+++ This bug was initially created as a clone of Bug #697057 +++ Description of problem: kpasswd fails with the error: "kpasswd: Cannot contact any KDC for requested realm changing password" if sssd is used with krb backend and the kadmin service is not running on the KDCs. Version-Release number of selected component (if applicable): sssd-1.5.4-1.fc14 krb5-workstation-1.8.2-9.fc14 How reproducible: Almost every time, predictable. Steps to Reproduce: 1. System with sssd using krb5 as auth backend. kpasswd service on a different server to the KDC 2. Run 'kpasswd' as a user 3. Enter passwords Actual results: "kpasswd: Cannot contact any KDC for requested realm changing password" Expected results: kpasswd sends a change password request to the kadmin server. Additional info: kpasswd is looking for /var/lib/sss/pubconf/kdcinfo.$REALM, if not found it falls back to the traditional method of using /etc/krb5.conf and then DNS lookup. Which works. If kdcinfo.$REALM exists, kpasswd then looks for /var/lib/sss/pubconf/kpasswdinfo.$REALM, which never gets created. kpasswd uses the addresses from kdcinfo.$REALM as the kadmin server, which isn't running the kpasswd service. Hence fail. The file in /var/lib/sss/pubconf/ is only created after sssd-krb5 is poked in the right way, e.g. an auth attempt. After restarting sssd the directory is empty. /etc/sssd/sssd.conf contains: [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = default [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/default] cache_credentials = True debug_level = 0 id_provider = ldap ldap_uri = ldaps://ldap-auth.mydomain ldap_id_use_start_tls = False ldap_search_base = dc=decisionsoft,dc=com chpass_provider = krb5 auth_provider = krb5 krb5_realm = MYREALM krb5_kpasswd = kerberos-master.mydomain krb5_server = kerberos.mydomain
Upstream ticket: https://fedorahosted.org/sssd/ticket/1023
Verified in version: # rpm -qi sssd | head Name : sssd Relocations: (not relocatable) Version : 1.5.1 Vendor: Red Hat, Inc. Release : 47.el5 Build Date: Tue 13 Dec 2011 07:19:10 PM IST Install Date: Wed 14 Dec 2011 12:37:28 PM IST Build Host: x86-007.build.bos.redhat.com Group : Applications/System Source RPM: sssd-1.5.1-47.el5.src.rpm Size : 3679892 License: GPLv3+ Signature : (none) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL : http://fedorahosted.org/sssd/ Summary : System Security Services Daemon
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0164.html