On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
> On 01/14/2016 10:31 PM, Simo Sorce wrote:
> > On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
> >> On 01/13/2016 10:31 AM, Martin Babinsky wrote:
> >>> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
> >>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
> >>>>> https://fedorahosted.org/freeipa/ticket/5584
> >>>>>
> >>>> And the patch is here.
> >>>>
> >>> self-NACK, there may be a better way to handle this. I will do some
> >>> investigation and send updated patch.
> >>>
> >> Attaching updated patch.
> >
> > A failure to obtain a tgt may be due to other reasons (for example the
> > KDC crashed), why are you trying to use this test?
> > Isn't it sufficient to see there is no host entry in the directory?
> >
> > Simo.
> >
> There were some corner cases I encountered, mostly concerning a cleanup
> after unsuccessful replica promotion.
>
> You may sometimes end up in a state where local DS is working, but KDC
> crashed and the krb5.conf is still pointing at a remote one. In that
> case "malformed" replica's local host entry exists, but when such host
> tries to get TGT, the AS-REQ goes to remote KDC from other master.
>
> However, if the admin had in the meantime cleaned up this host's
> kerberos principals/keys, the crashed replica gets one of the following
> errors:
>
> Client not found in Kerberos database
> Client credentials have been revoked
> Generic preauthentication failure
>
> These were printed out as errors during uninstall, but were actually
> expected in a situation like this. It is true that the code should check
> and ignore these specific errors.

Only the first is valid for your case, the others may be transient errors.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
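
One way to express the check this thread arrives at, as an added example that is not code from the FreeIPA patch: only "Client not found in Kerberos database" is treated as expected during uninstall, and every other TGT failure is still reported. The function names are hypothetical, the sample stderr lines are constructed, and the patterns assume kinit runs with `LC_ALL=C` so the messages are not localized.

```python
import re

# Message texts as quoted in the thread. Assumption: some krb5 releases insert
# the quoted principal after "Client", or print "Clients"/"Client's", so the
# patterns tolerate those variants.
PRINCIPAL_GONE = re.compile(
    r"Client (?:'[^']*' )?not found in Kerberos database")
MAYBE_TRANSIENT = (
    re.compile(r"Client(?:'?s)? credentials have been revoked"),
    re.compile(r"Generic preauthentication failure"),
)


def classify_tgt_failure(stderr_text):
    """Classify the stderr of a failed host TGT request.

    'expected'  - the host principal was already removed on the master
    'transient' - listed in the thread, but may be a passing condition
    'unknown'   - anything else, for example an unreachable KDC
    """
    if PRINCIPAL_GONE.search(stderr_text):
        return "expected"
    if any(p.search(stderr_text) for p in MAYBE_TRANSIENT):
        return "transient"
    return "unknown"


def should_report_error(stderr_text):
    """Uninstall stays quiet only for the single expected failure."""
    return classify_tgt_failure(stderr_text) != "expected"


# Constructed sample output; host and realm names are placeholders.
SAMPLES = [
    "kinit: Client 'host/replica1.example.test@EXAMPLE.TEST' not found in "
    "Kerberos database while getting initial credentials",
    "kinit: Client not found in Kerberos database while getting initial "
    "credentials",
    "kinit: Clients credentials have been revoked while getting initial "
    "credentials",
    "kinit: Generic preauthentication failure while getting initial "
    "credentials",
    "kinit: Cannot contact any KDC for realm 'EXAMPLE.TEST' while getting "
    "initial credentials",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify_tgt_failure(line), should_report_error(line), line)
```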
