Bug 698724 - kpasswd fails when using sssd and kadmin server != kdc server
kpasswd fails when using sssd and kadmin server != kdc server
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sssd (Show other bugs)
5.7
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Stephen Gallagher
Chandrasekar Kannan
:
Depends On: 697057
Blocks: 698723
  Show dependency treegraph
 
Reported: 2011-04-21 11:41 EDT by Stephen Gallagher
Modified: 2015-01-04 18:48 EST (History)
11 users (show)

See Also:
Fixed In Version: sssd-1.5.1-38.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 697057
Environment:
Last Closed: 2012-02-21 01:22:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Stephen Gallagher 2011-04-21 11:41:01 EDT
+++ This bug was initially created as a clone of Bug #697057 +++

Description of problem:
kpasswd fails with the error: "kpasswd: Cannot contact any KDC for requested realm changing password" if sssd is used with krb backend and the kadmin service is not running on the KDCs.

Version-Release number of selected component (if applicable):
sssd-1.5.4-1.fc14
krb5-workstation-1.8.2-9.fc14

How reproducible:
Almost every time, predictable.

Steps to Reproduce:
1. System with sssd using krb5 as auth backend. kpasswd service on a different server to the KDC
2. Run 'kpasswd' as a user
3. Enter passwords
  
Actual results:
"kpasswd: Cannot contact any KDC for requested realm changing password"

Expected results:
kpasswd sends a change password request to the kadmin server.

Additional info:
kpasswd is looking for /var/lib/sss/pubconf/kdcinfo.$REALM, if not found it falls back to the traditional method of using /etc/krb5.conf and then DNS lookup. Which works.

If kdcinfo.$REALM exists, kpasswd then looks for /var/lib/sss/pubconf/kpasswdinfo.$REALM, which never gets created. kpasswd uses the addresses from kdcinfo.$REALM as the kadmin server, which isn't running the kpasswd service. Hence fail.

The file in /var/lib/sss/pubconf/ is only created after sssd-krb5 is poked in the right way, e.g. an auth attempt. After restarting sssd the directory is empty.

/etc/sssd/sssd.conf contains:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
cache_credentials = True
debug_level = 0
id_provider = ldap
ldap_uri = ldaps://ldap-auth.mydomain
ldap_id_use_start_tls = False
ldap_search_base = dc=decisionsoft,dc=com
chpass_provider = krb5
auth_provider = krb5
krb5_realm = MYREALM
krb5_kpasswd = kerberos-master.mydomain
krb5_server = kerberos.mydomain
Comment 1 Stephen Gallagher 2011-09-30 08:53:19 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1023
Comment 3 Kaushik Banerjee 2011-12-21 05:49:40 EST
Verified in version:

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 47.el5                        Build Date: Tue 13 Dec 2011 07:19:10 PM IST
Install Date: Wed 14 Dec 2011 12:37:28 PM IST      Build Host: x86-007.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-47.el5.src.rpm
Size        : 3679892                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 4 errata-xmlrpc 2012-02-21 01:22:42 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0164.html

Note You need to log in before you can comment on or make changes to this bug.