Bug 1683578 - sssd_krb5_locator_plugin introduces delay in cifs.upcall krb5 calls [rhel-7.6.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: sssd-qe
Depends On: 1672527
Reported: 2019-02-27 09:22 UTC by RAD team bot copy to z-stream
Modified: 2022-03-13 17:02 UTC (History)
Clone Of: 1672527
Last Closed: 2019-04-23 14:28:24 UTC

Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4932 0 None None None 2020-05-04 11:08:44 UTC
Red Hat Product Errata RHBA-2019:0816 0 None None None 2019-04-23 14:28:26 UTC

Description RAD team bot copy to z-stream 2019-02-27 09:22:28 UTC
This bug has been copied from bug #1672527 and has been proposed to be backported to 7.6 z-stream (EUS).

Comment 6 Niranjan Mallapadi Raghavender 2019-04-10 12:37:57 UTC
Reproducing the Issue:
=====================
sssd-libwbclient-1.16.2-13.el7.x86_64
sssd-krb5-common-1.16.2-13.el7.x86_64
sssd-ldap-1.16.2-13.el7.x86_64
sssd-proxy-1.16.2-13.el7.x86_64
sssd-tools-1.16.2-13.el7.x86_64
sssd-client-1.16.2-13.el7.x86_64
sssd-common-1.16.2-13.el7.x86_64
sssd-common-pac-1.16.2-13.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
sssd-dbus-1.16.2-13.el7.x86_64
sssd-1.16.2-13.el7.x86_64
sssd-kcm-1.16.2-13.el7.x86_64
python-sssdconfig-1.16.2-13.el7.noarch
sssd-ad-1.16.2-13.el7.x86_64
sssd-ipa-1.16.2-13.el7.x86_64

1. Configure sssd to use the ldap provider and krb5 authentication for users to log in

[sssd]
domains = sssd2016.com
config_file_version = 2
services = nss, pam

[domain/sssd2016.com]
krb5_realm = SSSD2016.COM
id_provider = ldap
chpass_provider = krb5
cache_credentials = True
ldap_uri = ldap://mars.sssd2016.com
ldap_search_base = DC=sssd2016,DC=COM
cache_credentials = False
ldap_referrals = False
id_provider = ldap
ldap_schema = ad
ldap_force_upper_case_realm = true
ldap_id_mapping = true
ldap_sasl_mech = gssapi
ldap_account_expire_policy = ad
ldap_use_tokengroups = true
auth_provider = krb5
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
debug_level = 9

3. Cat /etc/krb5.conf
[root@sparks ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = SSSD2016.COM
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

 SSSD2016.COM = {
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 sssd2016.com = SSSD2016.COM
 .sssd2016.com = SSSD2016.COM
[root@sparks ~]# 



2. Log in as an AD user using ssh so that the kdcinfo.<DOMAIN> and kpasswd.<DOMAIN> files are created
under /var/lib/sss/pubconf

/var/lib/sss/pubconf
[root@sparks pubconf]# ll
total 8
-rw-r--r--. 1 root root 16 Apr 10 08:27 kdcinfo.SSSD2016.COM
-rw-r--r--. 1 root root 17 Apr 10 08:15 kpasswdinfo.SSSD2016.COM
drwxr-xr-x. 2 sssd sssd 87 Sep  5  2018 krb5.include.d


3. From another terminal as root user run the below kinit command

env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit Administrator

when prompted for password specify a wrong or no password to check if the port
464 

[root@sparks ~]# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit Administrator
[27555] 1554898748.181016: Getting initial credentials for Administrator
[27555] 1554898748.181018: Sending unauthenticated request
[27555] 1554898748.181019: Sending request (200 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27555] 1554898748.181020: Initiating TCP connection to stream 10.65.207.18:88
[27555] 1554898748.181021: Sending TCP request to stream 10.65.207.18:88
[27555] 1554898748.181022: Received answer (157 bytes) from stream 10.65.207.18:88
[27555] 1554898748.181023: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27555] 1554898748.181024: Response was not from master KDC
[27555] 1554898748.181025: Received error from KDC: -1765328359/Additional pre-authentication required
[27555] 1554898748.181028: Preauthenticating using KDC method data
[27555] 1554898748.181029: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[27555] 1554898748.181030: Selected etype info: etype rc4-hmac, salt "", params ""
Password for Administrator:
[27555] 1554898751.324171: AS key obtained for encrypted timestamp: rc4-hmac/A247
[27555] 1554898751.324173: Encrypted timestamp (for 1554898751.707740): plain 301AA011180F32303139303431303132313931315AA10502030ACC9C, encrypted FC89D373AF3534165D28F2AE73E72B86214AEDEFEDBB216AB28508E87CA238A83A0EF767C10B1AC6E9FAE3605F88288D8865368C
[27555] 1554898751.324174: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[27555] 1554898751.324175: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[27555] 1554898751.324176: Sending request (276 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27555] 1554898751.324177: Initiating TCP connection to stream 10.65.207.18:88
[27555] 1554898751.324178: Sending TCP request to stream 10.65.207.18:88
[27555] 1554898751.324179: Received answer (1526 bytes) from stream 10.65.207.18:88
[27555] 1554898751.324180: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27555] 1554898751.324181: Response was not from master KDC
[27555] 1554898751.324182: Salt derived from principal: SSSD2016.COMAdministrator
[27555] 1554898751.324183: AS key determined by preauth: rc4-hmac/A247
[27555] 1554898751.324184: Decrypted AS reply; session key is: aes256-cts/EF66
[27555] 1554898751.324185: FAST negotiation: unavailable
[27555] 1554898751.324186: Initializing KEYRING:persistent:0:0 with default princ Administrator
[27555] 1554898751.324187: Storing Administrator -> krbtgt/SSSD2016.COM in KEYRING:persistent:0:0
[27555] 1554898751.324188: Storing config in KEYRING:persistent:0:0 for krbtgt/SSSD2016.COM: pa_type: 2
[27555] 1554898751.324189: Storing Administrator -> krb5_ccache_conf_data/pa_type/krbtgt\/SSSD2016.COM\@SSSD2016.COM@X-CACHECONF: in KEYRING:persistent:0:0
[root@sparks ~]# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit Administrator
[27556] 1554898759.377230: Getting initial credentials for Administrator
[27556] 1554898759.377232: Sending unauthenticated request
[27556] 1554898759.377233: Sending request (200 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898759.377234: Initiating TCP connection to stream 10.65.207.18:88
[27556] 1554898759.377235: Sending TCP request to stream 10.65.207.18:88
[27556] 1554898759.377236: Received answer (157 bytes) from stream 10.65.207.18:88
[27556] 1554898759.377237: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898759.377238: Response was not from master KDC
[27556] 1554898759.377239: Received error from KDC: -1765328359/Additional pre-authentication required
[27556] 1554898759.377242: Preauthenticating using KDC method data
[27556] 1554898759.377243: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[27556] 1554898759.377244: Selected etype info: etype rc4-hmac, salt "", params ""
Password for Administrator:
[27556] 1554898760.652839: AS key obtained for encrypted timestamp: rc4-hmac/4EE8
[27556] 1554898760.652841: Encrypted timestamp (for 1554898761.43279): plain 301AA011180F32303139303431303132313932315AA105020300A90F, encrypted 693DCFAEED27C776A547C57E0E3444F0801A0570D9EBDC14648BB96278A912FF810E8C65CE06DB72ADD90240DDF90033459ACF0E
[27556] 1554898760.652842: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[27556] 1554898760.652843: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[27556] 1554898760.652844: Sending request (276 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898760.652845: Initiating TCP connection to stream 10.65.207.18:88
[27556] 1554898760.652846: Sending TCP request to stream 10.65.207.18:88
[27556] 1554898761.718373: Received answer (122 bytes) from stream 10.65.207.18:88
[27556] 1554898761.718374: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898761.718375: Response was not from master KDC
[27556] 1554898761.718376: Received error from KDC: -1765328360/Preauthentication failed
[27556] 1554898761.718379: Preauthenticating using KDC method data
[27556] 1554898761.718380: Processing preauth types: PA-ETYPE-INFO2 (19)
[27556] 1554898761.718381: Selected etype info: etype rc4-hmac, salt "", params ""
[27556] 1554898761.718382: Retrying AS request with master KDC
[27556] 1554898761.718383: Getting initial credentials for Administrator
[27556] 1554898761.718385: Sending unauthenticated request
[27556] 1554898761.718386: Sending request (200 bytes) to SSSD2016.COM (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:464] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[27556] 1554898761.718387: Initiating TCP connection to stream 10.65.207.18:464
[27556] 1554898761.718388: Sending TCP request to stream 10.65.207.18:464
[27556] 1554898762.200747: Terminating TCP connection to stream 10.65.207.18:464
[27556] 1554898762.200748: Sending initial UDP request to dgram 10.65.207.18:464
[27556] 1554898765.203935: Sending retry UDP request to dgram 10.65.207.18:464
[27556] 1554898770.209022: Sending retry UDP request to dgram 10.65.207.18:464
kinit: Password incorrect while getting initial credentials

As seen above, the sssd_krb5_locator plugin tries the AD server on port 464.


Update the sssd to below versions:

sssd-ipa-1.16.2-13.el7_6.7.x86_64
sssd-proxy-1.16.2-13.el7_6.7.x86_64
sssd-client-1.16.2-13.el7_6.7.x86_64
python-sssdconfig-1.16.2-13.el7_6.7.noarch
sssd-common-1.16.2-13.el7_6.7.x86_64
sssd-common-pac-1.16.2-13.el7_6.7.x86_64
sssd-ad-1.16.2-13.el7_6.7.x86_64
sssd-krb5-1.16.2-13.el7_6.7.x86_64
sssd-1.16.2-13.el7_6.7.x86_64
sssd-krb5-common-1.16.2-13.el7_6.7.x86_64
sssd-ldap-1.16.2-13.el7_6.7.x86_64


Restart sssd and run the above kinit command

[root@qe-blade-14 pubconf]# env SSSD_KRB5_LOCATOR_DEBUG=1 KRB5_TRACE=/dev/stdout kinit Administrator
[26280] 1554899579.642990: Getting initial credentials for Administrator
[26280] 1554899579.642992: Sending unauthenticated request
[26280] 1554899579.642993: Sending request (200 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[26280] 1554899579.642994: Initiating TCP connection to stream 10.65.207.18:88
[26280] 1554899579.642995: Sending TCP request to stream 10.65.207.18:88
[26280] 1554899580.128031: Received answer (157 bytes) from stream 10.65.207.18:88
[26280] 1554899580.128032: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[26280] 1554899580.128033: Response was from master KDC
[26280] 1554899580.128034: Received error from KDC: -1765328359/Additional pre-authentication required
[26280] 1554899580.128037: Preauthenticating using KDC method data
[26280] 1554899580.128038: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[26280] 1554899580.128039: Selected etype info: etype rc4-hmac, salt "", params ""
Password for Administrator:
[26280] 1554899582.293153: AS key obtained for encrypted timestamp: rc4-hmac/4EE8
[26280] 1554899582.293155: Encrypted timestamp (for 1554899582.204260): plain 301AA011180F32303139303431303132333330325AA1050203031DE4, encrypted 76CFD1F609AC0F1AB294F2CA5B04379C69960E3332B17E22CEB10709DD201BF5F06B2776F4ECE062225328CF514D10801A259B64
[26280] 1554899582.293156: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[26280] 1554899582.293157: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[26280] 1554899582.293158: Sending request (276 bytes) to SSSD2016.COM
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[2]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[26280] 1554899582.293159: Initiating TCP connection to stream 10.65.207.18:88
[26280] 1554899582.293160: Sending TCP request to stream 10.65.207.18:88
[26280] 1554899582.293161: Received answer (122 bytes) from stream 10.65.207.18:88
[26280] 1554899582.293162: Terminating TCP connection to stream 10.65.207.18:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.65.207.18][88].
[sssd_krb5_locator] Found [10.65.207.18][464].
[sssd_krb5_locator] sssd_realm[SSSD2016.COM] requested realm[SSSD2016.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.65.207.18:88] family[2] socktype[1]
[sssd_krb5_locator] [10.65.207.18] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[26280] 1554899582.293163: Response was from master KDC
[26280] 1554899582.293164: Received error from KDC: -1765328360/Preauthentication failed
[26280] 1554899582.293167: Preauthenticating using KDC method data
[26280] 1554899582.293168: Processing preauth types: PA-ETYPE-INFO2 (19)
[26280] 1554899582.293169: Selected etype info: etype rc4-hmac, salt "", params ""
kinit: Password incorrect while getting initial credentials

As we can see, the sssd_krb5_locator plugin doesn't retry the AD server IP on port 464 and tries to connect on port 88.
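
The comparison made in the comment above can be automated. This is an added example, not part of the bug report or of SSSD: it scans interleaved KRB5_TRACE and SSSD_KRB5_LOCATOR_DEBUG output for master-KDC lookups (locate_service[2]) answered with a port other than 88, and gives a lower bound on the time spent contacting that port. The function name, the realm EXAMPLE.COM, the address 192.0.2.10 and both sample logs are constructed for illustration.

```python
import re
from decimal import Decimal

# locate_service numbers follow the enum in krb5's locate_plugin.h:
# 1 = locate_service_kdc, 2 = locate_service_master_kdc.
MASTER_KDC = 2
KDC_PORT = 88

REQ = re.compile(r"^\[sssd_krb5_locator\] .*locate_service\[(\d+)\]$")
ADDR = re.compile(r"^\[sssd_krb5_locator\] addr\[(.+):(\d+)\] family\[\d+\] socktype\[\d+\]$")
TRACE = re.compile(r"^\[\d+\] (\d+\.\d+): (.*)$")
CONTACT = re.compile(r"(?:TCP connection to stream|UDP request to dgram) (.+):(\d+)$")


def analyze(log):
    """Summarise one run of interleaved KRB5_TRACE and locator debug output."""
    service = None        # locate_service of the lookup currently being answered
    wrong_answers = []    # (host, port) returned for a master-KDC lookup, port != 88
    first_bad = last_ts = None
    for line in log.splitlines():
        line = line.strip()
        if m := REQ.match(line):
            service = int(m.group(1))
        elif m := ADDR.match(line):
            host, port = m.group(1), int(m.group(2))
            if service == MASTER_KDC and port != KDC_PORT:
                wrong_answers.append((host, port))
        elif m := TRACE.match(line):
            last_ts = Decimal(m.group(1))
            c = CONTACT.search(m.group(2))
            if c and int(c.group(2)) != KDC_PORT and first_bad is None:
                first_bad = last_ts
    # Lower bound: time from the first contact on a non-KDC port to the last trace line.
    stalled = last_ts - first_bad if first_bad is not None else Decimal(0)
    return {"wrong_answers": wrong_answers, "stalled_seconds": stalled}


# Constructed samples in the format shown above (placeholder realm and address).
BEFORE = """\
[4242] 1000.000200: Sending request (200 bytes) to EXAMPLE.COM (master)
[sssd_krb5_locator] Found [192.0.2.10][88].
[sssd_krb5_locator] Found [192.0.2.10][464].
[sssd_krb5_locator] sssd_realm[EXAMPLE.COM] requested realm[EXAMPLE.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[192.0.2.10:464] family[2] socktype[1]
[4242] 1000.000300: Initiating TCP connection to stream 192.0.2.10:464
[4242] 1000.500000: Terminating TCP connection to stream 192.0.2.10:464
[4242] 1000.500100: Sending initial UDP request to dgram 192.0.2.10:464
[4242] 1003.500100: Sending retry UDP request to dgram 192.0.2.10:464
[4242] 1008.500100: Sending retry UDP request to dgram 192.0.2.10:464
"""
AFTER = """\
[4243] 2000.000100: Sending request (276 bytes) to EXAMPLE.COM
[sssd_krb5_locator] sssd_realm[EXAMPLE.COM] requested realm[EXAMPLE.COM] family[0] socktype[1] locate_service[2]
[sssd_krb5_locator] addr[192.0.2.10:88] family[2] socktype[1]
[4243] 2000.000200: Response was from master KDC
[4243] 2000.000300: Received error from KDC: -1765328360/Preauthentication failed
"""

if __name__ == "__main__":
    for name, log in (("before", BEFORE), ("after", AFTER)):
        print(name, analyze(log))
```

A non-empty wrong_answers list together with a stall of several seconds matches the unpatched behaviour shown in the first traces; the patched packages should yield an empty list and no stall.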

Comment 8 errata-xmlrpc 2019-04-23 14:28:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0816

