[Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails

Martin Basti mbasti at redhat.com
Thu Jan 21 17:14:12 UTC 2016



On 20.01.2016 15:45, Simo Sorce wrote:
> On Wed, 2016-01-20 at 09:42 +0100, Martin Babinsky wrote:
>> On 01/15/2016 06:29 PM, Martin Babinsky wrote:
>>> On 01/15/2016 04:57 PM, Simo Sorce wrote:
>>>> On Fri, 2016-01-15 at 13:35 +0100, Martin Babinsky wrote:
>>>>> On 01/14/2016 10:31 PM, Simo Sorce wrote:
>>>>>> On Wed, 2016-01-13 at 17:31 +0100, Martin Babinsky wrote:
>>>>>>> On 01/13/2016 10:31 AM, Martin Babinsky wrote:
>>>>>>>> On 01/07/2016 05:38 PM, Martin Babinsky wrote:
>>>>>>>>> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
>>>>>>>>>> https://fedorahosted.org/freeipa/ticket/5584
>>>>>>>>>>
>>>>>>>>> And the patch is here.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>> self-NACK, there may be a better way to handle this. I will do some
>>>>>>>> investigation and send updated patch.
>>>>>>>>
>>>>>>> Attaching updated patch.
>>>>>> A failure to obtain a tgt may be due to other reasons (for example the
>>>>>> KDC crashed), why are you trying to use this test ?
>>>>>> Isn't it sufficient to see there is no host entry in the directory ?
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>> There were some corner cases I encountered, mostly concerning a cleanup
>>>>> after unsuccessful replica promotion.
>>>>>
>>>>> You may sometimes end up in a state where local DS is working, but KDC
>>>>> crashed and the krb5.conf is still pointing at a remote one. In that
>>>>> case "malformed" replica's local host entry exists, but when such host
>>>>> tries to get TGT, the AS-REQ goes to remote KDC from other master.
>>>>>
>>>>> However, if the admin had in the meantime cleaned up this host's
>>>>> kerberos principals/keys, the crashed replica gets one of the following
>>>>> errors:
>>>>>
>>>>> Client not found in Kerberos database
>>>>> Client credentials have been revoked
>>>>> Generic preauthentication failure
>>>>>
>>>>> These were printed out as errors during uninstall, but were actually
>>>>> expected in a situation like this. It is true that the code should check
>>>>> and ignore these specific errors.
>>>> Only the first is valid for your case, the others may be transient
>>>> errors.
>>>>
>>>> Simo.
>>>>
>>>>
>>> True, attaching updated patch. The other errors will now pop out in the
>>> output and the warning will be displayed.
>>>
>>>
>>>
>> Bump for review.
>>
> LGTM
> Simo.
>
ACK

Pushed to:
master: d726da3ba20283ffdc1d384dfedf8e6a732dc3d7
ipa-4-3: 4f0266f925207ca705b45287744b3e609d841cc6
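The rule agreed in the thread, as an added, stand-alone example (not the patch
itself and not FreeIPA's own code): request a TGT with the host keytab, treat
only "Client not found in Kerberos database" as proof that this master's
principal was cleaned up, and report the revocation and preauthentication
errors as possibly transient instead. The label names, the `runner` hook and
the sample kinit outputs are assumptions made for this example; the only
external call is the standard MIT krb5 `kinit -k -t KEYTAB PRINCIPAL`.

```python
"""Decide whether a failed host TGT request means this IPA master was
removed from the topology.  Added example, not FreeIPA's code."""
import re
import subprocess
from typing import Callable, Tuple

# Outcome labels (names chosen for this example).
OK = "ok"                # TGT obtained: the host principal still exists
REMOVED = "removed"      # KDC has no such client: treat this master as gone
TRANSIENT = "transient"  # failure that does not prove removal; warn only
UNKNOWN = "unknown"      # anything else: surface the raw kinit error

# MIT krb5 prints KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN as "Client not found in
# Kerberos database"; newer releases insert the principal after "Client".
_NOT_FOUND = re.compile(r"Client( '[^']*')? not found in Kerberos database")

# Errors the thread agreed must NOT be taken as proof of removal.
_TRANSIENT = (
    "Client credentials have been revoked",
    "Generic preauthentication failure",
)


def classify_kinit_result(returncode: int, stderr: str) -> str:
    """Map a kinit exit status and its stderr text to one of the labels."""
    if returncode == 0:
        return OK
    if _NOT_FOUND.search(stderr):
        return REMOVED
    if any(msg in stderr for msg in _TRANSIENT):
        return TRANSIENT
    return UNKNOWN


def run_kinit(principal: str, keytab: str) -> Tuple[int, str]:
    """Real runner: `kinit -k -t KEYTAB PRINCIPAL` with the MIT krb5 CLI."""
    proc = subprocess.run(
        ["kinit", "-k", "-t", keytab, principal],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode, proc.stderr


def host_tgt_status(
    principal: str,
    keytab: str,
    runner: Callable[[str, str], Tuple[int, str]] = run_kinit,
) -> Tuple[str, str]:
    """Return (label, human-readable message) for this host's TGT request.

    `runner` is injectable so the decision logic can be exercised offline.
    """
    rc, err = runner(principal, keytab)
    status = classify_kinit_result(rc, err)
    if status == OK:
        msg = "host TGT obtained; %s is still known to the KDC" % principal
    elif status == REMOVED:
        msg = ("KDC no longer knows %s; treating this master as removed "
               "from the topology" % principal)
    elif status == TRANSIENT:
        msg = ("kinit failed with a possibly transient error, NOT treating "
               "the master as removed: %s" % err.strip())
    else:
        msg = "kinit failed: %s" % err.strip()
    return status, msg


# Constructed sample kinit outputs (not captured from a real deployment).
SAMPLES = {
    "cleaned up (old format)": (1, "kinit: Client not found in Kerberos "
                                   "database while getting initial credentials\n"),
    "cleaned up (new format)": (1, "kinit: Client 'host/r2.ipa.test@IPA.TEST' "
                                   "not found in Kerberos database while "
                                   "getting initial credentials\n"),
    "revoked": (1, "kinit: Client credentials have been revoked while "
                   "getting initial credentials\n"),
    "preauth": (1, "kinit: Generic preauthentication failure while getting "
                   "initial credentials\n"),
    "kdc down": (1, "kinit: Cannot contact any KDC for realm 'IPA.TEST' "
                    "while getting initial credentials\n"),
    "success": (0, ""),
}

if __name__ == "__main__":
    for name, (rc, err) in SAMPLES.items():
        status, msg = host_tgt_status(
            "host/r2.ipa.test@IPA.TEST", "/etc/krb5.keytab",
            runner=lambda p, k, rc=rc, err=err: (rc, err))
        print("%-24s -> %-9s %s" % (name, status, msg))
```

Only the `REMOVED` outcome should short-circuit the cleanup; a `TRANSIENT`
or `UNKNOWN` result (KDC crashed, clock skew, revoked keys) keeps the warning
visible so the admin can retry instead of silently skipping the topology
cleanup.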



