliases tickets. #3864 #3961 #5413 #4421
Metadata Update from @abbra: - Issue assigned to sbose - Issue set to the milestone: FreeIPA 4.4