Bug 621541 - Failed to init credentials
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: sssd (Show other bugs)
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
Blocks: 621963
Reported: 2010-08-05 08:40 EDT by Marcus Moeller
Modified: 2010-11-09 11:39 EST
Doc Type: Bug Fix
Last Closed: 2010-11-09 11:39:38 EST
Description Marcus Moeller 2010-08-05 08:40:26 EDT
Description of problem:
The LDAP provider forks a child process to make its kinit request. However, when the child attempts to perform the kinit, it gets an error from libkrb5 saying that it cannot find a KDC for the realm.

(Thu Aug  5 13:03:03 2010) [sssd[be[D]]] [sdap_kinit_send] (6): Attempting kinit (/etc/krb5.keytab, spn/host@DOMAIN, DOMAIN, 86400)
(Thu Aug  5 13:03:03 2010) [sssd[be[D]]] [create_tgt_req_send_buffer] (7): buffer size: 69
(Thu Aug  5 13:03:03 2010) [sssd[be[D]]] [set_tgt_child_timeout] (6): Setting 6 seconds timeout for tgt child
(Thu Aug  5 13:03:03 2010) [sssd[be[D]]] [write_pipe_handler] (6): All data has been sent!
(Thu Aug  5 13:03:03 2010) [sssd[be[D]]] [read_pipe_handler] (6): EOF received, client finished
(Thu Aug  5 13:03:03 2010) [sssd[be[D]]] [sdap_get_tgt_recv] (6): Child responded: 14 [Bad address]
(Thu Aug  5 13:03:03 2010) [sssd[be[D]]] [sdap_kinit_done] (4): Could not get TGT: 14 [Bad address]
(Thu Aug  5 13:03:03 2010) [sssd[be[D]]] [fo_set_port_status] (4): Marking port 389 of server 'SERVER' as 'not working'
(Thu Aug  5 13:03:03 2010) [sssd[be[D]]] [sdap_check_gssapi_reconnect] (7): Client principal name is: [spn/host@DOMAIN]
(Thu Aug  5 13:03:03 2010) [sssd[be[D]]] [sdap_check_gssapi_reconnect] (1): krb5_cc_retrieve_cred failed.

Aug  5 13:20:59 slabstb249 [sssd[ldap_child[1947]]]: Failed to initialize credentials using keytab [/etc/krb5.keytab]: Cannot find KDC for requested realm. Unable to create GSSAPI-encrypted LDAP connection.

Version-Release number of selected component (if applicable):
1.2.2
Comment 1 Marcus Moeller 2010-08-05 08:43:32 EDT
Here is the relevant sssd configuration section:

[domain/MYDOMAIN]
debug_level = 7
min_id = 500
enumerate = true
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://ldapserver.mydomain
ldap_schema = rfc2307bis
ldap_user_search_base = dc=mydomain,dc=mytld
ldap_group_search_base = dc=d,dc=mydomain,dc=mytld
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_sasl_mech = gssapi
ldap_sasl_authid = spn/host@MYDOMAIN
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400
ldap_force_upper_case_realm = True
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = LoginShell
ldap_user_object_class = person
ldap_group_object_class = group

auth_provider = krb5
krb5_kdcip = mykdc
krb5_realm = MYDOMAIN
krb5_changepw_principle = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
Comment 2 Jakub Hrozek 2010-08-05 09:44:35 EDT
Would you mind setting SSSD_KRB5_LOCATOR_DEBUG=1 and running SSSD interactively (sssd -i -d 9)? You should see some extra debug messages from the locator plugin that tells libkrb which KDCs to use.

Also, the logs you posted indicate that the realm is "DOMAIN" but the example config says "MYDOMAIN"; I take it that is just a result of sanitizing the logs and the config file in two different ways?
Comment 3 Marcus Moeller 2010-08-05 11:03:32 EDT
Yup, sorry. It's just a result of sanitizing the logs.
Comment 4 Dmitri Pal 2010-08-05 13:58:44 EDT
Please provide the debug logs as mentioned in comment #2.
Comment 5 Marcus Moeller 2010-08-06 03:21:04 EDT
Here is the relevant logfile output:

(Fri Aug  6 09:17:31 2010) [sssd] [main] (7): ldap_child started.
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): total buffer size: 69
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): realm_str size: 9
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): got realm_str: MYDOMAIN
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): princ_str size: 28
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): got princ_str: spn/host@MYDOMAIN
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): keytab_name size: 16
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): got keytab_name: /etc/krb5.keytab
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): lifetime: 86400
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [ldap_child_get_tgt_sync] (4): Principal name is: [spn/host@MYDOMAIN]
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Cannot find KDC for requested realm
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [main] (1): ldap_child_get_tgt_sync failed.
(Fri Aug  6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [read_pipe_handler] (6): EOF received, client finished
(Fri Aug  6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [sdap_get_tgt_recv] (6): Child responded: 14 [Bad address]
(Fri Aug  6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [sdap_kinit_done] (4): Could not get TGT: 14 [Ungültige Adresse]
(Fri Aug  6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [fo_set_port_status] (4): Marking port 389 of server 'server.mydomain' as 'not working'
(Fri Aug  6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [sdap_check_gssapi_reconnect] (7): Client principal name is: [spn/d.ethz.ch@MYDOMAIN]
(Fri Aug  6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [sdap_check_gssapi_reconnect] (1): krb5_cc_retrieve_cred failed.
(Fri Aug  6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [be_run_offline_cb] (3): Going offline. Running callbacks.
(Fri Aug  6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [ldap_id_enum_users_done] (1): Failed to enumerate users, retrying later!
(Fri Aug  6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [ldap_id_enumerate_set_timer] (6): Scheduling next enumeration at 1281079351.1615020
(Fri Aug  6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [child_sig_handler] (7): Waiting for child [1942].
(Fri Aug  6 09:17:31 2010) [sssd[be[MYDOMAIN]]] [child_sig_handler] (4): child [1942] finished successfully.
(Fri Aug  6 09:17:32 2010) [sssd[be[MYDOMAIN]]] [remove_krb5_info_files] (5): Could not remove [/var/lib/sss/pubconf/kdcinfo.MYDOMAIN], [2][Datei oder Verzeichnis nicht gefunden]
(Fri Aug  6 09:17:32 2010) [sssd[be[MYDOMAIN]]] [remove_krb5_info_files] (5): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.MYDOMAIN], [2][Datei oder Verzeichnis nicht gefunden]
(Fri Aug  6 09:17:34 2010) [sssd[be[MYDOMAIN]]] [remove_krb5_info_files] (5): Could not remove [/var/lib/sss/pubconf/kdcinfo.MYDOMAIN], [2][Datei oder Verzeichnis nicht gefunden]
(Fri Aug  6 09:17:34 2010) [sssd[be[MYDOMAIN]]] [remove_krb5_info_files] (5): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.MYDOMAIN], [2][Datei oder Verzeichnis nicht gefunden]
(Fri Aug  6 09:17:41 2010) [sssd] [service_check_alive] (4): Checking service MYDOMAIN(1939) is still alive
(Fri Aug  6 09:17:41 2010) [sssd] [service_send_ping] (4): Pinging MYDOMAIN
(Fri Aug  6 09:17:41 2010) [sssd] [sbus_add_timeout] (8): 0x91857b8
(Fri Aug  6 09:17:41 2010) [sssd] [service_check_alive] (4): Checking service nss(1940) is still alive
(Fri Aug  6 09:17:41 2010) [sssd] [service_send_ping] (4): Pinging nss
(Fri Aug  6 09:17:41 2010) [sssd] [sbus_add_timeout] (8): 0x9194a70
(Fri Aug  6 09:17:41 2010) [sssd] [service_check_alive] (4): Checking service pam(1941) is still alive
(Fri Aug  6 09:17:41 2010) [sssd] [service_send_ping] (4): Pinging pam
(Fri Aug  6 09:17:41 2010) [sssd[nss]] [sbus_dispatch] (9): (Fri Aug  6 09:17:41 2010) [sssd] [sbus_add_timeout] (8): dbus conn: 978FF58
0x9183c20
(Fri Aug  6 09:17:41 2010) [sssd[nss]] [sbus_dispatch] (9): Dispatching.
Comment 6 Jakub Hrozek 2010-08-06 12:08:32 EDT
I think I have found the issue - we don't create the kdcinfo file for the krb5 plugin when using LDAP provider with GSSAPI.

Marcus, one more question to be sure - you did *not* create the realm and KDCs in /etc/krb5.conf, correct?
Comment 7 Jakub Hrozek 2010-08-06 12:10:44 EDT
(In reply to comment #6)
> Marcus, one more question to be sure - you did *not* create the realm and KDCs
> in /etc/krb5.conf, correct?

Sorry, poor wording, that should have read "...did not specify the realm and KDCs..."
Comment 8 Maxim Burgerhout 2010-08-26 07:58:49 EDT
Jakub, can you please tell us whether this can be easily fixed manually and / or is fixed in a newer release?
Comment 9 Jakub Hrozek 2010-08-26 08:18:50 EDT
(In reply to comment #8)
> Jakub, can you please tell us whether this can be easily fixed manually and /
> or is fixed in a newer release?

The workaround is to specify the KDC and realm manually in /etc/krb5.conf.

It is not fixed in a released sssd version yet, it will be fixed in the upcoming sssd-1.4 release (due end of September).
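A small triage helper for the failure discussed in this bug, added here as an example (it is not code from the bug report or from SSSD): it recognises the ldap_child/locator signature from comment 5 and then checks whether the realm has a kdc entry in krb5.conf, which is the workaround from comment 9. The log lines and krb5.conf fragments are constructed to mirror the thread; the krb5.conf parser is a minimal one written for this example.

```python
import re
# Constructed sample input modelled on the ldap_child debug output in comment 5.
SAMPLE_LOG = """\
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [unpack_buffer] (7): got realm_str: MYDOMAIN
[sssd_krb5_locator] open failed [2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
(Fri Aug  6 09:17:31 2010) [[sssd[ldap_child[1942]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Cannot find KDC for requested realm
"""
# Constructed krb5.conf fragments: no realm stanza, then the comment 9 workaround.
CONF_WITHOUT_KDC = "[libdefaults]\n default_realm = MYDOMAIN\n"
CONF_WITH_KDC = CONF_WITHOUT_KDC + "[realms]\n MYDOMAIN = {\n  kdc = mykdc\n }\n"

REALM_RE = re.compile(r"got realm_str: (\S+)")
LOCATOR_ENOENT_RE = re.compile(r"\[sssd_krb5_locator\] open failed \[2\]")
NO_KDC_RE = re.compile(r"Cannot find KDC for requested realm")

def matches_bug_signature(log_text):
    """Realm name if the locator plugin could not open its kdcinfo file (errno 2)
    and libkrb5 then failed KDC discovery; None otherwise."""
    realm = REALM_RE.search(log_text)
    if realm and LOCATOR_ENOENT_RE.search(log_text) and NO_KDC_RE.search(log_text):
        return realm.group(1)
    return None

def realm_kdcs(conf_text, realm):
    """kdc = values for `realm` from the krb5.conf [realms] section.
    Minimal parser for the 'REALM = { ... }' stanza form; # comments dropped."""
    section, in_realm, kdcs = None, False, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, in_realm = line[1:-1].lower(), False
        elif section == "realms" and line.endswith("{"):
            in_realm = line[:-1].strip(" =") == realm
        elif line == "}":
            in_realm = False
        elif in_realm:
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                kdcs.append(value.strip())
    return kdcs

def triage(log_text, conf_text):
    """'other', 'missing-kdc' (this bug, no workaround) or 'configured-kdc' (comment 10 case)."""
    realm = matches_bug_signature(log_text)
    if realm is None:
        return "other"
    return "configured-kdc" if realm_kdcs(conf_text, realm) else "missing-kdc"
```

Run `triage(SAMPLE_LOG, CONF_WITHOUT_KDC)` to get `missing-kdc`; the same log against `CONF_WITH_KDC` yields `configured-kdc`, the situation comment 10 describes, which points at the sssd package version rather than at krb5.conf.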
Comment 10 Maxim Burgerhout 2010-08-26 08:42:38 EDT
Ok, thanks.

Strange though: I'm testing the second beta of RHEL6 and I had the realm and KDCs in /etc/krb5.conf, but still sssd failed with the same errors as specified above.

Installing the most recent F13 version fixed things.
Comment 11 Jakub Hrozek 2010-08-26 09:01:18 EDT
(In reply to comment #10)
> Ok, thanks.
> 
> Strange though: I'm testing the second beta of RHEL6 and I had the realm and
> kdc's in /etc/krb5.conf, but still sssd failed with the same errors as
> specified above.
> 
> Installing the most recent F13 version fixed things.

Hm, this indeed sounds strange. The whole problem is that SSSD does not fetch the KDC and realm data into libkrb. Specifying them in krb5.conf should do the trick.

Nalin, do you have any suggestion? Are there any differences between RHEL6b2 and F13 in this behaviour?
Comment 12 Stephen Gallagher 2010-08-26 09:09:44 EDT
(In reply to comment #10)
> Ok, thanks.
> 
> Strange though: I'm testing the second beta of RHEL6 and I had the realm and
> kdc's in /etc/krb5.conf, but still sssd failed with the same errors as
> specified above.

Can you tell us the exact version of sssd in RHEL6 you're talking about? There was a version that had that issue, but I don't remember if we fixed it before or after the beta 2 cutoff.
Comment 13 Maxim Burgerhout 2010-08-26 09:26:56 EDT
It's sssd-1.2.0-12.el6.x86_64
Comment 14 Stephen Gallagher 2010-08-26 09:29:36 EDT
Ok, that's what I thought. That was a known issue that was fixed in 1.2.1 and should be included in the final release of RHEL6.