You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
+++ This bug was initially created as a clone of Bug #697057 +++
Description of problem:
kpasswd fails with the error: "kpasswd: Cannot contact any KDC for requested realm changing password" if sssd is used with krb backend and the kadmin service is not running on the KDCs.
Version-Release number of selected component (if applicable):
sssd-1.5.4-1.fc14
krb5-workstation-1.8.2-9.fc14
How reproducible:
Almost every time, predictable.
Steps to Reproduce:
1. System with sssd using krb5 as auth backend. kpasswd service on a different server to the KDC
2. Run 'kpasswd' as a user
3. Enter passwords
Actual results:
"kpasswd: Cannot contact any KDC for requested realm changing password"
Expected results:
kpasswd sends a change password request to the kadmin server.
Additional info:
kpasswd is looking for /var/lib/sss/pubconf/kdcinfo.$REALM, if not found it falls back to the traditional method of using /etc/krb5.conf and then DNS lookup. Which works.
If kdcinfo.$REALM exists, kpasswd then looks for /var/lib/sss/pubconf/kpasswdinfo.$REALM, which never gets created. kpasswd uses the addresses from kdcinfo.$REALM as the kadmin server, which isn't running the kpasswd service. Hence fail.
The file in /var/lib/sss/pubconf/ is only created after sssd-krb5 is poked in the right way, e.g. an auth attempt. After restarting sssd the directory is empty.
/etc/sssd/sssd.conf contains:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
cache_credentials = True
debug_level = 0
id_provider = ldap
ldap_uri = ldaps://ldap-auth.mydomain
ldap_id_use_start_tls = False
ldap_search_base = dc=decisionsoft,dc=com
chpass_provider = krb5
auth_provider = krb5
krb5_realm = MYREALM
krb5_kpasswd = kerberos-master.mydomain
krb5_server = kerberos.mydomain
{{{
+++ This bug was initially created as a clone of Bug #697057 +++
Description of problem:
kpasswd fails with the error: "kpasswd: Cannot contact any KDC for requested realm changing password" if sssd is used with krb backend and the kadmin service is not running on the KDCs.
Version-Release number of selected component (if applicable):
sssd-1.5.4-1.fc14
krb5-workstation-1.8.2-9.fc14
How reproducible:
Almost every time, predictable.
Steps to Reproduce:
System with sssd using krb5 as auth backend. kpasswd service on a different server to the KDC
Run 'kpasswd' as a user
Enter passwords
Actual results:
"kpasswd: Cannot contact any KDC for requested realm changing password"
Expected results:
kpasswd sends a change password request to the kadmin server.
Additional info:
kpasswd is looking for /var/lib/sss/pubconf/kdcinfo.$REALM, if not found it falls back to the traditional method of using /etc/krb5.conf and then DNS lookup. Which works.
If kdcinfo.$REALM exists, kpasswd then looks for /var/lib/sss/pubconf/kpasswdinfo.$REALM, which never gets created. kpasswd uses the addresses from kdcinfo.$REALM as the kadmin server, which isn't running the kpasswd service. Hence fail.
The file in /var/lib/sss/pubconf/ is only created after sssd-krb5 is poked in the right way, e.g. an auth attempt. After restarting sssd the directory is empty.
{{{
+++ This bug was initially created as a clone of Bug #697057 +++
Description of problem:
kpasswd fails with the error: "kpasswd: Cannot contact any KDC for requested realm changing password" if sssd is used with krb backend and the kadmin service is not running on the KDCs.
Version-Release number of selected component (if applicable):
sssd-1.5.4-1.fc14
krb5-workstation-1.8.2-9.fc14
How reproducible:
Almost every time, predictable.
Steps to Reproduce:
System with sssd using krb5 as auth backend. kpasswd service on a different server to the KDC
Run 'kpasswd' as a user
Enter passwords
Actual results:
"kpasswd: Cannot contact any KDC for requested realm changing password"
Expected results:
kpasswd sends a change password request to the kadmin server.
Additional info:
kpasswd is looking for /var/lib/sss/pubconf/kdcinfo.$REALM, if not found it falls back to the traditional method of using /etc/krb5.conf and then DNS lookup. Which works.
If kdcinfo.$REALM exists, kpasswd then looks for /var/lib/sss/pubconf/kpasswdinfo.$REALM, which never gets created. kpasswd uses the addresses from kdcinfo.$REALM as the kadmin server, which isn't running the kpasswd service. Hence fail.
