On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
> On 01/14/2016 10:31 PM, Simo Sorce wrote:
> > On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
> >> On 01/13/2016 10:31 AM, Martin Babinsky wrote:
> >>> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
> >>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
> >>>>> https://fedorahosted.org/freeipa/ticket/5584
> >>>> And the patch is here.
> >>> self-NACK, there may be a better way to handle this. I will do some
> >>> investigation and send updated patch.
> >> Attaching updated patch.
> > A failure to obtain a tgt may be due to other reasons (for example the
> > KDC crashed), why are you trying to use this test?
> > Isn't it sufficient to see there is no host entry in the directory?
> > Simo.
> There were some corner cases I encountered, mostly concerning a cleanup
> after unsuccessful replica promotion.
> You may sometimes end up in a state where local DS is working, but KDC
> crashed and the krb5.conf is still pointing at a remote one. In that
> case "malformed" replica's local host entry exists, but when such host
> tries to get TGT, the AS-REQ goes to remote KDC from other master.
> However, if the admin had in the meantime cleaned up this host's
> kerberos principals/keys, the crashed replica gets one of the following:
> Client not found in Kerberos database
> Client credentials have been revoked
> Generic preauthentication failure
> These were printed out as errors during uninstall, but were actually
> expected in a situation like this. It is true that the code should check
> and ignore these specific errors.
Only the first is valid for your case, the others may be transient
Simo Sorce * Red Hat, Inc * New York