On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
> On 01/14/2016 10:31 PM, Simo Sorce wrote:
> > On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
> >> On 01/13/2016 10:31 AM, Martin Babinsky wrote:
> >>> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
> >>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
> >>>>> https://fedorahosted.org/freeipa/ticket/5584
> >>>>>
> >>>> And the patch is here.
> >>>>
> >>>>
> >>>>
> >>> self-NACK, there may be a better way to handle this. I will do some
> >>> investigation and send updated patch.
> >>>
> >> Attaching updated patch.
> >
> > A failure to obtain a TGT may be due to other reasons (for example the
> > KDC crashed), why are you trying to use this test?
> > Isn't it sufficient to see there is no host entry in the directory?
> >
> > Simo.
> >
> There were some corner cases I encountered, mostly concerning a cleanup
> after unsuccessful replica promotion.
>
> You may sometimes end up in a state where local DS is working, but KDC
> crashed and the krb5.conf is still pointing at a remote one. In that
> case "malformed" replica's local host entry exists, but when such host
> tries to get TGT, the AS-REQ goes to remote KDC from other master.
>
> However, if the admin had in the meantime cleaned up this host's
> Kerberos principals/keys, the crashed replica gets one of the following
> errors:
> 
> Client not found in Kerberos database
> Client credentials have been revoked
> Generic preauthentication failure
> 
> These were printed out as errors during uninstall, but were actually
> expected in a situation like this. It is true that the code should check
> and ignore these specific errors.

Only the first is valid for your case, the others may be transient
errors.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
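
The distinction drawn in the thread above, as an added example that is not part of the original messages or of FreeIPA's code: only a "Client not found" failure from the host kinit is treated as expected during uninstall, while the other two messages and anything else (such as an unreachable KDC) are still reported. All function and constant names are hypothetical, the sample kinit lines are constructed, and the debug/error log levels are an assumed policy; the parser also accepts the form in which kinit embeds the principal name in the message.

```python
import re

# Classification of a failed host kinit during uninstall (hypothetical names).
EXPECTED = "expected"      # principal is gone: consistent with an admin cleanup
AMBIGUOUS = "ambiguous"    # may be transient, so it is still reported
UNEXPECTED = "unexpected"  # anything else, e.g. the KDC cannot be reached

# kinit prints "kinit: <message> while getting initial credentials".
KINIT_RE = re.compile(r"^kinit: (?P<msg>.+?)(?: while getting initial credentials)?$")

# Some krb5 versions embed the principal: Client 'host/x@REALM' not found ...
RULES = [
    (re.compile(r"^Client (?:'[^']*' )?not found in Kerberos database$"), EXPECTED),
    (re.compile(r"^Clients? credentials have been revoked$"), AMBIGUOUS),
    (re.compile(r"^Generic preauthentication failure$"), AMBIGUOUS),
]


def classify_kinit_failure(stderr: str) -> str:
    """Return the strictest classification found in kinit's stderr output."""
    verdicts = set()
    for line in stderr.splitlines():
        m = KINIT_RE.match(line.strip())
        if not m:
            continue
        verdicts.add(next((v for rx, v in RULES if rx.match(m.group("msg"))), UNEXPECTED))
    # Output with no recognisable kinit line is never silently ignored.
    if not verdicts or UNEXPECTED in verdicts:
        return UNEXPECTED
    return AMBIGUOUS if AMBIGUOUS in verdicts else EXPECTED


def uninstall_log_level(stderr: str) -> str:
    """Downgrade only the 'principal not found' case; report everything else."""
    return "debug" if classify_kinit_failure(stderr) == EXPECTED else "error"


# Constructed sample output, not captured from a real host.
SAMPLES = {
    "old": "kinit: Client not found in Kerberos database while getting initial credentials",
    "new": "kinit: Client 'host/replica.example.test@EXAMPLE.TEST' not found in "
           "Kerberos database while getting initial credentials",
    "revoked": "kinit: Client credentials have been revoked while getting initial credentials",
    "kdc_down": "kinit: Cannot contact any KDC for realm 'EXAMPLE.TEST' while getting initial credentials",
}

if __name__ == "__main__":
    print({name: uninstall_log_level(text) for name, text in SAMPLES.items()})
```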
