#6443 KdcProxy starts working in ~20 minutes after server installation
Closed: fixed 5 years ago by rcritten. Opened 7 years ago by ofayans.

If I configure krb5 on a client to use the KdcProxy of the IPA server immediately after the master was installed, kinit fails with "Cannot contact any KDC for realm".
However, after a 15-20 minute delay kinit starts to work.
Steps to reproduce:
1. Set up master and client
2. On master, block both TCP and UDP port 88 (only for the client's IP):

    iptables -A INPUT -p tcp -s %client_ip% --dport 88 -j DROP
    iptables -A INPUT -p udp -s %client_ip% --dport 88 -j DROP

3. On client, edit /etc/krb5.conf and substitute both 'kdc' and 'master_kdc' values with

    https://%master_hostname%/KdcProxy

4. Run kinit on client
5. Wait 20 minutes and run kinit again

Expected results:
First kinit is successful
Actual results:
Only second kinit is successful

Have you checked on the server if all related components are fully started? Maybe one component has to wait on /dev/random because entropy has dried out after the installation?

Replying to [comment:2 sbose]:
As it turned out, a plain restart of sssd on the client solves the issue. The test was updated, and we must not miss this part in the documentation.

Makes sense. If a KDC proxy configuration is added while SSSD is running, SSSD must be restarted because the locator plugin must be disabled. This is done by SSSD automatically at restart when it finds a KDC proxy configuration in krb5.conf (or included files).
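The client-side part of the reproduction steps above, together with the restart requirement described in this comment, as an added example that is not part of the ticket or of FreeIPA. It rewrites the 'kdc' and 'master_kdc' entries of a krb5.conf to the KdcProxy URL and then checks whether the file now carries an https:// KDC, which is the condition under which a running sssd has to be restarted. The hostname master.example.test, the realm EXAMPLE.TEST and the sample krb5.conf are constructed for the example; the check only looks at the one file it is given, not at files pulled in via include/includedir.

```shell
#!/bin/sh
# Added example (not from the ticket or the FreeIPA project): point a client
# krb5.conf at the KdcProxy of an IPA master and decide whether sssd must be
# restarted afterwards.  Hostnames, realm and file contents are assumptions.
set -eu

# kdc_proxy_url MASTER_HOSTNAME -> the KdcProxy URL used in krb5.conf
kdc_proxy_url() {
    printf 'https://%s/KdcProxy\n' "$1"
}

# set_kdc_proxy KRB5_CONF MASTER_HOSTNAME
# Replace the value of every 'kdc = ...' and 'master_kdc = ...' line with the
# KdcProxy URL, in place; the original file is kept as KRB5_CONF.bak.
set_kdc_proxy() {
    url=$(kdc_proxy_url "$2")
    # '#' is the s/// delimiter because the URL contains '/' and '|' is used
    # for alternation in the extended regex.
    sed -i.bak -E "s#^([[:space:]]*(kdc|master_kdc)[[:space:]]*=[[:space:]]*).*#\\1$url#" "$1"
}

# kdc_proxy_configured KRB5_CONF -> exit 0 if any kdc/master_kdc entry is an
# https:// URL.  sssd disables its Kerberos locator plugin only when it finds
# such an entry at startup, so an sssd that was already running when the
# entry was added keeps the locator active and kinit fails with
# "Cannot contact any KDC for realm" until sssd is restarted.
# Caveat: include/includedir directives are not followed by this check.
kdc_proxy_configured() {
    grep -Eq '^[[:space:]]*(kdc|master_kdc)[[:space:]]*=[[:space:]]*https://' "$1"
}

# restart_sssd_if_needed KRB5_CONF: restart sssd once a KDC proxy is configured.
restart_sssd_if_needed() {
    if kdc_proxy_configured "$1"; then
        systemctl restart sssd.service
    fi
}

# make_sample_conf PATH: write a constructed client krb5.conf (plain KDC on
# port 88, i.e. the pre-change state) to PATH.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on an IPA client krb5.conf (not a real file)
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_kdc = false

[realms]
  EXAMPLE.TEST = {
    kdc = master.example.test:88
    master_kdc = master.example.test:88
    admin_server = master.example.test:749
  }
EOF
}

# Demo on a temporary copy; restart_sssd_if_needed is deliberately not
# invoked here because it touches the real sssd service.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
set_kdc_proxy "$demo_conf" master.example.test
grep -E '^[[:space:]]*(kdc|master_kdc)' "$demo_conf"
kdc_proxy_configured "$demo_conf" && echo "KDC proxy configured: restart sssd.service"
rm -f "$demo_conf" "$demo_conf.bak"
```

On a real client the sequence is set_kdc_proxy /etc/krb5.conf <master> followed by restart_sssd_if_needed /etc/krb5.conf; kinit should then succeed immediately instead of after the 15-20 minute delay reported in the ticket.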

It is awesome that it works, but in this case this ticket should be used for removing a workaround from the integration test.

sh$ git log -1 --oneline 
eb1f05d59 spec file: revert to the previous Release tag

sh$ grep -C2 6443 ipatests/test_integration/test_http_kdc_proxy.py
                cls.master.hostname, paths.KRB5_CONF)
            )
        # Workaround for https://fedorahosted.org/freeipa/ticket/6443
        cls.clients[0].run_command(['systemctl', 'restart', 'sssd.service'])
        # End of workaround

Metadata Update from @ofayans:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

IMHO this is less a workaround than dealing with expected behavior. The configuration is changing so sssd needs to be restarted.

master: 503d092

I'm going to mark this as fixed.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
