Hide Forgot
+++ This bug was initially created as a clone of Bug #697057 +++ Description of problem: kpasswd fails with the error: "kpasswd: Cannot contact any KDC for requested realm changing password" if sssd is used with krb backend and the kadmin service is not running on the KDCs. Version-Release number of selected component (if applicable): sssd-1.5.4-1.fc14 krb5-workstation-1.8.2-9.fc14 How reproducible: Almost every time, predictable. Steps to Reproduce: 1. System with sssd using krb5 as auth backend. kpasswd service on a different server to the KDC 2. Run 'kpasswd' as a user 3. Enter passwords Actual results: "kpasswd: Cannot contact any KDC for requested realm changing password" Expected results: kpasswd sends a change password request to the kadmin server. Additional info: kpasswd is looking for /var/lib/sss/pubconf/kdcinfo.$REALM, if not found it falls back to the traditional method of using /etc/krb5.conf and then DNS lookup. Which works. If kdcinfo.$REALM exists, kpasswd then looks for /var/lib/sss/pubconf/kpasswdinfo.$REALM, which never gets created. kpasswd uses the addresses from kdcinfo.$REALM as the kadmin server, which isn't running the kpasswd service. Hence fail. The file in /var/lib/sss/pubconf/ is only created after sssd-krb5 is poked in the right way, e.g. an auth attempt. After restarting sssd the directory is empty. /etc/sssd/sssd.conf contains: [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = default [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/default] cache_credentials = True debug_level = 0 id_provider = ldap ldap_uri = ldaps://ldap-auth.mydomain ldap_id_use_start_tls = False ldap_search_base = dc=decisionsoft,dc=com chpass_provider = krb5 auth_provider = krb5 krb5_realm = MYREALM krb5_kpasswd = kerberos-master.mydomain krb5_server = kerberos.mydomain
Verified in build: # rpm -qi sssd | head Name : sssd Relocations: (not relocatable) Version : 1.5.1 Vendor: Red Hat, Inc. Release : 49.el6 Build Date: Mon 29 Aug 2011 08:26:38 PM IST Install Date: Wed 31 Aug 2011 07:01:44 AM IST Build Host: x86-010.build.bos.redhat.com Group : Applications/System Source RPM: sssd-1.5.1-49.el6.src.rpm Size : 3549339 License: GPLv3+ Signature : (none) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL : http://fedorahosted.org/sssd/ Summary : System Security Services Daemon
Upstream ticket: https://fedorahosted.org/sssd/ticket/1023
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Cause: SSSD only informed the Kerberos library about the IP address of the password-change server when the password change request came through the pam_sss module. Consequence: Tools that talk directly to the password-change servers such as kpasswd were unable to operate. Fix: SSSD always passes the IP addresses of password change servers to the Kerberos library Result: Tools such as kpasswd work correctly with SSSD now.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1529.html