Bug 180718 - failure to find a master kdc masks an error returned from a non-master
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: low
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Depends On: 180671
Blocks: FC5Target
Reported: 2006-02-09 15:29 EST by Nalin Dahyabhai
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-02-09 16:54:41 EST
Description Nalin Dahyabhai 2006-02-09 15:29:44 EST
+++ This bug was initially created as a clone of Bug #180671 +++

Description of problem:

The krb5 client library returns an unexpected error when a lookup fails:

$ ./ldap_krb5
DEBUG realm REDHAT.COM
DEBUG in_tkt: krbtgt/REDHAT.COM@REDHAT.COM
CRIT lookup(ldap): krb5_get_init_creds_keytab failed with Cannot find KDC for
requested realm.

When adding the following to the krb5.conf, the error message changes:

  master_kdc = kerberos.corp.redhat.com

The error returned is now this:

$ ./ldap_krb5
DEBUG realm REDHAT.COM
DEBUG in_tkt: krbtgt/REDHAT.COM@REDHAT.COM
CRIT lookup(ldap): krb5_get_init_creds_keytab failed with Client not found in
Kerberos database.

Version-Release number of selected component (if applicable):
krb5-devel-1.3.4-9

How reproducible:
100%

Steps to Reproduce:
Install the following krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 REDHAT.COM = {
  kdc = kerberos.boston.redhat.com:88
  admin_server = kerberos.corp.redhat.com:749
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 .redhat.com = REDHAT.COM
 redhat.com = REDHAT.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Then, try to look up a principal that doesn't exist, such as
host/segfault.boston.redhat.com@REDHAT.COM.  This can be reproduced by issuing
the following command on segfault:

$ kinit -k

If the following is specified in the krb5.conf, then the "correct" error is
returned:

  master_kdc = kerberos.corp.redhat.com

$ kinit -k
kinit(v5): Client not found in Kerberos database while getting initial credentials

Comment 1 Nalin Dahyabhai 2006-02-09 16:54:23 EST
Looks like I can't reproduce this on Raw Hide, after all.
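
An added example, not part of the bug report and not MIT krb5 source: a small C model of the error selection named in the bug title, showing the masked result beside the preserved one. The error names, `struct realm_cfg`, and the simulated `as_request` are hypothetical; only the two message strings and the host name come from the report.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical error codes for this model; the messages are those quoted in the report. */
enum err { OK = 0, ERR_REALM_UNKNOWN, ERR_CLIENT_UNKNOWN };

static const char *err_msg(enum err e) {
    switch (e) {
    case ERR_REALM_UNKNOWN:  return "Cannot find KDC for requested realm";
    case ERR_CLIENT_UNKNOWN: return "Client not found in Kerberos database";
    default:                 return "success";
    }
}

/* Constructed stand-in for one realm's kdc / master_kdc settings in krb5.conf. */
struct realm_cfg { const char *kdc; const char *master_kdc; };

/* Simulated AS request for a principal that does not exist: any KDC that can be
 * located answers "client unknown"; a missing entry is a locate failure. */
static enum err as_request(const struct realm_cfg *r, int use_master) {
    const char *host = use_master ? r->master_kdc : r->kdc;
    return host == NULL ? ERR_REALM_UNKNOWN : ERR_CLIENT_UNKNOWN;
}

/* Behaviour in the bug title: the master retry's error replaces the first one. */
static enum err get_creds_masking(const struct realm_cfg *r) {
    enum err first = as_request(r, 0);
    if (first == OK) return OK;
    return as_request(r, 1);
}

/* Preserving variant: failing to locate a master is not an answer from a KDC,
 * so the error the non-master KDC actually returned is kept. */
static enum err get_creds_preserving(const struct realm_cfg *r) {
    enum err first = as_request(r, 0);
    if (first == OK) return OK;
    enum err retry = as_request(r, 1);
    return retry == ERR_REALM_UNKNOWN ? first : retry;
}

int main(void) {
    struct realm_cfg no_master = { "kerberos.boston.redhat.com", NULL };
    printf("masking:    %s\n", err_msg(get_creds_masking(&no_master)));
    printf("preserving: %s\n", err_msg(get_creds_preserving(&no_master)));
    return 0;
}
```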
