Description of problem: LDAP provider forks out a child process to make its kinit request. However, when the child attempts to perform the kinit, it's getting an error from libkrb5 saying that it cannot find a KDC for the realm.

(Thu Aug 5 13:03:03 2010) [sssd[be[D]]] [sdap_kinit_send] (6): Attempting kinit (/etc/krb5.keytab, spn/host@DOMAIN, DOMAIN, 86400)
(Thu Aug 5 13:03:03 2010) [sssd[be[D]]] [create_tgt_req_send_buffer] (7): buffer size: 69
(Thu Aug 5 13:03:03 2010) [sssd[be[D]]] [set_tgt_child_timeout] (6): Setting 6 seconds timeout for tgt child
(Thu Aug 5 13:03:03 2010) [sssd[be[D]]] [write_pipe_handler] (6): All data has been sent!
(Thu Aug 5 13:03:03 2010) [sssd[be[D]]] [read_pipe_handler] (6): EOF received, client finished
(Thu Aug 5 13:03:03 2010) [sssd[be[D]]] [sdap_get_tgt_recv] (6): Child responded: 14 [Bad address]
(Thu Aug 5 13:03:03 2010) [sssd[be[D]]] [sdap_kinit_done] (4): Could not get TGT: 14 [Bad address]
(Thu Aug 5 13:03:03 2010) [sssd[be[D]]] [fo_set_port_status] (4): Marking port 389 of server 'SERVER' as 'not working'
(Thu Aug 5 13:03:03 2010) [sssd[be[D]]] [sdap_check_gssapi_reconnect] (7): Client principal name is: [spn/host@DOMAIN]
(Thu Aug 5 13:03:03 2010) [sssd[be[D]]] [sdap_check_gssapi_reconnect] (1): krb5_cc_retrieve_cred failed.

Aug 5 13:20:59 slabstb249 [sssd[ldap_child[1947]]]: Failed to initialize credentials using keytab [/etc/krb5.keytab]: Cannot find KDC for requested realm.
Unable to create GSSAPI-encrypted LDAP connection.

Version-Release number of selected component (if applicable): 1.2.2
Here is the relevant sssd configuration section:

[domain/MYDOMAIN]
debug_level = 7
min_id = 500
enumerate = true
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://ldapserver.mydomain
ldap_schema = rfc2307bis
ldap_user_search_base = dc=mydomain,dc=mytld
ldap_group_search_base = dc=d,dc=mydomain,dc=mytld
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_sasl_mech = gssapi
ldap_sasl_authid = spn/host@MYDOMAIN
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400
ldap_force_upper_case_realm = True
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = LoginShell
ldap_user_object_class = person
ldap_group_object_class = group
auth_provider = krb5
krb5_kdcip = mykdc
krb5_realm = MYDOMAIN
krb5_changepw_principle = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
Would you mind setting SSSD_KRB5_LOCATOR_DEBUG=1 and running SSSD interactively (sssd -i -d 9)? You should see some extra debug messages from the locator plugin that tell libkrb which KDCs to use. Also, the logs you posted indicate that the realm is "DOMAIN" but the example config says "MYDOMAIN"; I take it that is just a result of sanitizing the logs and the config file in two different ways?
Yup, sorry. It's just a result of sanitizing the logs.
Please provide the debug logs as mentioned in comment #2.
Here is the relevant logfile output:

(Fri Aug 6 09:17:31 2010) [sssd] [main] (7): ldap_child started.
(Fri Aug 6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): total buffer size: 69
(Fri Aug 6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): realm_str size: 9
(Fri Aug 6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): got realm_str: MYDOMAIN
(Fri Aug 6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): princ_str size: 28
(Fri Aug 6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): got princ_str: spn/host@MYDOMAIN
(Fri Aug 6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): keytab_name size: 16
(Fri Aug 6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): got keytab_name: /etc/krb5.keytab
(Fri Aug 6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): lifetime: 86400
(Fri Aug 6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [ldap_child_get_tgt_sync] (4): Principal name is: [spn/host@MYDOMAIN]
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
(Fri Aug 6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Cannot find KDC for requested realm
(Fri Aug 6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [main] (1): ldap_child_get_tgt_sync failed.
(Fri Aug 6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [read_pipe_handler] (6): EOF received, client finished
(Fri Aug 6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [sdap_get_tgt_recv] (6): Child responded: 14 [Bad address]
(Fri Aug 6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [sdap_kinit_done] (4): Could not get TGT: 14 [Ungültige Adresse]
(Fri Aug 6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [fo_set_port_status] (4): Marking port 389 of server 'server.mydomain' as 'not working'
(Fri Aug 6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [sdap_check_gssapi_reconnect] (7): Client principal name is: [spn/d.ethz.ch@MYDOMAIN]
(Fri Aug 6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [sdap_check_gssapi_reconnect] (1): krb5_cc_retrieve_cred failed.
(Fri Aug 6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [be_run_offline_cb] (3): Going offline. Running callbacks.
(Fri Aug 6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [ldap_id_enum_users_done] (1): Failed to enumerate users, retrying later!
(Fri Aug 6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [ldap_id_enumerate_set_timer] (6): Scheduling next enumeration at 1281079351.1615020
(Fri Aug 6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [child_sig_handler] (7): Waiting for child [1942].
(Fri Aug 6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [child_sig_handler] (4): child [1942] finished successfully.
(Fri Aug 6 09:17:32 2010) [sssd[be[MYDOMAIN]]] [remove_krb5_info_files] (5): Could not remove [/var/lib/sss/pubconf/kdcinfo.MYDOMAIN], [2][Datei oder Verzeichnis nicht gefunden]
(Fri Aug 6 09:17:32 2010) [sssd[be[MYDOMAIN]]] [remove_krb5_info_files] (5): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.MYDOMAIN], [2][Datei oder Verzeichnis nicht gefunden]
(Fri Aug 6 09:17:34 2010) [sssd[be[MYDOMAIN]]] [remove_krb5_info_files] (5): Could not remove [/var/lib/sss/pubconf/kdcinfo.MYDOMAIN], [2][Datei oder Verzeichnis nicht gefunden]
(Fri Aug 6 09:17:34 2010) [sssd[be[MYDOMAIN]]] [remove_krb5_info_files] (5): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.MYDOMAIN], [2][Datei oder Verzeichnis nicht gefunden]
(Fri Aug 6 09:17:41 2010) [sssd] [service_check_alive] (4): Checking service MYDOMAIN(1939) is still alive
(Fri Aug 6 09:17:41 2010) [sssd] [service_send_ping] (4): Pinging MYDOMAIN
(Fri Aug 6 09:17:41 2010) [sssd] [sbus_add_timeout] (8): 0x91857b8
(Fri Aug 6 09:17:41 2010) [sssd] [service_check_alive] (4): Checking service nss(1940) is still alive
(Fri Aug 6 09:17:41 2010) [sssd] [service_send_ping] (4): Pinging nss
(Fri Aug 6 09:17:41 2010) [sssd] [sbus_add_timeout] (8): 0x9194a70
(Fri Aug 6 09:17:41 2010) [sssd] [service_check_alive] (4): Checking service pam(1941) is still alive
(Fri Aug 6 09:17:41 2010) [sssd] [service_send_ping] (4): Pinging pam
(Fri Aug 6 09:17:41 2010) [sssd[nss]] [sbus_dispatch] (9):
(Fri Aug 6 09:17:41 2010) [sssd] [sbus_add_timeout] (8): dbus conn: 978FF58 0x9183c20
(Fri Aug 6 09:17:41 2010) [sssd[nss]] [sbus_dispatch] (9): Dispatching.
I think I have found the issue - we don't create the kdcinfo file for the krb5 plugin when using LDAP provider with GSSAPI. Marcus, one more question to be sure - you did *not* create the realm and KDCs in /etc/krb5.conf, correct?
(In reply to comment #6)
> Marcus, one more question to be sure - you did *not* create the realm and KDCs
> in /etc/krb5.conf, correct?

Sorry, poor wording, that should have read "...did not specify the realm and KDCs..."
Jakub, can you please tell us whether this can be easily fixed manually and / or is fixed in a newer release?
(In reply to comment #8)
> Jakub, can you please tell us whether this can be easily fixed manually and /
> or is fixed in a newer release?

The workaround is to specify the KDC and realm manually in /etc/krb5.conf. It is not fixed in a released sssd version yet; it will be fixed in the upcoming sssd-1.4 release (due end of September).
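To make the two discovery paths from comments #6 and #9 concrete, here is an added diagnostic script. It is not part of this bug report or of the sssd project; the function names (has_kdcinfo, realm_kdcs, kdc_source, demo), the sample KDC host names and the contents of the constructed kdcinfo file are assumptions for illustration. It checks, for a given realm, whether the sssd_krb5_locator plugin would find a kdcinfo.<REALM> file under /var/lib/sss/pubconf (the open() that fails with ENOENT in the ldap_child log above), and whether /etc/krb5.conf carries the manual workaround, a [realms] stanza with kdc = lines for that realm. Both paths are overridable so the script can be run against constructed files, which is what the demo function does.

```shell
#!/bin/sh
# Added example (not from this bug report or from the sssd project): a small
# diagnostic for the two ways libkrb5 can learn the KDC of a realm, as
# discussed in comments #6 and #9:
#   1. the sssd_krb5_locator plugin reading pubconf/kdcinfo.<REALM>, and
#   2. the manual workaround, a [realms] stanza with kdc = ... in krb5.conf.
# Function names and sample host names are hypothetical. Paths default to
# the real locations; override them to test against constructed files.

PUBCONF_DIR="${PUBCONF_DIR:-/var/lib/sss/pubconf}"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"

# has_kdcinfo REALM: true if a non-empty kdcinfo file exists for REALM,
# i.e. the locator plugin would have something to hand to libkrb5.
has_kdcinfo() {
    [ -s "$PUBCONF_DIR/kdcinfo.$1" ]
}

# realm_kdcs REALM: print each "kdc = ..." value from REALM's stanza in the
# [realms] section of krb5.conf, one per line; prints nothing if the
# file, the section, the stanza or the kdc lines are missing.
realm_kdcs() {
    [ -r "$KRB5_CONF" ] || return 0
    awk -v realm="$1" '
        /^[ \t]*\[/ { in_realms = ($1 == "[realms]"); in_stanza = 0; next }
        in_realms && !in_stanza && $1 == realm && $2 == "=" { in_stanza = 1; next }
        in_stanza && /[}]/ { in_stanza = 0; next }
        in_stanza && $1 == "kdc" && $2 == "=" { print $3 }
    ' "$KRB5_CONF"
}

# kdc_source REALM: report which discovery path would supply a KDC:
# "locator", "krb5.conf" or "none" (the state this bug report describes).
kdc_source() {
    if has_kdcinfo "$1"; then
        echo locator
    elif [ -n "$(realm_kdcs "$1")" ]; then
        echo krb5.conf
    else
        echo none
    fi
}

# demo: build constructed sample files in a temporary directory and show
# the three outcomes side by side (BROKEN has neither, FIXED has the
# krb5.conf workaround, LOCATOR has a kdcinfo file).
demo() {
    tmp=$(mktemp -d)
    PUBCONF_DIR="$tmp/pubconf"
    KRB5_CONF="$tmp/krb5.conf"
    mkdir -p "$PUBCONF_DIR"
    # constructed kdcinfo file: one KDC address for realm LOCATOR
    printf '192.0.2.10\n' > "$PUBCONF_DIR/kdcinfo.LOCATOR"
    # constructed krb5.conf carrying the comment #9 workaround for realm FIXED
    cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
 default_realm = FIXED

[realms]
 FIXED = {
  kdc = kdc1.example.test
  kdc = kdc2.example.test:88
  admin_server = kdc1.example.test
 }
EOF
    for realm in BROKEN FIXED LOCATOR; do
        printf '%-8s -> %s\n' "$realm" "$(kdc_source "$realm")"
    done
    rm -rf "$tmp"
}

demo
```

Running it prints one line per constructed realm; on a real host, set PUBCONF_DIR and KRB5_CONF to the live paths (or leave the defaults) and call kdc_source with the realm from the sssd.conf [domain] section to see whether a result of "none" explains a "Cannot find KDC for requested realm" failure.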
Ok, thanks.

Strange though: I'm testing the second beta of RHEL6 and I had the realm and KDCs in /etc/krb5.conf, but still sssd failed with the same errors as specified above.

Installing the most recent F13 version fixed things.
(In reply to comment #10)
> Ok, thanks.
>
> Strange though: I'm testing the second beta of RHEL6 and I had the realm and
> kdc's in /etc/krb5.conf, but still sssd failed with the same errors as
> specified above.
>
> Installing the most recent F13 version fixed things.

Hm, this indeed sounds strange. The whole problem is that SSSD does not fetch the KDC and realm data into libkrb. Specifying them in krb5.conf should do the trick. Nalin, do you have any suggestion? Are there any differences between RHEL6b2 and F13 in this behaviour?
(In reply to comment #10)
> Ok, thanks.
>
> Strange though: I'm testing the second beta of RHEL6 and I had the realm and
> kdc's in /etc/krb5.conf, but still sssd failed with the same errors as
> specified above.

Can you tell us the exact version of sssd in RHEL6 you're talking about? There was a version that had that issue, but I don't remember if we fixed it before or after the beta 2 cutoff.
It's sssd-1.2.0-12.el6.x86_64
Ok, that's what I thought. That was a known issue that was fixed in 1.2.1 and should be included in the final release of RHEL6.