On 01/14/2016 10:31 PM, Simo Sorce wrote:
On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
On 01/13/2016 10:31 AM, Martin Babinsky wrote:
On 01/07/2016 05:38 PM, Martin Babinsky wrote:
On 01/07/2016 05:37 PM, Martin Babinsky wrote:
https://fedorahosted.org/freeipa/ticket/5584

And the patch is here.



self-NACK, there may be a better way to handle this. I will do some
investigation and send updated patch.

Attaching updated patch.

A failure to obtain a tgt may be due to other reasons (for example the
KDC crashed), why are you trying to use this test?
Isn't it sufficient to see there is no host entry in the directory?

Simo.

There were some corner cases I encountered, mostly concerning a cleanup after unsuccessful replica promotion.

You may sometimes end up in a state where the local DS is working, but the KDC crashed and krb5.conf is still pointing at a remote one. In that case the "malformed" replica's local host entry exists, but when such a host tries to get a TGT, the AS-REQ goes to the remote KDC on the other master.

However, if the admin had in the meantime cleaned up this host's Kerberos principals/keys, the crashed replica gets one of the following errors:

Client not found in Kerberos database
Client credentials have been revoked
Generic preauthentication failure

These were printed out as errors during uninstall, but were actually expected in a situation like this. It is true that the code should check and ignore these specific errors.

--
Martin^3 Babinsky
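The check discussed above, as an added example that is not part of the thread or of FreeIPA's own code: a TGT probe whose failure is classified into "host principal already cleaned up on the KDC" (the three messages Martin lists, safe to ignore during uninstall) versus anything else (e.g. an unreachable KDC, which is Simo's objection and must not be swallowed). The `kinit -k -t /etc/krb5.keytab` invocation and the sample stderr lines are assumptions constructed for the example.

```python
import subprocess
from enum import Enum

# kinit messages that mean the host principal or its keys are already gone
# on the KDC that answered the AS-REQ (the errors quoted in the thread).
EXPECTED_PRINCIPAL_GONE_ERRORS = (
    "Client not found in Kerberos database",
    "Client credentials have been revoked",
    "Generic preauthentication failure",
)


class TgtFailure(Enum):
    NONE = "tgt obtained"
    PRINCIPAL_GONE = "principal already removed on the KDC; safe to ignore"
    OTHER = "unexpected kinit failure; report it, do not ignore"


def classify_kinit_result(returncode: int, stderr: str) -> TgtFailure:
    """Map a kinit exit status and its stderr text onto the three outcomes.

    Only the explicit 'principal is gone' messages are treated as expected;
    a crashed or unreachable KDC, a clock skew error, etc. stay OTHER so the
    caller can still distinguish 'entry cleaned up' from 'KDC broken'.
    """
    if returncode == 0:
        return TgtFailure.NONE
    if any(msg in stderr for msg in EXPECTED_PRINCIPAL_GONE_ERRORS):
        return TgtFailure.PRINCIPAL_GONE
    return TgtFailure.OTHER


def probe_host_tgt(principal: str, keytab: str = "/etc/krb5.keytab") -> TgtFailure:
    """Assumed wrapper: run the real kinit with the host keytab and classify.

    Not exercised offline; the keytab path and kinit flags are assumptions.
    """
    proc = subprocess.run(
        ["kinit", "-k", "-t", keytab, principal],
        capture_output=True, text=True, check=False,
    )
    return classify_kinit_result(proc.returncode, proc.stderr)


# Constructed sample stderr lines in the format kinit prints them.
SAMPLE_GONE = "kinit: Client not found in Kerberos database while getting initial credentials\n"
SAMPLE_KDC_DOWN = "kinit: Cannot contact any KDC for realm 'EXAMPLE.TEST' while getting initial credentials\n"
```

In the uninstall path, only `PRINCIPAL_GONE` would be downgraded from an error to a debug message; `OTHER` still surfaces, and the directory lookup Simo suggests remains the authoritative check for the host entry itself.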

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code