Bug 698723 - kpasswd fails when using sssd and kadmin server != kdc server
Summary: kpasswd fails when using sssd and kadmin server != kdc server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 697057 698724
Blocks:
Reported: 2011-04-21 15:40 UTC by Stephen Gallagher
Modified: 2020-05-04 10:20 UTC (History)

Fixed In Version: sssd-1.5.1-36.el6
Doc Type: Bug Fix
Doc Text:
Cause: SSSD only informed the Kerberos library about the IP address of the password-change server when the password change request came through the pam_sss module. Consequence: Tools that talk directly to the password-change servers, such as kpasswd, were unable to operate. Fix: SSSD always passes the IP addresses of password-change servers to the Kerberos library. Result: Tools such as kpasswd now work correctly with SSSD.
Clone Of: 697057
Environment:
Last Closed: 2011-12-06 16:38:08 UTC
Target Upstream Version:
Embargoed:




Links:
Github SSSD/sssd issue 2065 (not private; priority: none; status: closed): "kpasswd fails when using sssd and kadmin server != kdc server"; last updated 2020-05-18 19:07:37 UTC
Red Hat Product Errata RHBA-2011:1529 (not private; priority: normal; status: SHIPPED_LIVE): "sssd bug fix and enhancement update"; last updated 2011-12-06 00:50:20 UTC

Description Stephen Gallagher 2011-04-21 15:40:21 UTC
+++ This bug was initially created as a clone of Bug #697057 +++

Description of problem:
kpasswd fails with the error: "kpasswd: Cannot contact any KDC for requested realm changing password" if sssd is used with krb backend and the kadmin service is not running on the KDCs.

Version-Release number of selected component (if applicable):
sssd-1.5.4-1.fc14
krb5-workstation-1.8.2-9.fc14

How reproducible:
Almost every time, predictable.

Steps to Reproduce:
1. System with sssd using krb5 as auth backend. kpasswd service on a different server to the KDC
2. Run 'kpasswd' as a user
3. Enter passwords
  
Actual results:
"kpasswd: Cannot contact any KDC for requested realm changing password"

Expected results:
kpasswd sends a change password request to the kadmin server.

Additional info:
kpasswd looks for /var/lib/sss/pubconf/kdcinfo.$REALM; if it is not found, it falls back to the traditional method of using /etc/krb5.conf and then a DNS lookup, which works.

If kdcinfo.$REALM exists, kpasswd then looks for /var/lib/sss/pubconf/kpasswdinfo.$REALM, which never gets created. kpasswd then uses the addresses from kdcinfo.$REALM as the kadmin server, which isn't running the kpasswd service. Hence it fails.

The file in /var/lib/sss/pubconf/ is only created after sssd-krb5 is poked in the right way, e.g. an auth attempt. After restarting sssd the directory is empty.

/etc/sssd/sssd.conf contains:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
cache_credentials = True
debug_level = 0
id_provider = ldap
ldap_uri = ldaps://ldap-auth.mydomain
ldap_id_use_start_tls = False
ldap_search_base = dc=decisionsoft,dc=com
chpass_provider = krb5
auth_provider = krb5
krb5_realm = MYREALM
# password-change (kadmin/kpasswd) server: a different host from the KDC below
krb5_kpasswd = kerberos-master.mydomain
# KDC; SSSD writes this address to /var/lib/sss/pubconf/kdcinfo.MYREALM after an auth attempt
krb5_server = kerberos.mydomain
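
To make the lookup order from the "Additional info" section concrete, here is an added Python checker; it is example code written for this page, not SSSD's or MIT krb5's own locator code. It models exactly the three cases the report describes (no kdcinfo file: krb5.conf/DNS fallback; kdcinfo plus kpasswdinfo: use kpasswdinfo; kdcinfo only: the KDC addresses are wrongly used for kpasswd) and flags the last case as the misdirection this bug is about when krb5_kpasswd and krb5_server name different hosts. It assumes the pubconf files hold one address per line (an assumption, not stated on the page), and the IP addresses it writes are constructed sample values.

```python
"""Model the kdcinfo/kpasswdinfo lookup order described in the bug report.

Added example, not SSSD or krb5 code. Assumption (not from the page): each
pubconf file holds one "host:port" (or "host") entry per line.
"""
import os
import tempfile
from typing import Dict, List, Tuple

KDCINFO = "kdcinfo.{realm}"
KPASSWDINFO = "kpasswdinfo.{realm}"


def _read_addresses(path: str) -> List[str]:
    """Return the non-empty, non-comment lines of a pubconf file."""
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]


def resolve_kpasswd_servers(pubconf_dir: str, realm: str) -> Tuple[str, List[str]]:
    """Return (source, addresses) for where kpasswd would be pointed.

    Follows the order in the report: no kdcinfo -> ("fallback", []) meaning
    krb5.conf/DNS; kdcinfo + kpasswdinfo -> kpasswdinfo addresses; kdcinfo
    only -> the KDC addresses, which is the behaviour the bug complains about.
    """
    kdcinfo = os.path.join(pubconf_dir, KDCINFO.format(realm=realm))
    kpasswdinfo = os.path.join(pubconf_dir, KPASSWDINFO.format(realm=realm))
    if not os.path.exists(kdcinfo):
        return ("fallback", [])
    if os.path.exists(kpasswdinfo):
        return ("kpasswdinfo", _read_addresses(kpasswdinfo))
    return ("kdcinfo", _read_addresses(kdcinfo))


def check_realm(pubconf_dir: str, realm: str, krb5_server: str, krb5_kpasswd: str) -> str:
    """Give a one-line verdict on whether kpasswd would reach the right host."""
    source, addrs = resolve_kpasswd_servers(pubconf_dir, realm)
    joined = ", ".join(addrs) or "(none)"
    if source == "fallback":
        return "FALLBACK: no %s; kpasswd will use krb5.conf and DNS" % KDCINFO.format(realm=realm)
    if source == "kpasswdinfo":
        return "OK: kpasswd will use %s from %s" % (joined, KPASSWDINFO.format(realm=realm))
    if krb5_kpasswd == krb5_server:
        return "OK: kpasswd will use KDC address(es) %s, which also serve kpasswd" % joined
    return ("MISDIRECTED: kpasswd will use KDC address(es) %s from %s, but the "
            "password server is %s" % (joined, KDCINFO.format(realm=realm), krb5_kpasswd))


def build_pubconf(files: Dict[str, List[str]]) -> str:
    """Write constructed pubconf files into a fresh temp dir and return its path."""
    pubconf = tempfile.mkdtemp(prefix="pubconf-")
    for name, lines in files.items():
        with open(os.path.join(pubconf, name), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return pubconf


def demo() -> str:
    """Reproduce the reported scenario: SSSD wrote kdcinfo.MYREALM after an
    auth attempt but never kpasswdinfo.MYREALM, with the hosts from the
    sssd.conf in the report. 192.0.2.10 is a constructed KDC address."""
    pubconf = build_pubconf({"kdcinfo.MYREALM": ["192.0.2.10:88"]})
    return check_realm(pubconf, "MYREALM", "kerberos.mydomain", "kerberos-master.mydomain")


if __name__ == "__main__":
    print(demo())
```

Running the script prints a MISDIRECTED verdict for the reporter's configuration; once a kpasswdinfo.MYREALM file is present (which the fix in sssd-1.5.1-36.el6 makes SSSD write unconditionally), the same checker reports OK.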

Comment 3 Kaushik Banerjee 2011-09-07 16:20:59 UTC
Verified in build:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 49.el6                        Build Date: Mon 29 Aug 2011 08:26:38 PM IST
Install Date: Wed 31 Aug 2011 07:01:44 AM IST      Build Host: x86-010.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-49.el6.src.rpm
Size        : 3549339                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Comment 4 Jakub Hrozek 2011-10-26 08:08:11 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1023

Comment 5 Jakub Hrozek 2011-10-26 16:16:02 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: SSSD only informed the Kerberos library about the IP address of the password-change server when the password change request came through the pam_sss module.
Consequence: Tools that talk directly to the password-change servers, such as kpasswd, were unable to operate.
Fix: SSSD always passes the IP addresses of password-change servers to the Kerberos library.
Result: Tools such as kpasswd now work correctly with SSSD.

Comment 6 errata-xmlrpc 2011-12-06 16:38:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html

