DescriptionStephen Gallagher
2011-04-21 15:41:01 UTC
+++ This bug was initially created as a clone of Bug #697057 +++
Description of problem:
kpasswd fails with the error: "kpasswd: Cannot contact any KDC for requested realm changing password" if sssd is used with krb backend and the kadmin service is not running on the KDCs.
Version-Release number of selected component (if applicable):
sssd-1.5.4-1.fc14
krb5-workstation-1.8.2-9.fc14
How reproducible:
Almost every time, predictable.
Steps to Reproduce:
1. System with sssd using krb5 as auth backend. kpasswd service on a different server to the KDC
2. Run 'kpasswd' as a user
3. Enter passwords
Actual results:
"kpasswd: Cannot contact any KDC for requested realm changing password"
Expected results:
kpasswd sends a change password request to the kadmin server.
Additional info:
kpasswd is looking for /var/lib/sss/pubconf/kdcinfo.$REALM, if not found it falls back to the traditional method of using /etc/krb5.conf and then DNS lookup. Which works.
If kdcinfo.$REALM exists, kpasswd then looks for /var/lib/sss/pubconf/kpasswdinfo.$REALM, which never gets created. kpasswd uses the addresses from kdcinfo.$REALM as the kadmin server, which isn't running the kpasswd service. Hence fail.
The file in /var/lib/sss/pubconf/ is only created after sssd-krb5 is poked in the right way, e.g. an auth attempt. After restarting sssd the directory is empty.
/etc/sssd/sssd.conf contains:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
cache_credentials = True
debug_level = 0
id_provider = ldap
ldap_uri = ldaps://ldap-auth.mydomain
ldap_id_use_start_tls = False
ldap_search_base = dc=decisionsoft,dc=com
chpass_provider = krb5
auth_provider = krb5
krb5_realm = MYREALM
krb5_kpasswd = kerberos-master.mydomain
krb5_server = kerberos.mydomain
Comment 1Stephen Gallagher
2011-09-30 12:53:19 UTC
Verified in version:
# rpm -qi sssd | head
Name : sssd Relocations: (not relocatable)
Version : 1.5.1 Vendor: Red Hat, Inc.
Release : 47.el5 Build Date: Tue 13 Dec 2011 07:19:10 PM IST
Install Date: Wed 14 Dec 2011 12:37:28 PM IST Build Host: x86-007.build.bos.redhat.com
Group : Applications/System Source RPM: sssd-1.5.1-47.el5.src.rpm
Size : 3679892 License: GPLv3+
Signature : (none)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://fedorahosted.org/sssd/
Summary : System Security Services Daemon
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2012-0164.html