Bug 880546

Summary: krb5_kpasswd failover doesn't work
Product: Red Hat Enterprise Linux 6 Reporter: Kaushik Banerjee <kbanerje>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: grajaiya, jgalipea, okos, pbrezina
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.9.2-41.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 09:41:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 888457    

Description Kaushik Banerjee 2012-11-27 09:56:44 UTC 
Description of problem:
krb5_kpasswd failover doesn't work

Version-Release number of selected component (if applicable):
sssd-1.9.2-25.el6

How reproducible:
Always

Steps to Reproduce:
1. domain section of sssd.conf includes:
auth_provider = krb5
krb5_server = kdc.example.com:12345,kdc.example.com:88
krb5_kpasswd = kdc.example.com:12345,kdc.example.com:464

2. Try to login and change the user's password
# ssh -l puser1 localhost
puser1@localhost's password:
Last login: Tue Nov 27 14:46:43 2012 from localhost
-sh-4.1$ passwd
Changing password for user puser1.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error
-sh-4.1$

  
Actual results:
Password change fails as sssd is unable to failover.

/var/log/secure shows:
Nov 27 14:51:56 dhcp201-200 passwd: pam_sss(passwd:chauthtok): system info: [Cannot contact any KDC for requested realm]
Nov 27 14:51:56 dhcp201-200 passwd: pam_sss(passwd:chauthtok): Password change failed for user puser1: 22 (Authentication token lock busy)

/var/log/sssd/sssd_domain.log shows:
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [parse_krb5_child_response] (0x1000): child response [22][1][43].
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_fo_set_port_status] (0x0040): The server (nil) is not valid anymore, cannot set its status
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KPASSWD'
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [get_server_status] (0x1000): Status of server 'kdc.example.com' is 'name resolved'
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [get_server_status] (0x1000): Status of server 'kdc.example.com' is 'name resolved'
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_process] (0x0040): The fail over cycled through all available servers
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_done] (0x1000): Server resolution failed: 2
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [check_wait_queue] (0x1000): Wait queue for user [puser1] is empty.
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 22, <NULL>) [Success]

Expected results:
krb5_kpasswd failover should work.

Additional info:
Comment 2 Jakub Hrozek 2012-11-29 17:19:50 UTC 
Michal could reproduce.
Comment 3 Jakub Hrozek 2012-11-29 17:23:27 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1680
Comment 6 Kaushik Banerjee 2012-12-31 08:06:26 UTC 
Verified in version 1.9.2-59

Report from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: failover-krb5_kpasswd_001 Server1 down, Server2 online
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Stopping KDC and KADMIND on SERVER1 and sleeping for 1 second
:: [   PASS   ] :: Authentication successful, as expected
:: [   PASS   ] :: Running 'auth_success puser1 NewPass_123'
:: [   LOG    ] :: Starting KDC and KADMIND on SERVER1 and sleeping for 5 seconds
:: [   LOG    ] :: Duration: 12s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: failover-krb5_kpasswd_001 Server1 down, Server2 online

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: failover-krb5_kpasswd_002 Failover with single server different ports
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Sleeping for 5 seconds
:: [   PASS   ] :: Authentication successful, as expected
:: [   PASS   ] :: Running 'auth_success puser1 NewPass_123'
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: failover-krb5_kpasswd_002 Failover with single server different ports
Comment 7 errata-xmlrpc 2013-02-21 09:41:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html