On Tue, Sep 12, 2017 at 03:45:52PM +0200, Lukas Slebodnik wrote:
ehlo,
I realized that it might be better to discuss it here rather than in
pull requests because it seems to be related to two different commits.
I will describe a test case on master with already created replica on another
host.
* kinit as admin
// create user with dummy password
* echo $dummypw | ipa user-add $login --first "$firstname" --last "$lastname" \
--password
// adding sleep, I think that the first kinit sometimes hits the slave and the user is
// not replicated yet.
* sleep 2
* FirstKinitAs $login $dummypw $password
FirstKinitAs is a bash function which changes the initial password,
something like: echo -e "$password\n$newpassword\n$newpassword" | kinit -V $username
Such a test works reliably with 1.15.3 and kinit always talks to the local master
(I didn't try to remove sleep 2)
But the situation changed a little bit with git master due to the following commits:
IPA: Only generate kdcinfo files on clients
https://pagure.io/SSSD/sssd/c/a309525cc47da726461aec1f238165c17aade2a6
Do you have the /etc/krb5.conf available from the host where the test
failed? The above patch was written with the assumption that
/etc/krb5.conf on the IPA server points to the server itself as
ipa-server-install creates it:
[realms]
 IPA.DEVEL = {
  kdc = ipa-devel.ipa.devel:88
  master_kdc = ipa-devel.ipa.devel:88
  admin_server = ipa-devel.ipa.devel:749
  default_domain = ipa.devel
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
Currently I would assume that at least admin_server is missing.
I'm a bit surprised here because it is not clear to me where during the
test an2ln is used. But if it is the case it might point to an issue at
a different place because the old return code was wrong according to the
documentation of the plugin.
bye,
Sumit
It is enough to revert just one of these patches and the situation is stable again.
BTW the failure is not 100% reliable but it happens quite often, in 40-60% of cases.
And I think kinit on IPA server should always talk to local KDC unless
it is down.
Attaching two logs with KRB5TRACE + SSSD_KRB5_LOCATOR_DEBUG
LS
--------------------------
Added user "selfservuser1"
--------------------------
User login: selfservuser1
First name: first
Last name: last
Full name: first last
Display name: first last
Initials: fl
Home directory: /home/selfservuser1
GECOS: first last
Login shell: /bin/sh
Principal name: selfservuser1@TESTRELM.TEST
Principal alias: selfservuser1@TESTRELM.TEST
Email address: selfservuser1@testrelm.test
UID: 1739200021
GID: 1739200021
Password: True
Member of groups: ipausers
Kerberos keys available: True
:: [ PASS ] :: add test user account (Expected 0, got 0)
:: [ BEGIN ] :: Running 'FirstKinitAs selfservuser1 dummy123@ipa.com
passw0rd1'
[2008] 1504979429.356684: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: selfservuser1@TESTRELM.TEST
[2010] 1504979429.362816: Getting initial credentials for selfservuser1@TESTRELM.TEST
[2010] 1504979429.364886: Sending request (183 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[2] locate_service[1]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[2]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[1] locate_service[1]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.365050: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.365114: Sending TCP request to stream 10.19.41.54:88
[2010] 1504979429.366775: Received answer (186 bytes) from stream 10.19.41.54:88
[2010] 1504979429.366783: Terminating TCP connection to stream 10.19.41.54:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No
such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.366833: Response was from master KDC
[2010] 1504979429.366849: Received error from KDC: -1765328361/Password has expired
[2010] 1504979429.366866: Principal expired; getting changepw ticket
[2010] 1504979429.366871: Getting initial credentials for selfservuser1@TESTRELM.TEST
[2010] 1504979429.366885: Setting initial creds service to kadmin/changepw
[2010] 1504979429.366901: Sending request (178 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No
such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[2] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[2]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.366951: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.366980: Sending TCP request to stream 10.19.41.54:88
[2010] 1504979429.369031: Received answer (308 bytes) from stream 10.19.41.54:88
[2010] 1504979429.369038: Terminating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.369064: Received error from KDC: -1765328359/Additional
pre-authentication required
[2010] 1504979429.369083: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[2010] 1504979429.369094: Selected etype info: etype aes256-cts, salt
"g3,cY9a!,]I#?!mP", params ""
[2010] 1504979429.369096: Received cookie: MIT
[2010] 1504979429.369111: PKINIT client has no configured identity; giving up
[2010] 1504979429.369123: Preauth module pkinit (147) (info) returned: 0/Success
[2010] 1504979429.369130: PKINIT client has no configured identity; giving up
[2010] 1504979429.369134: Preauth module pkinit (16) (real) returned: 22/Invalid
argument
[2010] 1504979429.369139: PKINIT client has no configured identity; giving up
[2010] 1504979429.369143: Preauth module pkinit (14) (real) returned: 22/Invalid
argument
[2010] 1504979429.369148: PKINIT client has no configured identity; giving up
[2010] 1504979429.369157: Preauth module pkinit (14) (real) returned: 22/Invalid
argument
Password for selfservuser1@TESTRELM.TEST:
[2010] 1504979429.377997: AS key obtained for encrypted timestamp: aes256-cts/15DF
[2010] 1504979429.378038: Encrypted timestamp (for 1504979429.377885): plain
301AA011180F32303137303930393137353032395AA105020305C41D, encrypted
724A100FDF786F4B706BEF70A1017CABF3825B16F5111CE381D1C02ECFAF081A75CB0E1B0140709720FE77E1C124344DDFF788DDA1DBBD0D
[2010] 1504979429.378048: Preauth module encrypted_timestamp (2) (real) returned:
0/Success
[2010] 1504979429.378051: Produced preauth for next request: 133, 2
[2010] 1504979429.378060: Sending request (273 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No
such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[2] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[2]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.378117: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.378151: Sending TCP request to stream 10.19.41.54:88
[2010] 1504979429.380629: Received answer (744 bytes) from stream 10.19.41.54:88
[2010] 1504979429.380650: Terminating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.380684: Processing preauth types: 19
[2010] 1504979429.380690: Selected etype info: etype aes256-cts, salt
"g3,cY9a!,]I#?!mP", params ""
[2010] 1504979429.380693: Produced preauth for next request: (empty)
[2010] 1504979429.380704: AS key determined by preauth: aes256-cts/15DF
[2010] 1504979429.380753: Decrypted AS reply; session key is: aes256-cts/0DC0
[2010] 1504979429.380766: FAST negotiation: available
[2010] 1504979429.380792: Attempting password change; 3 tries remaining
Password expired. You must change it now.
Enter new password:
Enter it again:
[2010] 1504979429.380839: Creating authenticator for selfservuser1@TESTRELM.TEST ->
kadmin/changepw@TESTRELM.TEST, seqnum 0, subkey aes256-cts/25FC, session key
aes256-cts/0DC0
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No
such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[2] locate_service[5]
[sssd_krb5_locator] addr[10.19.41.54:464] family[2] socktype[2]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[1] locate_service[5]
[sssd_krb5_locator] addr[10.19.41.54:464] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.380951: Sending initial UDP request to dgram 10.19.41.54:464
[2010] 1504979429.412096: Received answer (236 bytes) from dgram 10.19.41.54:464
[2010] 1504979429.412179: Read AP-REP, time 1504979429.380843, subkey aes256-cts/25FC,
seqnum 534540384
[2010] 1504979429.412213: Getting initial TGT with changed password
[2010] 1504979429.412220: Getting initial credentials for selfservuser1@TESTRELM.TEST
[2010] 1504979429.412279: Sending request (183 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No
such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[2] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[2]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.413245: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.413512: Sending TCP request to stream 10.19.41.54:88
[2010] 1504979429.416335: Received answer (313 bytes) from stream 10.19.41.54:88
[2010] 1504979429.416343: Terminating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.416387: Received error from KDC: -1765328359/Additional
pre-authentication required
[2010] 1504979429.416421: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[2010] 1504979429.416426: Selected etype info: etype aes256-cts, salt
"Py@@RV$)_8syq{7@", params ""
[2010] 1504979429.416428: Received cookie: MIT
[2010] 1504979429.416445: PKINIT client has no configured identity; giving up
[2010] 1504979429.416458: Preauth module pkinit (147) (info) returned: 0/Success
[2010] 1504979429.416467: PKINIT client has no configured identity; giving up
[2010] 1504979429.416472: Preauth module pkinit (16) (real) returned: 22/Invalid
argument
[2010] 1504979429.416478: PKINIT client has no configured identity; giving up
[2010] 1504979429.416482: Preauth module pkinit (14) (real) returned: 22/Invalid
argument
[2010] 1504979429.416487: PKINIT client has no configured identity; giving up
[2010] 1504979429.416491: Preauth module pkinit (14) (real) returned: 22/Invalid
argument
[2010] 1504979429.424898: AS key obtained for encrypted timestamp: aes256-cts/D927
[2010] 1504979429.424928: Encrypted timestamp (for 1504979429.424460): plain
301AA011180F32303137303930393137353032395AA1050203067A0C, encrypted
A06565BC61A85C400D1C6A392DEE704D8597EA81FCC3FF9CBCAE7FA7E65F9CB145DC92C2985DCA86280176D9B6F4AF3A0CD2F95C097A842D
[2010] 1504979429.424935: Preauth module encrypted_timestamp (2) (real) returned:
0/Success
[2010] 1504979429.424938: Produced preauth for next request: 133, 2
[2010] 1504979429.424946: Sending request (278 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] Found [10.19.41.54] in [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST].
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kpasswdinfo.TESTRELM.TEST][2][No
such file or directory].
[sssd_krb5_locator] reading kpasswd address failed, using kdc address.
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[2] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[2]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_realm[TESTRELM.TEST] requested realm[TESTRELM.TEST] family[0]
socktype[1] locate_service[2]
[sssd_krb5_locator] addr[10.19.41.54:88] family[2] socktype[1]
[sssd_krb5_locator] [10.19.41.54] used
[sssd_krb5_locator] sssd_krb5_locator_close called
[2010] 1504979429.424998: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.425026: Sending TCP request to stream 10.19.41.54:88
[2010] 1504979429.430744: Received answer (755 bytes) from stream 10.19.41.54:88
[2010] 1504979429.430752: Terminating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.430796: Processing preauth types: 19
[2010] 1504979429.430803: Selected etype info: etype aes256-cts, salt
"Py@@RV$)_8syq{7@", params ""
[2010] 1504979429.430807: Produced preauth for next request: (empty)
[2010] 1504979429.430812: AS key determined by preauth: aes256-cts/D927
[2010] 1504979429.430840: Decrypted AS reply; session key is: aes256-cts/B4D9
[2010] 1504979429.430849: FAST negotiation: available
[2010] 1504979429.430871: Initializing KEYRING:persistent:0:0 with default princ
selfservuser1@TESTRELM.TEST
[2010] 1504979429.430918: Storing selfservuser1@TESTRELM.TEST ->
krbtgt/TESTRELM.TEST@TESTRELM.TEST in KEYRING:persistent:0:0
[2010] 1504979429.430949: Storing config in KEYRING:persistent:0:0 for
krbtgt/TESTRELM.TEST@TESTRELM.TEST: fast_avail: yes
[2010] 1504979429.430962: Storing selfservuser1@TESTRELM.TEST ->
krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in
KEYRING:persistent:0:0
[2010] 1504979429.430988: Storing config in KEYRING:persistent:0:0 for
krbtgt/TESTRELM.TEST@TESTRELM.TEST: pa_type: 2
[2010] 1504979429.430996: Storing selfservuser1@TESTRELM.TEST ->
krb5_ccache_conf_data/pa_type/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: in
KEYRING:persistent:0:0
Authenticated to Kerberos v5
Default principal: selfservuser1@TESTRELM.TEST
:: [ 13:50:29 ] :: kinit as selfservuser1 with new password passw0rd1 was successful.
--------------------------
Added user "selfservuser1"
--------------------------
User login: selfservuser1
First name: first
Last name: last
Full name: first last
Display name: first last
Initials: fl
Home directory: /home/selfservuser1
GECOS: first last
Login shell: /bin/sh
Principal name: selfservuser1@TESTRELM.TEST
Principal alias: selfservuser1@TESTRELM.TEST
Email address: selfservuser1@testrelm.test
UID: 1033600021
GID: 1033600021
Password: True
Member of groups: ipausers
Kerberos keys available: True
:: [ PASS ] :: add test user account (Expected 0, got 0)
:: [ BEGIN ] :: Running 'FirstKinitAs selfservuser1 dummy123@ipa.com
passw0rd1'
[2085] 1504880246.717409: Destroying ccache KEYRING:persistent:0:0
Using default cache: persistent:0:0
Using principal: selfservuser1@TESTRELM.TEST
[2087] 1504880246.723854: Getting initial credentials for selfservuser1@TESTRELM.TEST
[2087] 1504880246.725923: Sending request (183 bytes) to TESTRELM.TEST
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such
file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[2087] 1504880246.726052: Resolving hostname kvm-02-guest23.testrelm.test
[2087] 1504880246.726388: Initiating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.726467: Sending TCP request to stream 10.16.68.129:88
[2087] 1504880246.728536: Received answer (186 bytes) from stream 10.16.68.129:88
[2087] 1504880246.728544: Terminating TCP connection to stream 10.16.68.129:88
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such
file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[2087] 1504880246.728603: Response was from master KDC
[2087] 1504880246.728636: Received error from KDC: -1765328361/Password has expired
[2087] 1504880246.728655: Principal expired; getting changepw ticket
[2087] 1504880246.728661: Getting initial credentials for selfservuser1@TESTRELM.TEST
[2087] 1504880246.728676: Setting initial creds service to kadmin/changepw
[2087] 1504880246.728693: Sending request (178 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such
file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[2087] 1504880246.728709: Resolving hostname kvm-02-guest23.testrelm.test
[2087] 1504880246.728780: Initiating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.728811: Sending TCP request to stream 10.16.68.129:88
[2087] 1504880246.730875: Received answer (308 bytes) from stream 10.16.68.129:88
[2087] 1504880246.730882: Terminating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.730906: Received error from KDC: -1765328359/Additional
pre-authentication required
[2087] 1504880246.730925: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[2087] 1504880246.730936: Selected etype info: etype aes256-cts, salt
"IW9`+Bl+'dxuYHbk", params ""
[2087] 1504880246.730939: Received cookie: MIT
[2087] 1504880246.730952: PKINIT client has no configured identity; giving up
[2087] 1504880246.730965: Preauth module pkinit (147) (info) returned: 0/Success
[2087] 1504880246.730971: PKINIT client has no configured identity; giving up
[2087] 1504880246.730982: Preauth module pkinit (16) (real) returned: 22/Invalid
argument
[2087] 1504880246.730987: PKINIT client has no configured identity; giving up
[2087] 1504880246.730991: Preauth module pkinit (14) (real) returned: 22/Invalid
argument
[2087] 1504880246.730995: PKINIT client has no configured identity; giving up
[2087] 1504880246.730999: Preauth module pkinit (14) (real) returned: 22/Invalid
argument
Password for selfservuser1@TESTRELM.TEST:
[2087] 1504880246.740078: AS key obtained for encrypted timestamp: aes256-cts/499B
[2087] 1504880246.740125: Encrypted timestamp (for 1504880246.739952): plain
301AA011180F32303137303930383134313732365AA10502030B4A70, encrypted
B551CD21FE48C30DA246AB740E90048E2A38C4288EB6DEFD9D139937EFFACC074D1EDD786E1E201BB1690EF483BECD0EC98387E62DA2E274
[2087] 1504880246.740153: Preauth module encrypted_timestamp (2) (real) returned:
0/Success
[2087] 1504880246.740156: Produced preauth for next request: 133, 2
[2087] 1504880246.740169: Sending request (273 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such
file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[2087] 1504880246.740201: Resolving hostname kvm-02-guest23.testrelm.test
[2087] 1504880246.740342: Initiating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.740393: Sending TCP request to stream 10.16.68.129:88
[2087] 1504880246.743192: Received answer (744 bytes) from stream 10.16.68.129:88
[2087] 1504880246.743199: Terminating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.743233: Processing preauth types: 19
[2087] 1504880246.743240: Selected etype info: etype aes256-cts, salt
"IW9`+Bl+'dxuYHbk", params ""
[2087] 1504880246.743243: Produced preauth for next request: (empty)
[2087] 1504880246.743249: AS key determined by preauth: aes256-cts/499B
[2087] 1504880246.743285: Decrypted AS reply; session key is: aes256-cts/756D
[2087] 1504880246.743325: FAST negotiation: available
[2087] 1504880246.743360: Attempting password change; 3 tries remaining
Password expired. You must change it now.
Enter new password:
Enter it again:
[2087] 1504880246.743415: Creating authenticator for selfservuser1@TESTRELM.TEST ->
kadmin/changepw@TESTRELM.TEST, seqnum 0, subkey aes256-cts/583E, session key
aes256-cts/756D
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such
file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[2087] 1504880246.743980: Resolving hostname ibm-x3650m4-01-vm-05.testrelm.test.
[2087] 1504880246.744368: Sending initial UDP request to dgram
2620:52:0:102f:5054:1ff:fe3c:e12d:464
[2087] 1504880246.813550: Received answer (248 bytes) from dgram
2620:52:0:102f:5054:1ff:fe3c:e12d:464
[2087] 1504880246.813683: Read AP-REP, time 1504880246.743419, subkey aes256-cts/583E,
seqnum 1071928275
[2087] 1504880246.813717: Getting initial TGT with changed password
[2087] 1504880246.813723: Getting initial credentials for selfservuser1@TESTRELM.TEST
[2087] 1504880246.813784: Sending request (183 bytes) to TESTRELM.TEST (master)
[sssd_krb5_locator] sssd_krb5_locator_init called
[sssd_krb5_locator] open failed [/var/lib/sss/pubconf/kdcinfo.TESTRELM.TEST][2][No such
file or directory].
[sssd_krb5_locator] get_krb5info failed.
[sssd_krb5_locator] sssd_krb5_locator_close called
[2087] 1504880246.813835: Resolving hostname kvm-02-guest23.testrelm.test
[2087] 1504880246.814002: Initiating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.814048: Sending TCP request to stream 10.16.68.129:88
[2087] 1504880246.816774: Received answer (186 bytes) from stream 10.16.68.129:88
[2087] 1504880246.816781: Terminating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.816811: Received error from KDC: -1765328361/Password has expired
kinit: Password has expired while getting initial credentials
klist: Credentials cache keyring 'persistent:0:0' not found
:: [ 10:17:26 ] :: ERROR: kinit as selfservuser1 with new password passw0rd1 failed.
:: [ FAIL ] :: Command 'FirstKinitAs selfservuser1 dummy123@ipa.com
passw0rd1' (Expected 0, got 1)
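
The two traces differ in which address each request goes to. As an added example (not part of the original thread), the following extracts the port 88 and port 464 endpoints from KRB5TRACE output and flags a trace where the password change went to a host that never served the AS requests and the follow-up request was rejected as expired. The function names are this example's own; the sample traces are abridged from the two logs above with wrapped lines rejoined.

```python
import re

# MIT krb5 trace prefix: "[pid] seconds.micros: message".
TRACE_LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
# Trace messages that name the endpoint a request is actually sent to.
SEND = re.compile(
    r"^(?:Initiating TCP connection to stream"
    r"|Sending initial UDP request to dgram) (\S+)$"
)
KDC_ERROR = re.compile(r"^Received error from KDC: (-?\d+)/")
CHANGED_PW = "Getting initial TGT with changed password"
KEY_EXPIRED = -1765328361  # "Password has expired", code as printed in the traces


def split_endpoint(endpoint):
    """Split 'host:port'; krb5 prints IPv6 hosts without brackets."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def analyze(trace_text):
    """Summarize which hosts served port 88 and port 464 in one kinit trace."""
    kdc_hosts, kpasswd_hosts = [], []
    after_change = expired_after_change = False
    for raw in trace_text.splitlines():
        m = TRACE_LINE.match(raw.strip())
        if not m:
            continue  # locator debug lines, prompts, test harness output
        msg = m.group(3)
        if msg == CHANGED_PW:
            after_change = True
            continue
        sent = SEND.match(msg)
        if sent:
            host, port = split_endpoint(sent.group(1))
            bucket = {88: kdc_hosts, 464: kpasswd_hosts}.get(port)
            if bucket is not None and host not in bucket:
                bucket.append(host)
            continue
        err = KDC_ERROR.match(msg)
        if err and after_change and int(err.group(1)) == KEY_EXPIRED:
            expired_after_change = True
    return {
        "kdc_hosts": kdc_hosts,
        "kpasswd_hosts": kpasswd_hosts,
        # Password-change targets that never answered an AS request on port 88.
        "kpasswd_elsewhere": [h for h in kpasswd_hosts if h not in kdc_hosts],
        "expired_after_change": expired_after_change,
    }


# Sample input: abridged from the two traces above, wrapped lines rejoined.
PASS_TRACE = """\
[sssd_krb5_locator] [10.19.41.54] used
[2010] 1504979429.365050: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.366849: Received error from KDC: -1765328361/Password has expired
[2010] 1504979429.380951: Sending initial UDP request to dgram 10.19.41.54:464
[2010] 1504979429.412213: Getting initial TGT with changed password
[2010] 1504979429.413245: Initiating TCP connection to stream 10.19.41.54:88
[2010] 1504979429.416387: Received error from KDC: -1765328359/Additional pre-authentication required
"""
FAIL_TRACE = """\
[sssd_krb5_locator] get_krb5info failed.
[2087] 1504880246.726388: Initiating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.728636: Received error from KDC: -1765328361/Password has expired
[2087] 1504880246.744368: Sending initial UDP request to dgram 2620:52:0:102f:5054:1ff:fe3c:e12d:464
[2087] 1504880246.813717: Getting initial TGT with changed password
[2087] 1504880246.814002: Initiating TCP connection to stream 10.16.68.129:88
[2087] 1504880246.816811: Received error from KDC: -1765328361/Password has expired
"""

if __name__ == "__main__":
    for name, trace in (("pass", PASS_TRACE), ("fail", FAIL_TRACE)):
        print(name, analyze(trace))
```

Addresses are compared as strings, so a single KDC reached over IPv4 on port 88 and IPv6 on port 464 would also be reported under `kpasswd_elsewhere`; check the `Resolving hostname` lines of the full trace before concluding that two hosts were involved.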