The file in /var/lib/sss/pubconf/ is only created after sssd-krb5 is poked in the right way, e.g. an auth attempt. After restarting sssd the directory is empty.
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/1023
https://bugzilla.redhat.com/show_bug.cgi?id=698724
Comments
Comment from sgallagh at 2011-09-30 14:54:00
Fixed by 5e88215
coverity: =>
description: https://bugzilla.redhat.com/show_bug.cgi?id=698724
{{{
+++ This bug was initially created as a clone of Bug #697057 +++
Description of problem:
kpasswd fails with the error: "kpasswd: Cannot contact any KDC for requested realm changing password" if sssd is used with krb backend and the kadmin service is not running on the KDCs.
Version-Release number of selected component (if applicable):
sssd-1.5.4-1.fc14
krb5-workstation-1.8.2-9.fc14
How reproducible:
Almost every time, predictable.
Steps to Reproduce:
Actual results:
"kpasswd: Cannot contact any KDC for requested realm changing password"
Expected results:
kpasswd sends a change password request to the kadmin server.
Additional info:
kpasswd is looking for /var/lib/sss/pubconf/kdcinfo.$REALM, if not found it falls back to the traditional method of using /etc/krb5.conf and then DNS lookup. Which works.
If kdcinfo.$REALM exists, kpasswd then looks for /var/lib/sss/pubconf/kpasswdinfo.$REALM, which never gets created. kpasswd uses the addresses from kdcinfo.$REALM as the kadmin server, which isn't running the kpasswd service. Hence fail.
The file in /var/lib/sss/pubconf/ is only created after sssd-krb5 is poked in the right way, e.g. an auth attempt. After restarting sssd the directory is empty.
/etc/sssd/sssd.conf contains:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
cache_credentials = True
debug_level = 0
id_provider = ldap
ldap_uri = ldaps://ldap-auth.mydomain
ldap_id_use_start_tls = False
ldap_search_base = dc=decisionsoft,dc=com
chpass_provider = krb5
auth_provider = krb5
krb5_realm = MYREALM
krb5_kpasswd = kerberos-master.mydomain
krb5_server = kerberos.mydomain
}}}
=> https://bugzilla.redhat.com/show_bug.cgi?id=698724
{{{
+++ This bug was initially created as a clone of Bug #697057 +++
Description of problem:
kpasswd fails with the error: "kpasswd: Cannot contact any KDC for requested realm changing password" if sssd is used with krb backend and the kadmin service is not running on the KDCs.
Version-Release number of selected component (if applicable):
sssd-1.5.4-1.fc14
krb5-workstation-1.8.2-9.fc14
How reproducible:
Almost every time, predictable.
Steps to Reproduce:
Actual results:
"kpasswd: Cannot contact any KDC for requested realm changing password"
Expected results:
kpasswd sends a change password request to the kadmin server.
Additional info:
kpasswd is looking for /var/lib/sss/pubconf/kdcinfo.$REALM, if not found it falls back to the traditional method of using /etc/krb5.conf and then DNS lookup. Which works.
If kdcinfo.$REALM exists, kpasswd then looks for /var/lib/sss/pubconf/kpasswdinfo.$REALM, which never gets created. kpasswd uses the addresses from kdcinfo.$REALM as the kadmin server, which isn't running the kpasswd service. Hence fail.
The file in /var/lib/sss/pubconf/ is only created after sssd-krb5 is poked in the right way, e.g. an auth attempt. After restarting sssd the directory is empty.
/etc/sssd/sssd.conf contains:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/default]
cache_credentials = True
debug_level = 0
id_provider = ldap
ldap_uri = ldaps://ldap-auth.mydomain
ldap_id_use_start_tls = False
ldap_search_base = dc=decisionsoft,dc=com
chpass_provider = krb5
auth_provider = krb5
krb5_realm = MYREALM
krb5_kpasswd = kerberos-master.mydomain
krb5_server = kerberos.mydomain
}}}
patch: => 1
resolution: => fixed
rhbz: =>
status: new => closed
tests: => 0
testsupdated: => 0
upgrade: => 0
Comment from mkosek at 2011-12-16 16:03:01
Fields changed
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=698724 698724]
Comment from sgallagh at 2017-02-24 15:03:23
Metadata Update from @sgallagh:
The text was updated successfully, but these errors were encountered: