[Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails

Martin Babinsky mbabinsk at redhat.com
Wed Jan 20 08:42:10 UTC 2016


On 01/15/2016 06:29 PM, Martin Babinsky wrote:
> On 01/15/2016 04:57 PM, Simo Sorce wrote:
>> On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
>>> On 01/14/2016 10:31 PM, Simo Sorce wrote:
>>>> On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
>>>>> On 01/13/2016 10:31 AM, Martin Babinsky wrote:
>>>>>> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
>>>>>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
>>>>>>>> https://fedorahosted.org/freeipa/ticket/5584
>>>>>>>>
>>>>>>> And the patch is here.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> self-NACK, there may be a better way to handle this. I will do some
>>>>>> investigation and send updated patch.
>>>>>>
>>>>> Attaching updated patch.
>>>>
>>>> A failure to obtain a tgt may be due to other reasons (for example the
>>>> KDC crashed), why are you trying to use this test?
>>>> Isn't it sufficient to see there is no host entry in the directory?
>>>>
>>>> Simo.
>>>>
>>> There were some corner cases I encountered, mostly concerning a cleanup
>>> after unsuccessful replica promotion.
>>>
>>> You may sometimes end up in a state where local DS is working, but KDC
>>> crashed and the krb5.conf is still pointing at a remote one. In that
>>> case "malformed" replica's local host entry exists, but when such host
>>> tries to get TGT, the AS-REQ goes to remote KDC from other master.
>>>
>>> However, if the admin had in the meantime cleaned up this host's
>>> kerberos principals/keys, the crashed replica gets one of the following
>>> errors:
>>>
>>> Client not found in Kerberos database
>>> Client credentials have been revoked
>>> Generic preauthentication failure
>>>
>>> These were printed out as errors during uninstall, but were actually
>>> expected in a situation like this. It is true that the code should check
>>> and ignore these specific errors.
>>
>> Only the first is valid for your case, the others may be transient
>> errors.
>>
>> Simo.
>>
>>
> True, attaching updated patch. The other errors will now pop out in the
> output and the warning will be displayed.
>
>
>
Bump for review.

-- 
Martin^3 Babinsky



