Bug 2033347

Summary: sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
Product: Red Hat Enterprise Linux 8
Reporter: Nikhil Suryawanshi <nsuryawa>
Component: sssd
Assignee: Tomas Halman <thalman>
Status: CLOSED ERRATA
QA Contact: Dan Lavu <dlavu>
Severity: low
Priority: unspecified
Version: 8.5
CC: abroy, atikhono, grajaiya, jhrozek, kbanerje, lslebodn, mzidek, pbrezina, peter.vreman, rakkumar, rouven, suwu, tscherf
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.7.0-2.el8
Doc Type: If docs needed, set a value
Last Closed: 2022-11-08 10:51:22 UTC
Type: Bug

Description Nikhil Suryawanshi 2021-12-16 15:18:10 UTC
Description of problem:

Authentication for AD users works, but a backtrace has been triggered due to the error message below:

[write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.

Version-Release number of selected component (if applicable):

sssd version : 2.5.2-2.el8_5.1.x86_64

Comment 2 Alexey Tikhonov 2021-12-16 19:16:47 UTC
Comments from Sumit:

```
I think it might be possible to reach the error message in the AD
provider if only a Global Catalog server is in the server list and this
is filtered out. This might happen after some inactivity where
connections are closed and a new request triggers at first a Global
catalog lookup.
```

```
Global Catalog servers can come from any domain in the forest and
for the kdcinfo file for domainA we only want KDCs from domainA to be
present.

But there should be a special failover service (AD_GC) for the Global Catalog
servers. For this service the AD provider should not try to create the
kdcinfo files at all.

Tomas, can you check if this is the case (AD provider tries to create a
kdcinfo file when the failover service is AD_GC) and if yes add code to
skip it?
```

Comment 4 Tomas Halman 2022-01-18 17:08:07 UTC
Upstream issue https://github.com/SSSD/sssd/issues/5956

Comment 5 Tomas Halman 2022-01-19 08:39:05 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/5957

Comment 7 Alexey Tikhonov 2022-01-25 11:50:36 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5957

* `master`
    * 2b0bd0b30b7d12f77a5f37d0ad676c482901faec - ad: do not write kdc info file for GC lookup

Comment 8 Rouven Sacha 2022-01-28 11:36:19 UTC
I can also see the issue on the current Red Hat Beta 9 with sssd 2.6.1-1.el9

Comment 11 Alexey Tikhonov 2022-04-07 14:06:36 UTC
*** Bug 2063224 has been marked as a duplicate of this bug. ***

Comment 27 errata-xmlrpc 2022-11-08 10:51:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7739