On Wed, 2016-01-20 at 09:42 +0100, Martin Babinsky wrote:
> On 01/15/2016 06:29 PM, Martin Babinsky wrote:
> > On 01/15/2016 04:57 PM, Simo Sorce wrote:
> >> On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
> >>> On 01/14/2016 10:31 PM, Simo Sorce wrote:
> >>>> On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
> >>>>> On 01/13/2016 10:31 AM, Martin Babinsky wrote:
> >>>>>> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
> >>>>>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
> >>>>>>>> https://fedorahosted.org/freeipa/ticket/5584
> >>>>>>>>
> >>>>>>> And the patch is here.
> >>>>>>>
> >>>>>> self-NACK, there may be a better way to handle this. I will do some
> >>>>>> investigation and send an updated patch.
> >>>>>>
> >>>>> Attaching updated patch.
> >>>>
> >>>> A failure to obtain a tgt may be due to other reasons (for example the
> >>>> KDC crashed), why are you trying to use this test?
> >>>> Isn't it sufficient to see there is no host entry in the directory?
> >>>>
> >>>> Simo.
> >>>>
> >>> There were some corner cases I encountered, mostly concerning a cleanup
> >>> after unsuccessful replica promotion.
> >>>
> >>> You may sometimes end up in a state where local DS is working, but KDC
> >>> crashed and the krb5.conf is still pointing at a remote one. In that
> >>> case the "malformed" replica's local host entry exists, but when such a host
> >>> tries to get a TGT, the AS-REQ goes to the remote KDC from another master.
> >>>
> >>> However, if the admin had in the meantime cleaned up this host's
> >>> kerberos principals/keys, the crashed replica gets one of the following
> >>> errors:
> >>>
> >>> Client not found in Kerberos database
> >>> Client credentials have been revoked
> >>> Generic preauthentication failure
> >>>
> >>> These were printed out as errors during uninstall, but were actually
> >>> expected in a situation like this. It is true that the code should check
> >>> and ignore these specific errors.
> >>
> >> Only the first is valid for your case, the others may be transient
> >> errors.
> >>
> >> Simo.
> >>
> > True, attaching updated patch. The other errors will now pop out in the
> > output and the warning will be displayed.
> >
> Bump for review.
>
LGTM

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
