Bug 180718 - failure to find a master kdc masks an error returned from a non-master
Summary: failure to find a master kdc masks an error returned from a non-master
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On: 180671
Blocks: FC5Target
Reported: 2006-02-09 20:29 UTC by Nalin Dahyabhai
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-09 21:54:41 UTC



Description Nalin Dahyabhai 2006-02-09 20:29:44 UTC
+++ This bug was initially created as a clone of Bug #180671 +++

Description of problem:

The krb5 client library returns an unexpected error when a lookup fails:

$ ./ldap_krb5
DEBUG realm REDHAT.COM
DEBUG in_tkt: krbtgt/REDHAT.COM@REDHAT.COM
CRIT lookup(ldap): krb5_get_init_creds_keytab failed with Cannot find KDC for
requested realm.

When adding the following to the krb5.conf, the error message changes:

  master_kdc = kerberos.corp.redhat.com

The error returned is now this:

$ ./ldap_krb5
DEBUG realm REDHAT.COM
DEBUG in_tkt: krbtgt/REDHAT.COM@REDHAT.COM
CRIT lookup(ldap): krb5_get_init_creds_keytab failed with Client not found in
Kerberos database.

Version-Release number of selected component (if applicable):
krb5-devel-1.3.4-9

How reproducible:
100%

Steps to Reproduce:
Install the following krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 REDHAT.COM = {
  kdc = kerberos.boston.redhat.com:88
  admin_server = kerberos.corp.redhat.com:749
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 .redhat.com = REDHAT.COM
 redhat.com = REDHAT.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Then, try to look up a principal that doesn't exist, such as
host/segfault.boston.redhat.com@REDHAT.COM.  This can be reproduced by issuing
the following command on segfault:

$ kinit -k

If the following is specified in the krb5.conf, then the "correct" error is
returned:

  master_kdc = kerberos.corp.redhat.com

$ kinit -k
kinit(v5): Client not found in Kerberos database while getting initial credentials
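
The masking described in this report can be modelled in a few lines of C. This is an added example, not part of the original report and not the krb5 library's code; it assumes the client retries against the realm's master KDC after a non-master returns an error, and every name and enum value in it is hypothetical.

```c
#include <stdio.h>

/* Constructed stand-ins for the two errors quoted in the report; these are
 * illustrative values, not the library's real error-table constants. */
enum model_err {
    M_OK = 0,
    M_CLIENT_NOT_FOUND,   /* "Client not found in Kerberos database" */
    M_NO_KDC_FOR_REALM    /* "Cannot find KDC for requested realm" */
};

/* Hypothetical view of one [realms] stanza: is master_kdc set? */
struct realm_cfg { int has_master_kdc; };

/* A reachable non-master KDC answers that the principal does not exist. */
static enum model_err ask_any_kdc(void) { return M_CLIENT_NOT_FOUND; }

/* Assumed retry against the master: without master_kdc it cannot be located. */
static enum model_err ask_master_kdc(const struct realm_cfg *cfg)
{
    return cfg->has_master_kdc ? M_CLIENT_NOT_FOUND : M_NO_KDC_FOR_REALM;
}

/* mask = 1 models the reported behaviour, mask = 0 the expected one. */
enum model_err model_get_init_creds(const struct realm_cfg *cfg, int mask)
{
    enum model_err first = ask_any_kdc();
    if (first == M_OK)
        return M_OK;
    enum model_err second = ask_master_kdc(cfg);
    /* Expected: a failure to locate the master must not replace the
     * answer already received from the KDC that was reachable. */
    if (second == M_NO_KDC_FOR_REALM && !mask)
        return first;
    return second;
}

int main(void)
{
    static const char *msg[] = { "success",
        "Client not found in Kerberos database",
        "Cannot find KDC for requested realm" };
    struct realm_cfg no_master = { 0 }, with_master = { 1 };
    printf("no master_kdc, masked:   %s\n", msg[model_get_init_creds(&no_master, 1)]);
    printf("no master_kdc, expected: %s\n", msg[model_get_init_creds(&no_master, 0)]);
    printf("master_kdc set:          %s\n", msg[model_get_init_creds(&with_master, 1)]);
    return 0;
}
```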

Comment 1 Nalin Dahyabhai 2006-02-09 21:54:23 UTC
Looks like I can't reproduce this on Raw Hide, after all.

