Public bug reported:

Discovered in bug #2142140.

If we specify in sssd.conf:
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
auth_provider = krb5
krb5_server = ldap.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = True
ldap_search_base = dc=example,dc=com


this generates a huge backtrace in the logs:

==> /var/log/sssd/sssd_LDAP.log <==
(2026-02-24 13:19:26): [be[LDAP]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
(2026-02-24 13:19:26): [be[LDAP]] [krb5_init_kpasswd] (0x0010): Missing krb5_kpasswd option and KDC set explicitly, will use KDC for password change operations!
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   * [be[LDAP]] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
   * (2026-02-24 13:19:26): [be[LDAP]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(...)


The krb5_kpasswd option error seems overly verbose, since the condition is this:
    const char *primary_servers = option(krb5_kpasswd);

    if (primary_servers == NULL && kdc_servers != NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "Missing krb5_kpasswd option and KDC set "
              "explicitly, will use KDC for password change operations!\n");
        ctx->kpasswd_service = NULL;
    }


and according to man 5 sssd-krb5:

       krb5_kpasswd, krb5_backup_kpasswd (string)
           If the change password service is not running on the KDC, alternative servers can be defined here. An optional port number (preceded by a colon) may be appended to the addresses or hostnames.

           Default: Use the KDC

so this should not be an error, but is too verbose.

reported and fixed upstream:
https://github.com/SSSD/sssd/issues/8531
https://github.com/SSSD/sssd/commit/8631c02e0c73fb89b11b110ac53f30c905962c54

** Affects: sssd (Ubuntu)
     Importance: Undecided
     Assignee: Jonas Jelten (jj)
         Status: New

** Changed in: sssd (Ubuntu)
     Assignee: (unassigned) => Jonas Jelten (jj)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2146334

Title:
  bad crash logging for missing krb5_kpasswd option

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2146334/+subscriptions
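
A log-triage sketch for the behaviour reported above, added here as an example and not part of the bug report or of SSSD: it finds each backtrace banner in an sssd log, reports the message that triggered it, and marks the krb5_kpasswd message from this report as known noise. The `KNOWN_BENIGN` list, the function name and the `example_func` sample lines are assumptions made for the example.

```python
import re

# Line shape as seen in the excerpt: (timestamp): [component] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
BANNER = "PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE"

# Assumption for this example: triggers treated as noise, per this report.
KNOWN_BENIGN = [("krb5_init_kpasswd", "Missing krb5_kpasswd option")]


def backtrace_triggers(lines):
    """Return one record per backtrace banner, describing the message before it."""
    found, prev = [], None
    for line in lines:
        if BANNER in line:
            if prev is not None:
                benign = any(prev["func"] == f and m in prev["msg"]
                             for f, m in KNOWN_BENIGN)
                found.append({**prev, "benign": benign})
            continue
        if line.lstrip().startswith("*"):
            continue  # replayed backtrace entry, not a new event
        m = LINE_RE.match(line)
        if m:
            prev = {"func": m["func"], "level": int(m["level"], 16), "msg": m["msg"]}
    return found


# Constructed sample: the excerpt's lines with mail wrapping undone, plus a made-up fatal.
SAMPLE = """\
(2026-02-24 13:19:26): [be[LDAP]] [server_setup] (0x3f7c0): Starting with debug level = 0x0070
(2026-02-24 13:19:26): [be[LDAP]] [krb5_init_kpasswd] (0x0010): Missing krb5_kpasswd option and KDC set explicitly, will use KDC for password change operations!
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   * [be[LDAP]] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
   * (2026-02-24 13:19:26): [be[LDAP]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(2026-02-24 13:20:01): [be[LDAP]] [example_func] (0x0010): constructed fatal message
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   * (2026-02-24 13:20:01): [be[LDAP]] [example_func] (0x0400): constructed trace line
""".splitlines()

if __name__ == "__main__":
    for t in backtrace_triggers(SAMPLE):
        tag = "known-benign" if t["benign"] else "REVIEW"
        print(f'{tag:12} {t["func"]} (0x{t["level"]:04x}): {t["msg"]}')
```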

