Created attachment 1104320 [details]
Description of problem:
If user configures krb5.conf with kdcproxy, and tries to change password using 'kpasswd' then fails with error
kpasswd: Cannot contact any KDC for requested realm changing password
See attachment for log
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. On Server install using ipa-server-install
2. On Client machine, install ipa-client
3. Configure client to use IPA server using ipa-client-install
4. Configure krb5.conf for using 'KdcProxy'
5. Do 'kpasswd'
Password change procedure fails
Password should be changed from client machine.
kpasswd cannot change the password because it connects to the wrong TCP port. Instead of port 443/TCP it uses 464/TCP (kpasswd port):
 1449752052.476728: Resolving hostname vm-239.abc.idm.lab.eng.brq.redhat.com
 1449752052.488004: TLS error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
 1449752052.488140: HTTPS error sending to https 10.34.78.239:464
 1449752052.489039: Terminating TCP connection to https 10.34.78.239:464
It looks like krb5_change_password() doesn't implement the necessary checks for HTTPS transport. change_set_password() https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/changepw.c#L207 calls locate_kpasswd() https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/changepw.c#L61 which uses k5_locate_server() https://github.com/krb5/krb5/blob/master/src/lib/krb5/os/locate_kdc.c#L639 to find the kpasswd server. k5_locate_server() either uses TCP or TCP_OR_UDP transport but never HTTPS transport.
Doesn't kdcproxy require you to configure kpasswd currently as per the documentation https://github.com/npmccallum/kdcproxy ? This seems like something IPA should set up. What do you think Christian?
You are right. I thought that admin_server is enough. Apparently it's not. kpasswd works correctly with a kpasswd_server entry. In case only an admin_server is configured, libkrb5 seems to ignore port and protocol. It takes the host name, adds port 464 and then connects to it.
Points to the server where all the password changes are performed. If there is no such entry, the port 464 on the admin_server host will be tried.