On 01/15/2016 06:29 PM, Martin Babinsky wrote:
On 01/15/2016 04:57 PM, Simo Sorce wrote:
On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
On 01/14/2016 10:31 PM, Simo Sorce wrote:
On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
On 01/13/2016 10:31 AM, Martin Babinsky wrote:
On 01/07/2016 05:38 PM, Martin Babinsky wrote:
On 01/07/2016 05:37 PM, Martin Babinsky wrote:
https://fedorahosted.org/freeipa/ticket/5584
And the patch is here.
self-NACK, there may be a better way to handle this. I will do some
investigation and send updated patch.
Attaching updated patch.
A failure to obtain a tgt may be due to other reasons (for example the
KDC crashed), why are you trying to use this test ?
Isn't it sufficient to see there is no host entry in the directory ?
Simo.
There were some corner cases I encountered, mostly concerning a cleanup
after unsuccessful replica promotion.
You may sometimes end up in a state where local DS is working, but KDC
crashed and the krb5.conf is still pointing at a remote one. In that
case "malformed" replica's local host entry exist, but when such host
tries to get TGT, the AS-REQ goes to remote KDC from other master.
However, if the admin had in the mean time cleaned up this host's
kerberos principals/keys, the crashed replica gets one of the following
errors:
Client not found in Kerberos database
Client credentials have been revoked
Generic preauthentication failure
These were printed out as errors during uninstall, but were actually
expected in situation like this. It is true that the code should check
and ignore these specific errors.
Only the first id valid for your case, the others may be transient
errors.
Simo.
True, attaching updated patch. The other errors will now pop out in the
output and the warning will be displayed.
Bump for review.
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
