Bug 180718

Summary: failure to find a master kdc masks an error returned from a non-master
Product: Fedora
Component: krb5
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED WORKSFORME
Severity: low
Priority: medium
Reporter: Nalin Dahyabhai <nalin>
Assignee: Nalin Dahyabhai <nalin>
QA Contact: Brian Brock <bbrock>
Doc Type: Bug Fix
Last Closed: 2006-02-09 16:54:41 EST
Bug Depends On: 180671
Bug Blocks: 150221

Description Nalin Dahyabhai 2006-02-09 15:29:44 EST
+++ This bug was initially created as a clone of Bug #180671 +++

Description of problem:

The krb5 client library returns an unexpected error when a lookup fails:

$ ./ldap_krb5
DEBUG realm REDHAT.COM
DEBUG in_tkt: krbtgt/REDHAT.COM@REDHAT.COM
CRIT lookup(ldap): krb5_get_init_creds_keytab failed with Cannot find KDC for requested realm.

When adding the following to the krb5.conf, the error message changes:

  master_kdc = kerberos.corp.redhat.com

The error returned is now this:

$ ./ldap_krb5
DEBUG realm REDHAT.COM
DEBUG in_tkt: krbtgt/REDHAT.COM@REDHAT.COM
CRIT lookup(ldap): krb5_get_init_creds_keytab failed with Client not found in Kerberos database.

Version-Release number of selected component (if applicable):
krb5-devel-1.3.4-9

How reproducible:
100%

Steps to Reproduce:
Install the following krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 REDHAT.COM = {
  kdc = kerberos.boston.redhat.com:88
  admin_server = kerberos.corp.redhat.com:749
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 .redhat.com = REDHAT.COM
 redhat.com = REDHAT.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Then, try to look up a principal that doesn't exist, such as
host/segfault.boston.redhat.com@REDHAT.COM.  This can be reproduced by issuing
the following command on segfault:

$ kinit -k

If the following is specified in the krb5.conf, then the "correct" error is
returned:

  master_kdc = kerberos.corp.redhat.com

$ kinit -k
kinit(v5): Client not found in Kerberos database while getting initial credentials
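The control flow the summary describes, modeled as an added example (this is an editor's illustration written for this page, not MIT krb5's source and not anything from the report): a "client not found" answer from the configured KDC triggers a retry against the master KDC; when no master_kdc line is present and dns_lookup_kdc is false, the masking path reports the failure to locate a master instead of the answer the first KDC already gave. The small krb5.conf parser, the fake AS exchange, the principal host/known.example.com and the preserve_first_error switch are all constructed for the example; the real library's retry conditions are more involved than this model.

```python
"""Model of the retry-against-master path in initial-credential acquisition
(illustration only, not MIT krb5 code). Shows how a failed master-KDC lookup
can mask the error the non-master KDC already returned."""
import re

# Error strings as the krb5 library prints them.
ERR_NO_KDC = "Cannot find KDC for requested realm"
ERR_CLIENT_UNKNOWN = "Client not found in Kerberos database"

# The only principal the fake KDC knows about (constructed for this example).
KNOWN_PRINCIPAL = "host/known.example.com@REDHAT.COM"


def krb5_conf(master_kdc=None):
    """Constructed krb5.conf text shaped like the report's REDHAT.COM entry,
    optionally with a master_kdc line added."""
    extra = f"  master_kdc = {master_kdc}\n" if master_kdc else ""
    return (
        "[libdefaults]\n default_realm = REDHAT.COM\n dns_lookup_kdc = false\n\n"
        "[realms]\n REDHAT.COM = {\n  kdc = kerberos.boston.redhat.com:88\n"
        "  admin_server = kerberos.corp.redhat.com:749\n" + extra + " }\n"
    )


def parse_realms(text):
    """Parse the [realms] section into {realm: {key: [values]}}.
    Handles only the flat 'REALM = { key = value ... }' layout used above."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        if line.endswith("{"):
            realm = line[:-1].rstrip().rstrip("=").strip()
            realms[realm] = {}
        elif line == "}":
            realm = None
        elif realm is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[realm].setdefault(key, []).append(value)
    return realms


def locate_kdc(realms, realm, master_only=False):
    """KDC addresses for realm from the profile, or None if none are listed.
    With dns_lookup_kdc = false the profile is the only source of addresses."""
    key = "master_kdc" if master_only else "kdc"
    return realms.get(realm, {}).get(key) or None


def fake_as_exchange(kdc, principal):
    """Stand-in for the AS-REQ/AS-REP round trip: None on success, otherwise
    the KDC's error. Every KDC in this model holds the same tiny database."""
    return None if principal == KNOWN_PRINCIPAL else ERR_CLIENT_UNKNOWN


def get_init_creds(conf_text, principal, preserve_first_error):
    """Return None on success or the error string the caller would see.

    preserve_first_error=False reproduces the masking behaviour in the
    report; True yields what the report calls the "correct" error."""
    realms = parse_realms(conf_text)
    realm = principal.split("@", 1)[1]
    kdcs = locate_kdc(realms, realm)
    if kdcs is None:
        return ERR_NO_KDC
    err = fake_as_exchange(kdcs[0], principal)
    if err != ERR_CLIENT_UNKNOWN:
        return err
    # A non-master said "client unknown"; retry the master in case the
    # principal was added recently and has not propagated yet.
    masters = locate_kdc(realms, realm, master_only=True)
    if masters is None:
        # No master_kdc line and DNS lookup disabled: nothing to retry against.
        return err if preserve_first_error else ERR_NO_KDC
    return fake_as_exchange(masters[0], principal)


if __name__ == "__main__":
    bad = "host/segfault.boston.redhat.com@REDHAT.COM"
    print("no master_kdc, masking  :", get_init_creds(krb5_conf(), bad, False))
    print("no master_kdc, preserved:", get_init_creds(krb5_conf(), bad, True))
    print("master_kdc configured   :",
          get_init_creds(krb5_conf("kerberos.corp.redhat.com"), bad, False))
```

Run as a script it prints the three outcomes side by side: with no master_kdc the masking path reports the realm-lookup failure, the preserving path reports the KDC's "client not found", and adding master_kdc makes both paths agree. The practical point for an administrator is that the masked message sends you hunting for a DNS or [realms] problem when the real fault is a missing keytab principal.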
Comment 1 Nalin Dahyabhai 2006-02-09 16:54:23 EST
Looks like I can't reproduce this on Raw Hide, after all.