[Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails

Simo Sorce simo at redhat.com
Wed Jan 20 14:45:01 UTC 2016


On Wed, 2016-01-20 at 09:42 +0100, Martin Babinsky wrote:
> On 01/15/2016 06:29 PM, Martin Babinsky wrote:
> > On 01/15/2016 04:57 PM, Simo Sorce wrote:
> >> On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
> >>> On 01/14/2016 10:31 PM, Simo Sorce wrote:
> >>>> On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
> >>>>> On 01/13/2016 10:31 AM, Martin Babinsky wrote:
> >>>>>> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
> >>>>>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
> >>>>>>>> https://fedorahosted.org/freeipa/ticket/5584
> >>>>>>>>
> >>>>>>> And the patch is here.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>> self-NACK, there may be a better way to handle this. I will do some
> >>>>>> investigation and send updated patch.
> >>>>>>
> >>>>> Attaching updated patch.
> >>>>
> >>>> A failure to obtain a TGT may be due to other reasons (for example the
> >>>> KDC crashed), why are you trying to use this test?
> >>>> Isn't it sufficient to see there is no host entry in the directory ?
> >>>>
> >>>> Simo.
> >>>>
> >>> There were some corner cases I encountered, mostly concerning a cleanup
> >>> after unsuccessful replica promotion.
> >>>
> >>> You may sometimes end up in a state where local DS is working, but KDC
> >>> crashed and the krb5.conf is still pointing at a remote one. In that
> >>> case "malformed" replica's local host entry exists, but when such host
> >>> tries to get TGT, the AS-REQ goes to remote KDC from other master.
> >>>
> >>> However, if the admin had in the meantime cleaned up this host's
> >>> Kerberos principals/keys, the crashed replica gets one of the following
> >>> errors:
> >>>
> >>> Client not found in Kerberos database
> >>> Client credentials have been revoked
> >>> Generic preauthentication failure
> >>>
> >>> These were printed out as errors during uninstall, but were actually
> >>> expected in situation like this. It is true that the code should check
> >>> and ignore these specific errors.
> >>
> >> Only the first is valid for your case, the others may be transient
> >> errors.
> >>
> >> Simo.
> >>
> >>
> > True, attaching updated patch. The other errors will now pop out in the
> > output and the warning will be displayed.
> >
> >
> >
> Bump for review.
> 

LGTM
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
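The error handling the thread settles on (treat "Client not found in Kerberos database" from the remote KDC as proof the host was already cleaned up, surface every other kinit failure as a warning) as an added example. This is not FreeIPA project code and not the patch under review; it assumes the host TGT is requested with `kinit -kt` against the system keytab and that the libkrb5 error strings appear in kinit's stderr. The principal, keytab path, the extra "Cannot contact any KDC" pattern and the stub runner are assumptions made for the example; the sample stderr lines are constructed.

```python
"""Classify a failed host-TGT request during IPA master uninstall.

Added example, not FreeIPA code.  Assumes MIT krb5 `kinit -kt` and that the
libkrb5 error text is present in its stderr.
"""
import re
import subprocess
from collections import namedtuple

TgtResult = namedtuple("TgtResult", "status detail")

# The one error that proves the remote KDC no longer knows this host principal.
# Newer kinit builds interpolate the principal ("Client 'host/...' not found"),
# older ones print the bare error-table string, so match both forms.
REMOVED_RE = re.compile(r"Client(?: '[^']*')? not found in Kerberos database")

# Failures that may be transient (KDC down, stale keys, clock) and must NOT be
# read as "this master is gone".  The first two are the other errors named in
# the thread; the KDC-unreachable pattern is an assumed addition.
TRANSIENT_RES = (
    re.compile(r"Client'?s? credentials have been revoked"),
    re.compile(r"Generic preauthentication failure"),
    re.compile(r"Cannot contact any KDC"),
)


def classify_kinit_stderr(stderr):
    """Map kinit stderr to 'removed', 'transient' or 'unknown'."""
    text = stderr.strip()
    if REMOVED_RE.search(text):
        return "removed"
    if any(rx.search(text) for rx in TRANSIENT_RES):
        return "transient"
    return "unknown"


def request_host_tgt(principal, keytab, runner=subprocess.run):
    """Ask the KDC named in krb5.conf for a TGT using the host keytab.

    `runner` is injectable so the decision logic can be exercised without a
    KDC; in real use it is subprocess.run.  check=False: a failed AS-REQ is
    a result to classify, not an exception.
    """
    proc = runner(["kinit", "-kt", keytab, principal],
                  capture_output=True, text=True, check=False)
    if proc.returncode == 0:
        return TgtResult("ok", "")
    return TgtResult(classify_kinit_stderr(proc.stderr), proc.stderr.strip())


def uninstall_decision(result):
    """Return (treat_as_removed, message) for the uninstaller.

    Only 'removed' is accepted as evidence that the other masters already
    dropped this host; every other failure is reported as a warning so the
    operator knows remote topology cleanup may be incomplete.
    """
    if result.status == "ok":
        return (False, None)
    if result.status == "removed":
        return (True, "host principal no longer known to the remote KDC; "
                      "treating this master as already removed from topology")
    return (False, "could not obtain host TGT (%s); cleanup on the remote "
                   "masters may be incomplete: %s"
                   % (result.status, result.detail))


def fake_kinit(stderr, returncode=1):
    """Stand-in for subprocess.run returning a fixed kinit outcome (offline demo)."""
    def runner(cmd, **kwargs):
        return subprocess.CompletedProcess(cmd, returncode, stdout="", stderr=stderr)
    return runner


# Constructed stderr samples in the shape kinit prints them.
SAMPLE_REMOVED = ("kinit: Client 'host/replica.example.test@EXAMPLE.TEST' not "
                  "found in Kerberos database while getting initial credentials")
SAMPLE_PREAUTH = ("kinit: Generic preauthentication failure while getting "
                  "initial credentials")
SAMPLE_NO_KDC = ("kinit: Cannot contact any KDC for realm 'EXAMPLE.TEST' while "
                 "getting initial credentials")


def demo():
    principal, keytab = "host/replica.example.test@EXAMPLE.TEST", "/etc/krb5.keytab"
    for sample in (SAMPLE_REMOVED, SAMPLE_PREAUTH, SAMPLE_NO_KDC):
        res = request_host_tgt(principal, keytab, runner=fake_kinit(sample))
        print(res.status, uninstall_decision(res))


if __name__ == "__main__":
    demo()
```

Dropping `runner=fake_kinit(...)` makes `request_host_tgt` run the real kinit, which is what the uninstaller would do; the classification and decision code stays the same either way.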



