https://bugzilla.redhat.com/show_bug.cgi?id=698724
+++ This bug was initially created as a clone of Bug #697057 +++

Description of problem:
kpasswd fails with the error: "kpasswd: Cannot contact any KDC for requested realm changing password" if sssd is used with krb backend and the kadmin service is not running on the KDCs.

Version-Release number of selected component (if applicable):
sssd-1.5.4-1.fc14
krb5-workstation-1.8.2-9.fc14

How reproducible:
Almost every time, predictable.

Steps to Reproduce:
1. System with sssd using krb5 as auth backend. kpasswd service on a different server to the KDC
2. Run 'kpasswd' as a user
3. Enter passwords

Actual results:
"kpasswd: Cannot contact any KDC for requested realm changing password"

Expected results:
kpasswd sends a change password request to the kadmin server.

Additional info:
kpasswd is looking for /var/lib/sss/pubconf/kdcinfo.$REALM, if not found it falls back to the traditional method of using /etc/krb5.conf and then DNS lookup. Which works.

If kdcinfo.$REALM exists, kpasswd then looks for /var/lib/sss/pubconf/kpasswdinfo.$REALM, which never gets created. kpasswd uses the addresses from kdcinfo.$REALM as the kadmin server, which isn't running the kpasswd service. Hence fail.

The file in /var/lib/sss/pubconf/ is only created after sssd-krb5 is poked in the right way, e.g. an auth attempt. After restarting sssd the directory is empty.

/etc/sssd/sssd.conf contains:

    [sssd]
    config_file_version = 2
    reconnection_retries = 3
    sbus_timeout = 30
    services = nss, pam
    domains = default

    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3

    [pam]
    reconnection_retries = 3

    [domain/default]
    cache_credentials = True
    debug_level = 0
    id_provider = ldap
    ldap_uri = ldaps://ldap-auth.mydomain
    ldap_id_use_start_tls = False
    ldap_search_base = dc=decisionsoft,dc=com
    chpass_provider = krb5
    auth_provider = krb5
    krb5_realm = MYREALM
    krb5_kpasswd = kerberos-master.mydomain
    krb5_server = kerberos.mydomain
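The lookup order described in the report can be checked on a host with a small diagnostic. This is an added example, not part of the original report or of SSSD's code; the function name, the state labels, the reduced sample config and the placeholder file contents are assumptions of the example.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed sample, reduced from the sssd.conf quoted in the report.
SAMPLE_CONF = """\
[sssd]
domains = default

[domain/default]
chpass_provider = krb5
auth_provider = krb5
krb5_realm = MYREALM
krb5_kpasswd = kerberos-master.mydomain
krb5_server = kerberos.mydomain
"""


def kpasswd_lookup_state(conf_text, pubconf_dir):
    """Return {realm: state} for every domain section that sets krb5_kpasswd.

    States (labels invented for this example):
      fallback             - no kdcinfo.REALM, so krb5.conf/DNS is used
      kpasswdinfo          - kpasswdinfo.REALM exists alongside kdcinfo.REALM
      kdc-used-for-kpasswd - kdcinfo.REALM exists but kpasswdinfo.REALM does
                             not: the failing state described in the report
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    pubconf = Path(pubconf_dir)
    states = {}
    for name in cfg.sections():
        sec = cfg[name]
        if not name.startswith("domain/") or "krb5_kpasswd" not in sec:
            continue
        realm = sec.get("krb5_realm", "").strip()
        if not realm:
            continue
        has_kdc = (pubconf / f"kdcinfo.{realm}").is_file()
        has_kpasswd = (pubconf / f"kpasswdinfo.{realm}").is_file()
        if not has_kdc:
            states[realm] = "fallback"
        elif has_kpasswd:
            states[realm] = "kpasswdinfo"
        else:
            states[realm] = "kdc-used-for-kpasswd"
    return states


if __name__ == "__main__":
    # On a real host, pass the text of /etc/sssd/sssd.conf and
    # /var/lib/sss/pubconf instead of the constructed sample and temp dir.
    with tempfile.TemporaryDirectory() as d:
        print("empty pubconf:", kpasswd_lookup_state(SAMPLE_CONF, d))
        Path(d, "kdcinfo.MYREALM").write_text("placeholder\n")
        print("after an auth attempt:", kpasswd_lookup_state(SAMPLE_CONF, d))
```
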
Fixed by 5e88215
patch: => 1
resolution: => fixed
rhbz: =>
status: new => closed
tests: => 0
testsupdated: => 0
upgrade: => 0
Fields changed
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=698724 698724]
Metadata Update from @sgallagh: - Issue set to the milestone: SSSD 1.5.9
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2065
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.