Bug 180718 - failure to find a master kdc masks an error returned from a non-master
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Depends On: 180671
Blocks: FC5Target
Reported: 2006-02-09 20:29 UTC by Nalin Dahyabhai
Modified: 2007-11-30 22:11 UTC (History)

Doc Type: Bug Fix
Last Closed: 2006-02-09 21:54:41 UTC

Description Nalin Dahyabhai 2006-02-09 20:29:44 UTC
+++ This bug was initially created as a clone of Bug #180671 +++

Description of problem:

The krb5 client library returns an unexpected error when a lookup fails:

$ ./ldap_krb5
DEBUG realm REDHAT.COM
DEBUG in_tkt: krbtgt/REDHAT.COM
CRIT lookup(ldap): krb5_get_init_creds_keytab failed with Cannot find KDC for
requested realm.

When adding the following to the krb5.conf, the error message changes:

  master_kdc = kerberos.corp.redhat.com

The error returned is now this:

$ ./ldap_krb5
DEBUG realm REDHAT.COM
DEBUG in_tkt: krbtgt/REDHAT.COM
CRIT lookup(ldap): krb5_get_init_creds_keytab failed with Client not found in
Kerberos database.

Version-Release number of selected component (if applicable):
krb5-devel-1.3.4-9

How reproducible:
100%

Steps to Reproduce:
Install the following krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 REDHAT.COM = {
  kdc = kerberos.boston.redhat.com:88
  admin_server = kerberos.corp.redhat.com:749
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 .redhat.com = REDHAT.COM
 redhat.com = REDHAT.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Then, try to look up a principal that doesn't exist, such as
host/segfault.boston.redhat.com.  This can be reproduced by issuing
the following command on segfault:

$ kinit -k

If the following is specified in the krb5.conf, then the "correct" error is
returned:

  master_kdc = kerberos.corp.redhat.com

$ kinit -k
kinit(v5): Client not found in Kerberos database while getting initial credentials

Comment 1 Nalin Dahyabhai 2006-02-09 21:54:23 UTC
Looks like I can't reproduce this on Raw Hide, after all.
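
The masking named in the bug summary, sketched as an added example (not part of the original report and not code from the krb5 library). It assumes, as the summary implies, that the client retries a failed request against the master KDC; the error codes, struct and function names are hypothetical stand-ins, not values from krb5.h.

```c
#include <stdio.h>

/* Hypothetical error codes for this model; not the values from krb5.h. */
enum model_err {
    ERR_OK = 0,
    ERR_CLIENT_NOT_FOUND,  /* a KDC answered: principal is not in its database */
    ERR_NO_KDC_FOR_REALM   /* the locator found no KDC of the requested kind */
};

/* Constructed stand-in for one realm's configuration and KDC answers. */
struct realm_model {
    int has_master_kdc;            /* is master_kdc set for the realm? */
    enum model_err any_kdc_reply;  /* answer from the ordinary KDC */
    enum model_err master_reply;   /* answer from the master, if one is found */
};

/* One request, sent either to any KDC or to the master only. */
static enum model_err ask_kdc(const struct realm_model *r, int use_master)
{
    if (!use_master)
        return r->any_kdc_reply;
    return r->has_master_kdc ? r->master_reply : ERR_NO_KDC_FOR_REALM;
}

/* Masking form: whatever the master retry returns replaces the first error. */
enum model_err get_creds_masking(const struct realm_model *r)
{
    enum model_err ret = ask_kdc(r, 0);
    if (ret == ERR_OK || ret == ERR_NO_KDC_FOR_REALM)
        return ret;
    return ask_kdc(r, 1);
}

/* Preserving form: if no master can be found, keep the non-master's answer. */
enum model_err get_creds_preserving(const struct realm_model *r)
{
    enum model_err ret = ask_kdc(r, 0), ret2;
    if (ret == ERR_OK || ret == ERR_NO_KDC_FOR_REALM)
        return ret;
    ret2 = ask_kdc(r, 1);
    return (ret2 == ERR_NO_KDC_FOR_REALM) ? ret : ret2;
}

int main(void)
{
    struct realm_model no_master = {0, ERR_CLIENT_NOT_FOUND, ERR_OK};
    printf("masking=%d preserving=%d\n",
           get_creds_masking(&no_master), get_creds_preserving(&no_master));
    return 0;
}
```

With no master_kdc in the model, the masking form reports the locator failure while the preserving form reports the KDC's own "client not found" answer, which is the difference between the two kinit results in the description.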

