[Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code

Martin Babinsky mbabinsk at redhat.com
Mon Mar 23 11:48:02 UTC 2015 

On 03/17/2015 06:00 PM, Simo Sorce wrote:
> On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote:
>> On 03/16/2015 12:15 PM, Martin Kosek wrote:
>>> On 03/13/2015 05:37 PM, Martin Babinsky wrote:
>>>> Attaching the next iteration of patches.
>>>>
>>>> I have tried my best to reword the ipa-client-install man page bit about the
>>>> new option. Any suggestions to further improve it are welcome.
>>>>
>>>> I have also slightly modified the 'kinit_keytab' function so that in Kerberos
>>>> errors are reported for each attempt and the text of the last error is retained
>>>> when finally raising exception.
>>>
>>> The approach looks very good. I think that my only concern with this patch is
>>> this part:
>>>
>>> +            ccache.init_creds_keytab(keytab=ktab, principal=princ)
>>> ...
>>> +        except krbV.Krb5Error as e:
>>> +            last_exc = str(e)
>>> +            root_logger.debug("Attempt %d/%d: failed: %s"
>>> +                              % (attempt, attempts, last_exc))
>>> +            time.sleep(1)
>>> +
>>> +    root_logger.debug("Maximum number of attempts (%d) reached"
>>> +                      % attempts)
>>> +    raise StandardError("Error initializing principal %s: %s"
>>> +                        % (principal, last_exc))
>>>
>>> The problem here is that this function will raise the super-generic
>>> StandardError instead of the proper with all the context and information about
>>> the error that the caller can then process.
>>>
>>> I think that
>>>
>>>       except krbV.Krb5Error as e:
>>>           if attempt == max_attempts:
>>>               log something
>>>               raise
>>>
>>> would be better.
>>>
>>
>> Yes that seems reasonable. I'm just thinking whether we should re-raise
>> Krb5Error or raise ipalib.errors.KerberosError? the latter options makes
>> more sense to me as we would not have to additionally import Krb5Error
>> everywhere and it would also make the resulting errors more consistent.
>>
>> I am thinking about someting like this:
>>
>>       except krbV.Krb5Error as e:
>>          if attempt == attempts:
>>              # log that we have reaches maximum number of attempts
>>              raise KerberosError(minor=str(e))
>>
>> What do you think?
>
> Are you retrying on any error ?
> Please do *not* do that, if you retry many times on an error that
> indicates the password is wrong you may end up locking an administrative
> account. If you want to retry you should do it only for very specific
> timeout errors.
>
> Simo.
>
>
I have taken a look at the logs attached to the original BZ 
(https://bugzilla.redhat.com/show_bug.cgi?id=1161722).

In ipaclient-install.log the kinit error is:

"Cannot contact any KDC for realm 'ITW.USPTO.GOV' while getting initial 
credentials"

which can be translated to krbV.KRB5_KDC_UNREACH error. However, 
krb5kdc.log (http://pastebin.test.redhat.com/271394) reports errors 
which are seemingly unrelated to the root cause (kinit timing out on 
getting host TGT).

Thus I'm not quite sure which errors should we chceck against in this 
case, anyone care to advise? These are potential candidates:

KRB5KDC_ERR_SVC_UNAVAILABLE, "A service is not available that is 
required to process the request"
KRB5KRB_ERR_RESPONSE_TOO_BIG,    "Response too big for UDP, retry with TCP"
KRB5_REALM_UNKNOWN,      "Cannot find KDC for requested realm"
KRB5_KDC_UNREACH,        "Cannot contact any KDC for requested realm"

-- 
Martin^3 Babinsky

More information about the Freeipa-devel mailing list