Hi,

the attached patch expands the error checks performed when obtaining a Kerberos ticket in
the ipasam module. The change should cover the observed corner cases which
caused ipasam to fail to obtain the ticket.

Without the patch one will get something similar to what I get below
when manually moving time back on the server (with additional debug
statements to show error codes):
Nov 20 14:01:29 signfinity winbindd[15759]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
Nov 20 14:01:29 signfinity winbindd[15759]: [2012/11/20 14:01:29.616951, 0] ipa_sam.c:3829(bind_callback)
Nov 20 14:01:29 signfinity winbindd[15759]:   bind_callback: ldap_sasl_interactive_bind_s() call returned -2, kerberos code is 0
Nov 20 14:01:29 signfinity winbindd[15759]: [2012/11/20 14:01:29.618787, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
Nov 20 14:01:29 signfinity winbindd[15759]:   failed to bind to server ldapi://%2fvar%2frun%2fslapd-IPA-TEAM.socket with dn="[Anonymous bind]" Error: Local error
Nov 20 14:01:29 signfinity winbindd[15759]:   #011SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid

After patching it now looks like this:
Nov 20 15:00:04 signfinity winbindd[18693]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
Nov 20 15:00:04 signfinity winbindd[18693]: [2012/11/20 15:00:04.403051, 0] ipa_sam.c:3829(bind_callback)
Nov 20 15:00:04 signfinity winbindd[18693]:   bind_callback: ldap_sasl_interactive_bind_s() call returned -2, kerberos code is 0
Nov 20 15:00:20 signfinity winbindd[18693]: [2012/11/20 15:00:20.090270, 0] ipa_sam.c:3829(bind_callback)
Nov 20 15:00:20 signfinity winbindd[18693]:   bind_callback: ldap_sasl_interactive_bind_s() call returned 0, kerberos code is 0

As you can see, winbindd has recovered automatically.

--
/ Alexander Bokovoy
From a6159484e0c3f1533df2b222e66b7418ee55f309 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 20 Nov 2012 15:18:50 +0200
Subject: [PATCH] ipasam: better Kerberos error handling in ipasam

If time is moved back on the IPA server, ipasam does not invalidate the
existing ticket.

https://fedorahosted.org/freeipa/ticket/3183
---
 daemons/ipa-sam/ipa_sam.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index b1592b71f40d26775b5add9ce9846082d0112af7..3c4c97cd19a9937756013eab69b047d0df80ecad 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -3809,9 +3809,9 @@ static int bind_callback(LDAP *ldap_struct, struct 
smbldap_state *ldap_state, vo
                                           ldap_sasl_interact, &data);
 
        /* By now we have 'ret' for LDAP result and 'rc' for Kerberos result
-        * if ret is LDAP_INVALID_CREDENTIALS, LDAP server rejected our ccache. 
There may be several issues:
+        * if LDAP_API_ERROR(ret) is true, LDAP server rejected our ccache. 
There may be several issues:
         *
-        * 1. Credentials are invalid due to outdated ccache leftover from 
previous install
+        * 1. Credentials are invalid due to outdated ccache leftover from 
previous install or ticket is from future
         *    Wipe out old ccache and start again
         *
         * 2. Key in the keytab is not enough to obtain ticket for 
cifs/FQDN@REALM service
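Review bot: the rewritten comment says that a true LDAP_API_ERROR(ret) means the "LDAP server rejected our ccache", but in OpenLDAP LDAP_API_ERROR() selects the negative, client-side result codes (LDAP_LOCAL_ERROR is -2, the value shown in the log above), which are raised by the library or the SASL/GSSAPI layer before the server has rejected anything; LDAP_INVALID_CREDENTIALS (49) is a positive server result code and is not matched by it. Reword along the lines of "if LDAP_API_ERROR(ret) is true, the SASL bind failed on our side (typically GSSAPI refused to use our ccache)". The case 1 text now mentions a ticket from the future, but the condition in the following hunk also handles KRB5KRB_AP_ERR_TKT_EXPIRED, so "or the ticket is from the future or has expired" would match the code.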
@@ -3825,7 +3825,9 @@ static int bind_callback(LDAP *ldap_struct, struct 
smbldap_state *ldap_state, vo
         * a new ccache file by the above call of bind_callback_obtain_creds(). 
This is expected and correct behavior.
         *
         */
-       if ((ret == LDAP_INVALID_CREDENTIALS) && (rc == 0)) {
+
+       if (LDAP_API_ERROR(ret) &&
+           ((rc == 0) || (rc == KRB5KRB_AP_ERR_TKT_NYV) || (rc == 
KRB5KRB_AP_ERR_TKT_EXPIRED))) {
                bind_callback_cleanup_creds(&data);
                rc = bind_callback_obtain_creds(&data);
                if (rc) {
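Review bot: replacing `ret == LDAP_INVALID_CREDENTIALS` with `LDAP_API_ERROR(ret)` drops the original trigger instead of extending it: LDAP_INVALID_CREDENTIALS is a positive server result code (49) and LDAP_API_ERROR() in OpenLDAP is true only for the negative client-side codes, so a server-side rejection of stale credentials no longer wipes the ccache. If that case is still wanted, keep both, e.g. `if ((LDAP_API_ERROR(ret) || (ret == LDAP_INVALID_CREDENTIALS)) &&`. The `(rc == 0)` arm now also fires for every other negative code, such as LDAP_SERVER_DOWN (-1), where discarding the ccache and re-obtaining credentials cannot help; narrowing it to `ret == LDAP_LOCAL_ERROR` (the -2 seen in the log) would match the failure this patch was written for. Note also that in both captured runs the "Ticket not yet valid" condition is reported by GSSAPI during the bind with "kerberos code is 0", so the reproduction exercises only the `rc == 0` arm; the KRB5KRB_AP_ERR_TKT_NYV and KRB5KRB_AP_ERR_TKT_EXPIRED arms apply to the ticket-acquisition step and are untested here, which the commit message should say. Finally, the added blank line separates the comment block from the condition it documents; drop it.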
-- 
1.8.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
