Bug 880546 - krb5_kpasswd failover doesn't work
krb5_kpasswd failover doesn't work
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd (Show other bugs)
6.4
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Jakub Hrozek
Kaushik Banerjee
: Regression
Depends On:
Blocks: 888457
  Show dependency treegraph
 
Reported: 2012-11-27 04:56 EST by Kaushik Banerjee
Modified: 2013-02-21 04:41 EST (History)
4 users (show)

See Also:
Fixed In Version: sssd-1.9.2-41.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 04:41:21 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Kaushik Banerjee 2012-11-27 04:56:44 EST
Description of problem:
krb5_kpasswd failover doesn't work

Version-Release number of selected component (if applicable):
sssd-1.9.2-25.el6

How reproducible:
Always

Steps to Reproduce:
1. domain section of sssd.conf includes:
auth_provider = krb5
krb5_server = kdc.example.com:12345,kdc.example.com:88
krb5_kpasswd = kdc.example.com:12345,kdc.example.com:464

2. Try to login and change the user's password
# ssh -l puser1 localhost
puser1@localhost's password:
Last login: Tue Nov 27 14:46:43 2012 from localhost
-sh-4.1$ passwd
Changing password for user puser1.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error
-sh-4.1$

  
Actual results:
Password change fails as sssd is unable to failover.

/var/log/secure shows:
Nov 27 14:51:56 dhcp201-200 passwd: pam_sss(passwd:chauthtok): system info: [Cannot contact any KDC for requested realm]
Nov 27 14:51:56 dhcp201-200 passwd: pam_sss(passwd:chauthtok): Password change failed for user puser1: 22 (Authentication token lock busy)

/var/log/sssd/sssd_domain.log shows:
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [parse_krb5_child_response] (0x1000): child response [22][1][43].
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_fo_set_port_status] (0x0040): The server (nil) is not valid anymore, cannot set its status
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KPASSWD'
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [get_server_status] (0x1000): Status of server 'kdc.example.com' is 'name resolved'
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [get_server_status] (0x1000): Status of server 'kdc.example.com' is 'name resolved'
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_process] (0x0040): The fail over cycled through all available servers
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_resolve_server_done] (0x1000): Server resolution failed: 2
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [check_wait_queue] (0x1000): Wait queue for user [puser1] is empty.
(Tue Nov 27 14:51:56 2012) [sssd[be[LDAP-KRB5]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 22, <NULL>) [Success]

Expected results:
krb5_kpasswd failover should work.

Additional info:
Comment 2 Jakub Hrozek 2012-11-29 12:19:50 EST
Michal could reproduce.
Comment 3 Jakub Hrozek 2012-11-29 12:23:27 EST
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1680
Comment 6 Kaushik Banerjee 2012-12-31 03:06:26 EST
Verified in version 1.9.2-59

Report from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: failover-krb5_kpasswd_001 Server1 down, Server2 online
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Stopping KDC and KADMIND on SERVER1 and sleeping for 1 second
:: [   PASS   ] :: Authentication successful, as expected
:: [   PASS   ] :: Running 'auth_success puser1 NewPass_123'
:: [   LOG    ] :: Starting KDC and KADMIND on SERVER1 and sleeping for 5 seconds
:: [   LOG    ] :: Duration: 12s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: failover-krb5_kpasswd_001 Server1 down, Server2 online

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: failover-krb5_kpasswd_002 Failover with single server different ports
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Sleeping for 5 seconds
:: [   PASS   ] :: Authentication successful, as expected
:: [   PASS   ] :: Running 'auth_success puser1 NewPass_123'
:: [   LOG    ] :: Duration: 11s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: failover-krb5_kpasswd_002 Failover with single server different ports
Comment 7 errata-xmlrpc 2013-02-21 04:41:21 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html

Note You need to log in before you can comment on or make changes to this bug.