Bug 698723 - kpasswd fails when using sssd and kadmin server != kdc server
kpasswd fails when using sssd and kadmin server != kdc server
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd (Show other bugs)
6.1
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Stephen Gallagher
Chandrasekar Kannan
:
Depends On: 697057 698724
Blocks:
  Show dependency treegraph
 
Reported: 2011-04-21 11:40 EDT by Stephen Gallagher
Modified: 2015-01-04 18:48 EST (History)
11 users (show)

See Also:
Fixed In Version: sssd-1.5.1-36.el6
Doc Type: Bug Fix
Doc Text:
Cause: SSSD only informed the Kerberos library about the IP address of the password-change server when the password change request came through the pam_sss module. Consequence: Tools that talk directly to the password-change servers such as kpasswd were unable to operate. Fix: SSSD always passes the IP addresses of password change servers to the Kerberos library Result: Tools such as kpasswd work correctly with SSSD now.
Story Points: ---
Clone Of: 697057
Environment:
Last Closed: 2011-12-06 11:38:08 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Stephen Gallagher 2011-04-21 11:40:21 EDT
+++ This bug was initially created as a clone of Bug #697057 +++

Description of problem:
kpasswd fails with the error: "kpasswd: Cannot contact any KDC for requested realm changing password" if sssd is used with krb backend and the kadmin service is not running on the KDCs.

Version-Release number of selected component (if applicable):
sssd-1.5.4-1.fc14
krb5-workstation-1.8.2-9.fc14

How reproducible:
Almost every time, predictable.

Steps to Reproduce:
1. System with sssd using krb5 as auth backend. kpasswd service on a different server to the KDC
2. Run 'kpasswd' as a user
3. Enter passwords
  
Actual results:
"kpasswd: Cannot contact any KDC for requested realm changing password"

Expected results:
kpasswd sends a change password request to the kadmin server.

Additional info:
kpasswd is looking for /var/lib/sss/pubconf/kdcinfo.$REALM, if not found it falls back to the traditional method of using /etc/krb5.conf and then DNS lookup. Which works.

If kdcinfo.$REALM exists, kpasswd then looks for /var/lib/sss/pubconf/kpasswdinfo.$REALM, which never gets created. kpasswd uses the addresses from kdcinfo.$REALM as the kadmin server, which isn't running the kpasswd service. Hence fail.

The file in /var/lib/sss/pubconf/ is only created after sssd-krb5 is poked in the right way, e.g. an auth attempt. After restarting sssd the directory is empty.

/etc/sssd/sssd.conf contains:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
cache_credentials = True
debug_level = 0
id_provider = ldap
ldap_uri = ldaps://ldap-auth.mydomain
ldap_id_use_start_tls = False
ldap_search_base = dc=decisionsoft,dc=com
chpass_provider = krb5
auth_provider = krb5
krb5_realm = MYREALM
krb5_kpasswd = kerberos-master.mydomain
krb5_server = kerberos.mydomain
Comment 3 Kaushik Banerjee 2011-09-07 12:20:59 EDT
Verified in build:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 49.el6                        Build Date: Mon 29 Aug 2011 08:26:38 PM IST
Install Date: Wed 31 Aug 2011 07:01:44 AM IST      Build Host: x86-010.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-49.el6.src.rpm
Size        : 3549339                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 4 Jakub Hrozek 2011-10-26 04:08:11 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1023
Comment 5 Jakub Hrozek 2011-10-26 12:16:02 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: SSSD only informed the Kerberos library about the IP address of the password-change server when the password change request came through the pam_sss module.
Consequence: Tools that talk directly to the password-change servers such as kpasswd were unable to operate.
Fix: SSSD always passes the IP addresses of password change servers to the Kerberos library
Result: Tools such as kpasswd work correctly with SSSD now.
Comment 6 errata-xmlrpc 2011-12-06 11:38:08 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html

Note You need to log in before you can comment on or make changes to this bug.