Description: Thorsten Scherf, 2017-12-14 12:21:27 UTC
Description of problem:
IdM with AD forest trust and kdcproxy enabled on IdM server.
In case trusted AD users try to access resources in the IdM domain, authentication requests might be sent to the kdcproxy running on the IdM server (using https), and from there the requests are forwarded to the AD KDCs using the default Kerberos destination port 88/tcp and/or 88/udp. The kdcproxy tries to connect to all known AD KDCs. In case some of those KDCs are not reachable (because of network filtering or other reasons), kdcproxy produces an error like the following one:
[Wed Nov 29 15:05:56.340762 2017] [:error] [pid 21339] ERROR:root:Error in recv() of <socket._socketobject object at 0x560cc3f80fa0>
[Wed Nov 29 15:05:56.340777 2017] [:error] [pid 21339] Traceback (most recent call last):
[Wed Nov 29 15:05:56.340782 2017] [:error] [pid 21339] File "/usr/lib/python2.7/site-packages/kdcproxy/__init__.py", line 100, in __await_reply
[Wed Nov 29 15:05:56.340787 2017] [:error] [pid 21339] sock.sendall(pr.request)
[Wed Nov 29 15:05:56.340791 2017] [:error] [pid 21339] File "/usr/lib64/python2.7/socket.py", line 224, in meth
[Wed Nov 29 15:05:56.340795 2017] [:error] [pid 21339] return getattr(self._sock,name)(*args)
[Wed Nov 29 15:05:56.340799 2017] [:error] [pid 21339] error: [Errno 32] Broken pipe
[Wed Nov 29 15:05:56.341031 2017] [:error] [pid 21339] ERROR:root:Error in recv() of <socket._socketobject object at 0x560cc4004e50>
[Wed Nov 29 15:05:56.341048 2017] [:error] [pid 21339] [Wed Nov 29 15:51:18.116347 2017] [mpm_prefork:notice] [pid 21333] AH00170: caught SIGWINCH, shutting down gracefully
In case a lot of trusted AD users are trying to log in, this error can easily fill up the httpd error log and also quickly use up all the available disk space, which can lead to other problems (like the httpd shutdown seen above).
The RfE is to put some logic into kdcproxy that keeps track of all KDCs which are not reachable and does not send any auth requests to those servers until they are available again.
Version-Release number of selected component (if applicable):
gssproxy-0.7.0-4.el7.x86_64
Additional info:
We can do two things:
* Make the error message less verbose but more useful when it's a connection error or broken pipe. We shouldn't dump a stack trace or print an error. IMO a single-line warning message is sufficient. It's only an error when we cannot reach any KDC. The connection / pipe error should also contain the name or IP address of the peer. At the moment the message is pretty much useless to diagnose the issue.
* Implement https://github.com/latchset/kdcproxy/pull/22. It adds a mechanism to temporarily ignore broken KDCs / DCs.
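The two proposals above (a one-line, peer-qualified warning instead of a stack trace, and a cooldown for KDCs that failed) as an added illustration; this is example code written for this page, not kdcproxy's own implementation or the code in PR 22, and the class and function names are hypothetical:

```python
import logging
import socket
import time

log = logging.getLogger("kdcproxy.example")


class UnreachableKDCs:
    """Remembers KDCs that failed and skips them until a cooldown has passed."""

    def __init__(self, cooldown=300.0, clock=time.monotonic):
        self.cooldown = cooldown
        self.clock = clock          # injectable so tests can fake time
        self._failed_at = {}        # (host, port) -> time of last failure

    def mark_failed(self, peer):
        self._failed_at[peer] = self.clock()

    def mark_ok(self, peer):
        self._failed_at.pop(peer, None)

    def is_available(self, peer):
        failed = self._failed_at.get(peer)
        return failed is None or self.clock() - failed >= self.cooldown

    def usable(self, peers):
        """KDCs worth contacting now. If every KDC is on cooldown, return all
        of them so a temporary outage never turns into a permanent skip."""
        live = [p for p in peers if self.is_available(p)]
        return live if live else list(peers)


def describe_failure(peer, exc):
    """Single-line warning carrying the peer, so the log is actually useful."""
    return "KDC %s:%d unreachable: %s" % (peer[0], peer[1], exc)


def send_to_kdcs(peers, tracker, send):
    """Try usable KDCs in order; `send(peer)` returns the reply or raises
    socket.error. Returns (reply, warnings); raises only if no KDC answered,
    which is the only case that deserves an ERROR-level log line."""
    warnings = []
    for peer in tracker.usable(peers):
        try:
            reply = send(peer)
        except socket.error as exc:      # socket.error is OSError on Python 3
            tracker.mark_failed(peer)
            warnings.append(describe_failure(peer, exc))
            log.warning(warnings[-1])
            continue
        tracker.mark_ok(peer)
        return reply, warnings
    log.error("no KDC reachable: %s", "; ".join(warnings))
    raise ConnectionError("no KDC reachable")
```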
Comment 5: Florence Blanc-Renaud, 2018-01-17 12:24:34 UTC
*** Bug 1523657 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:2062