Bug 1287807
| Summary: | SRV lookup for KDC servers doesn't work | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Brian Nelson <brinel+redhat> |
| Component: | sssd | Assignee: | Petr Čech <pcech> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.7 | CC: | dlavu, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, preichl, sgoveas |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.13.3-5.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-05-10 20:25:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Brian Nelson
2015-12-02 17:56:48 UTC
In addition, even using something like this: krb5_server = _srv_,fqdn.of.kdc Doesn't work AT ALL. It doesn't even fail over to the specified server. The SRV problem causes kerberos to go offline completely. Upstream ticket: https://fedorahosted.org/sssd/ticket/2888 Assigning BZ to the same owner as the ticket.. Fixed upstream:
master: 684191e61d891b1c34f3742a40d5a2ed6a1192dd
sssd-1-13: dd5a52db9653d83bef26da468157c216df45f715
Verified against sssd-client-1.13.3-19.el6.x86_64, SRV records resolve fine. #### Config [sssd] config_file_version = 2 services = nss, pam domains = domain.com [nss] default_shell = /bin/bash [domain/domain.com] debug_level = 9 id_provider = ad ad_domain = domain.com auth_provider = krb5 krb5_server = _srv_ krb5_realm = DOMAIN.COM cache_credentials = True krb5_store_password_if_offline = True use_fully_qualified_names = True fallback_homedir = /home/%d/%u ad_gpo_access_control = permissive access_provider = ad #### Logs (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [remove_connection_callback] (0x4000): Successfully removed connection callback. (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [ad_get_client_site_done] (0x0040): Unable to retrieve site name [2]: No such file or directory (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [fo_discover_servers_send] (0x0400): Looking up primary servers (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'KERBEROS'. Will use DNS discovery domain 'domain.com' (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_KERBEROS._udp.domain.com' (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [resolv_getsrv_done] (0x1000): Using TTL [600] (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [request_watch_destructor] (0x0400): Deleting request watch (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [fo_discover_srv_done] (0x0400): Got 2 servers (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [fo_discover_servers_primary_done] (0x0400): No backup domain specified (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [ad_srv_plugin_servers_done] (0x0400): Got 2 primary and 0 backup servers (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'ad2.domain.com:88' to service 'KERBEROS' (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'ad1.domain.com:88' to service 'KERBEROS' (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'KERBEROS' as 'resolved' (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [get_server_status] (0x1000): Status of server 'ad2.domain.com' is 'name not resolved' (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [resolv_is_address] (0x4000): [ad2.domain.com] does not look like an IP address (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [resolv_gethostbyname_step] (0x2000): Querying files (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ad2.domain.com' in files (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [set_server_common_status] (0x0100): Marking server 'ad2.domain.com' as 'resolving name' (Mon Mar 21 10:55:44 2016) [sssd[be[domain.com]]] [resolv_gethostbyname_step] (0x2000): Querying files Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0782.html |