On (12/09/17 18:44), Sumit Bose wrote:
>On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
>> ehlo,
>>
>> I realized that it might be better to discuss it here rather than in
>> pull requests because it seems to be related to two different commits.
>>
>> I will describe a test case on master with an already created replica on another
>> host.
>> * kinit as admin
>> // create user with dummy password
>> * echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
>>       --password
>>
>> // adding sleep; I think that the first kinit hits the slave sometimes and the user
>> // is not replicated yet.
>> * sleep 2
>> * FirstKinitAs $login $dummypw $password
>>
>> FirstKinitAs is a bash function which changes the initial password,
>> something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
>>
>> Such a test works reliably with 1.15.3 and kinit always talks to the local master
>> (I didn't try to remove sleep 2).
>>
>>
>> But the situation changed a little bit with git master due to the following commits:
>> IPA: Only generate kdcinfo files on clients
>> https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
>
>Do you have the /etc/krb5.conf available from the host where the test
>failed? The above patch was written with the assumption that
>/etc/krb5.conf on the IPA server points to the server itself, as
>ipa-server-install creates it:
>
>[realms]
> IPA.DEVEL = {
>  kdc = ipa-devel.ipa.devel:88
>  master_kdc = ipa-devel.ipa.devel:88
>  admin_server = ipa-devel.ipa.devel:749
>  default_domain = ipa.devel
>  pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
>Currently I would assume that at least admin_server is missing.
>
>> localauth plugin: change return code of sss_an2ln
>> https://pagure.io/SSSD/sssd/c/3f94a979eebd1c9496b49b4e07b7823550dec97e
>
>I'm a bit surprised here because it is not clear to me where during the
>test an2ln is used. But if it is the case it might point to an issue at
>a different place, because the old return code was wrong according to the
>documentation of the plugin.
>

I probably mixed versions of packages when I ran the test, because reverting the patch for the krb5_localauth plugin did not help and it still fails:
--------------------------
Added user "selfservuser1"
--------------------------
  User login: selfservuser1
  First name: first
  Last name: last
  Full name: first last
  Display name: first last
  Initials: fl
  Home directory: /home/selfservuser1
  GECOS: first last
  Login shell: /bin/sh
  Principal name: selfservus...@testrelm.test
  Principal alias: selfservus...@testrelm.test
  Email address: selfservus...@testrelm.test
  UID: 716000021
  GID: 716000021
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
:: [ PASS ] :: add test user account (Expected 0, got 0)
:: [ BEGIN ] :: Running 'FirstKinitAs selfservuser1 dummy...@ipa.com passw0rd1'
[1836] 1505231102.633534: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: selfservus...@testrelm.test
[1838] 1505231102.639333: Getting initial credentials for selfservus...@testrelm.test
[1838] 1505231102.641609: Sending request (183 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.641757: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.642102: Initiating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.642170: Sending TCP request to stream 10.19.41.68:88
[1838] 1505231102.644813: Received answer (186 bytes) from stream 10.19.41.68:88
[1838] 1505231102.644822: Terminating TCP connection to stream 10.19.41.68:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.644878: Response was from master KDC
[1838] 1505231102.644897: Received error from KDC: -1765328361/Password has expired
[1838] 1505231102.644915: Principal expired; getting changepw ticket
[1838] 1505231102.644921: Getting initial credentials for selfservus...@testrelm.test
[1838] 1505231102.644936: Setting initial creds service to kadmin/changepw
[1838] 1505231102.644954: Sending request (178 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.644973: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.645055: Initiating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.645102: Sending TCP request to stream 10.19.41.68:88
[1838] 1505231102.647338: Received answer (308 bytes) from stream 10.19.41.68:88
[1838] 1505231102.647346: Terminating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.647382: Received error from KDC: -1765328359/Additional pre-authentication required
[1838] 1505231102.647404: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[1838] 1505231102.647415: Selected etype info: etype aes256-cts, salt ",U-"2{X22zFHoWcb", params ""
[1838] 1505231102.647418: Received cookie: MIT
[1838] 1505231102.647434: PKINIT client has no configured identity; giving up
[1838] 1505231102.647447: Preauth module pkinit (147) (info) returned: 0/Success
[1838] 1505231102.647454: PKINIT client has no configured identity; giving up
[1838] 1505231102.647459: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[1838] 1505231102.647464: PKINIT client has no configured identity; giving up
[1838] 1505231102.647468: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[1838] 1505231102.647474: PKINIT client has no configured identity; giving up
[1838] 1505231102.647478: Preauth module pkinit (14) (real) returned: 22/Invalid argument
Password for selfservus...@testrelm.test:
[1838] 1505231102.656744: AS key obtained for encrypted timestamp: aes256-cts/A66D
[1838] 1505231102.656785: Encrypted timestamp (for 1505231102.656605): plain 301AA011180F32303137303931323135343530325AA10502030A04DD, encrypted 85E9E81C445DF84C3C059D350C388044D722FEB89EC67C3C7016E6CD6E588BE004A9556F156769B74E32CE3EC2175D58AAFB01D51249D4D8
[1838] 1505231102.656795: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[1838] 1505231102.656798: Produced preauth for next request: 133, 2
[1838] 1505231102.656808: Sending request (273 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.656831: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.656914: Initiating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.656950: Sending TCP request to stream 10.19.41.68:88
[1838] 1505231102.659730: Received answer (744 bytes) from stream 10.19.41.68:88
[1838] 1505231102.659738: Terminating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.659771: Processing preauth types: 19
[1838] 1505231102.659777: Selected etype info: etype aes256-cts, salt ",U-"2{X22zFHoWcb", params ""
[1838] 1505231102.659781: Produced preauth for next request: (empty)
[1838] 1505231102.659787: AS key determined by preauth: aes256-cts/A66D
[1838] 1505231102.659825: Decrypted AS reply; session key is: aes256-cts/925B
[1838] 1505231102.659838: FAST negotiation: available
[1838] 1505231102.659864: Attempting password change; 3 tries remaining
Password expired. You must change it now.
Enter new password:
Enter it again:
[1838] 1505231102.659911: Creating authenticator for selfservus...@testrelm.test -> kadmin/chang...@testrelm.test, seqnum 0, subkey aes256-cts/E008, session key aes256-cts/925B
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.660554: Resolving hostname kvm-02-guest03.testrelm.test.
[1838] 1505231102.660988: Sending initial UDP request to dgram 2620:52:0:1040:5054:ff:fe71:6fb1:464
[1838] 1505231102.689233: Received answer (248 bytes) from dgram 2620:52:0:1040:5054:ff:fe71:6fb1:464
[1838] 1505231102.689284: Read AP-REP, time 1505231102.659915, subkey aes256-cts/E008, seqnum 342299389
[1838] 1505231102.689308: Getting initial TGT with changed password
[1838] 1505231102.689312: Getting initial credentials for selfservus...@testrelm.test
[1838] 1505231102.689357: Sending request (183 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.689388: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.689477: Initiating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.689517: Sending TCP request to stream 10.19.41.68:88
[1838] 1505231102.691967: Received answer (186 bytes) from stream 10.19.41.68:88
[1838] 1505231102.691976: Terminating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.692010: Received error from KDC: -1765328361/Password has expired
kinit: Password has expired while getting initial credentials
klist: Credentials cache keyring 'persistent:0:0' not found
:: [ 11:45:02 ] :: ERROR: kinit as selfservuser1 with new password passw0rd1 failed.
:: [ FAIL ] :: Command 'FirstKinitAs selfservuser1 dummy...@ipa.com passw0rd1' (Expected 0, got 1)
[1852] 1505231102.895334: Destroying ccache KEYRING:persistent:0:0
selfservuser1
[1854] 1505231102.900444: Getting initial credentials for ad...@testrelm.test
[1854] 1505231102.902589: Sending request (175 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1854] 1505231102.902739: Resolving hostname bkr-hv03-guest38.testrelm.test
[1854] 1505231102.903091: Initiating TCP connection to stream 10.19.41.68:88
[1854] 1505231102.903159: Sending TCP request to stream 10.19.41.68:88
[1854] 1505231102.909061: Received answer (305 bytes) from stream 10.19.41.68:88
[1854] 1505231102.909075: Terminating TCP connection to stream 10.19.41.68:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1854] 1505231102.909144: Response was from master KDC
[1854] 1505231102.909161: Received error from KDC: -1765328359/Additional pre-authentication required
[1854] 1505231102.909194: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[1854] 1505231102.909203: Selected etype info: etype aes256-cts, salt "SkP Io5?\bg.^vG", params ""
[1854] 1505231102.909206: Received cookie: MIT
[1854] 1505231102.909221: PKINIT client has no configured identity; giving up
[1854] 1505231102.909235: Preauth module pkinit (147) (info) returned: 0/Success
[1854] 1505231102.909242: PKINIT client has no configured identity; giving up
[1854] 1505231102.909247: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[1854] 1505231102.909253: PKINIT client has no configured identity; giving up
[1854] 1505231102.909258: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[1854] 1505231102.909280: PKINIT client has no configured identity; giving up
[1854] 1505231102.909286: Preauth module pkinit (14) (real) returned: 22/Invalid argument
[1854] 1505231102.918366: AS key obtained for encrypted timestamp: aes256-cts/BC4B
[1854] 1505231102.918408: Encrypted timestamp (for 1505231102.917977): plain 301AA011180F32303137303931323135343530325AA10502030E01D9, encrypted 0B89C878A11B01A30D769374C002AFDB0C9F8E992F5D5A78E65FCCD201FC38DC731D4845AE1CBD524DD56416C4CCA991E2EA44575931B7B4
[1854] 1505231102.918419: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[1854] 1505231102.918422: Produced preauth for next request: 133, 2
[1854] 1505231102.918433: Sending request (270 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1854] 1505231102.918455: Resolving hostname bkr-hv03-guest38.testrelm.test
[1854] 1505231102.918570: Initiating TCP connection to stream 10.19.41.68:88
[1854] 1505231102.919095: Sending TCP request to stream 10.19.41.68:88
[1854] 1505231102.923547: Received answer (738 bytes) from stream 10.19.41.68:88
[1854] 1505231102.923560: Terminating TCP connection to stream 10.19.41.68:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1854] 1505231102.923612: Response was from master KDC
[1854] 1505231102.923640: Processing preauth types: 19
[1854] 1505231102.923661: Selected etype info: etype aes256-cts, salt "SkP Io5?\bg.^vG", params ""
[1854] 1505231102.923668: Produced preauth for next request: (empty)
[1854] 1505231102.923674: AS key determined by preauth: aes256-cts/BC4B
[1854] 1505231102.923714: Decrypted AS reply; session key is: aes256-cts/B5A5
[1854] 1505231102.923727: FAST negotiation: available
[1854] 1505231102.923744: Initializing KEYRING:persistent:0:0 with default princ ad...@testrelm.test
[1854] 1505231102.923779: Storing ad...@testrelm.test -> krbtgt/testrelm.t...@testrelm.test in KEYRING:persistent:0:0
[1854] 1505231102.923814: Storing config in KEYRING:persistent:0:0 for krbtgt/testrelm.t...@testrelm.test: fast_avail: yes
[1854] 1505231102.923826: Storing ad...@testrelm.test -> krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in KEYRING:persistent:0:0
[1854] 1505231102.923850: Storing config in KEYRING:persistent:0:0 for krbtgt/testrelm.t...@testrelm.test: pa_type: 2
[1854] 1505231102.923858: Storing ad...@testrelm.test -> krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in KEYRING:persistent:0:0
:: [ FAIL ] :: Command 'create_ipauser selfservuser1 first last passw0rd1' (Expected 0, got 1)

LS
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
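The KRB5_TRACE output in the mail is easier to audit once every request is paired with the host it was actually sent to. The script below is an added example for this thread, not code from SSSD, MIT Kerberos or the mail itself; it assumes only the trace line shapes visible in the quoted log ("Sending request ... to REALM [(master)]", "Creating authenticator for ... -> kadmin/changepw@REALM", "Resolving hostname X", "Initiating TCP connection to stream ADDR:PORT", "Sending initial UDP request to dgram ADDR:PORT", "Received error from KDC: CODE/TEXT", and the unprefixed "[sssd_krb5_locator] open failed" lines) and runs over a constructed excerpt that mirrors them (same hostnames and addresses, placeholder principal). It lists each AS and kpasswd exchange with the resolved host, counts how often sssd_krb5_locator failed to open the kdcinfo file (every request in the log, since the file is no longer generated on the server), and flags the split the trace shows: the kadmin/changepw exchange resolving kvm-02-guest03 over UDP 464 while the AS-REQ with the new password goes to bkr-hv03-guest38:88 and is answered with "Password has expired".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt mirroring the KRB5_TRACE line shapes in the quoted log
# (hostnames, addresses and ports as in that log; the principal is a placeholder).
SAMPLE_TRACE = """\
[1838] 1505231102.641609: Sending request (183 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[1838] 1505231102.641757: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.642102: Initiating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.644897: Received error from KDC: -1765328361/Password has expired
[1838] 1505231102.644936: Setting initial creds service to kadmin/changepw
[1838] 1505231102.644954: Sending request (178 bytes) to TESTRELM.TEST (master)
[1838] 1505231102.644973: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.645055: Initiating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.659825: Decrypted AS reply; session key is: aes256-cts/925B
[1838] 1505231102.659911: Creating authenticator for testuser@TESTRELM.TEST -> kadmin/changepw@TESTRELM.TEST, seqnum 0, subkey aes256-cts/E008, session key aes256-cts/925B
[1838] 1505231102.660554: Resolving hostname kvm-02-guest03.testrelm.test.
[1838] 1505231102.660988: Sending initial UDP request to dgram 2620:52:0:1040:5054:ff:fe71:6fb1:464
[1838] 1505231102.689284: Read AP-REP, time 1505231102.659915, subkey aes256-cts/E008, seqnum 342299389
[1838] 1505231102.689308: Getting initial TGT with changed password
[1838] 1505231102.689357: Sending request (183 bytes) to TESTRELM.TEST (master)
[1838] 1505231102.689388: Resolving hostname bkr-hv03-guest38.testrelm.test
[1838] 1505231102.689477: Initiating TCP connection to stream 10.19.41.68:88
[1838] 1505231102.692010: Received error from KDC: -1765328361/Password has expired
"""

TRACE_RE = re.compile(r"^\[\d+\]\s+\d+\.\d+:\s+(?P<msg>.*)$")
LOCATOR_FAIL = "[sssd_krb5_locator] open failed "


@dataclass
class Exchange:
    kind: str                      # "AS-REQ" or "kpasswd"
    master: bool = False           # "(master)" suffix: client insisted on master_kdc
    host: Optional[str] = None     # hostname krb5 resolved for this request
    addr: Optional[str] = None     # addr:port it actually connected to
    result: Optional[str] = None   # "ok" or the KDC error text


def parse_trace(text: str) -> List[Exchange]:
    """Group KRB5_TRACE lines into per-request exchanges."""
    exchanges: List[Exchange] = []
    cur: Optional[Exchange] = None
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            continue               # locator plugin chatter carries no [pid] prefix
        msg = m.group("msg")
        if msg.startswith("Sending request "):
            cur = Exchange(kind="AS-REQ", master=msg.endswith("(master)"))
            exchanges.append(cur)
        elif msg.startswith("Creating authenticator for ") and "kadmin/changepw" in msg:
            cur = Exchange(kind="kpasswd")
            exchanges.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("Resolving hostname "):
            cur.host = msg.split()[-1].rstrip(".")
        elif "TCP connection to stream " in msg or "UDP request to dgram " in msg:
            cur.addr = msg.split()[-1]
        elif msg.startswith("Received error from KDC: "):
            cur.result = msg.split("/", 1)[1]
        elif msg.startswith("Decrypted AS reply") or msg.startswith("Read AP-REP"):
            cur.result = "ok"
    return exchanges


def count_locator_failures(text: str) -> int:
    """How often sssd_krb5_locator could not open the kdcinfo file."""
    return sum(1 for line in text.splitlines() if line.startswith(LOCATOR_FAIL))


def password_change_divergence(exchanges: List[Exchange]) -> List[Tuple[str, str, Optional[str]]]:
    """Pair each kpasswd exchange with the next AS-REQ; report host mismatches."""
    found = []
    for i, ex in enumerate(exchanges):
        if ex.kind != "kpasswd":
            continue
        nxt = next((e for e in exchanges[i + 1:] if e.kind == "AS-REQ"), None)
        if nxt is not None and nxt.host != ex.host:
            found.append((ex.host, nxt.host, nxt.result))
    return found


if __name__ == "__main__":
    exs = parse_trace(SAMPLE_TRACE)
    for ex in exs:
        print(f"{ex.kind:8} master={ex.master!s:5} host={ex.host} addr={ex.addr} result={ex.result}")
    print("kdcinfo open failures:", count_locator_failures(SAMPLE_TRACE))
    for changed_at, retried_at, result in password_change_divergence(exs):
        print(f"password changed at {changed_at}, new-password AS-REQ went to {retried_at}: {result}")
```

Run it against a real capture with `KRB5_TRACE=/dev/stderr kinit -V user 2>trace.log` and feed the file to `parse_trace`. A non-empty result from `password_change_divergence` means the password change and the AS-REQ that followed it were served by different hosts; whether that is acceptable depends on replication having completed in between, which is exactly what the `sleep 2` in the test was covering for.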