There are time gaps in which kinit requests may fail due to an offline SSSD locator and replication delays. While the `IPA` provider or SSSD itself is offline, the locator plugin for libkrb5 (man 8 sssd_krb5_locator_plugin) can do nothing about this, and kinit falls back to the standard libkrb5 algorithm described in `man 5 krb5.conf`. `krb5.conf` on an IPA server doesn't include `kpasswd_server`, so kinit falls back to DNS. DNS (URI or SRV) RRs don't preserve any order, and kinit may contact either the master or a replica kpasswd server. This may result in a password being changed on a replica but not yet replicated to the master: master(kinit)->master(initial)->replica(kpasswd)->master(can't obtain initial creds with new password). So `kpasswd_server` serves as a fallback for the offline locator. Note: primary_kdc (the former master_kdc) doesn't help here because it is only used if obtaining initial credentials fails (see `krb5_get_init_creds_password` in libkrb5), not for a password change. Fixes: https://pagure.io/freeipa/issue/8353 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
# krb5.conf template for an IPA server. The INCLUDES, REALM, FQDN, DOMAIN,
# KDC_CA_BUNDLE_PEM, CA_BUNDLE_PEM, OTHER_LIBDEFAULTS and
# OTHER_DOMAIN_REALM_MAPS placeholders are presumably substituted by the
# installer at deploy time. NOTE(review): they look like string.Template
# variables, so avoid stray dollar signs in comments -- confirm against the
# installer's template code.
# Comment lines (leading '#') are ignored by the libkrb5 profile parser.
$INCLUDES
# SSSD-managed snippets (presumably localauth plugin config and extra
# domain_realm maps). includedir must stay outside any [section].
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = $REALM
# Do not map hostnames to realms via (unauthenticated) DNS TXT records; the
# static [domain_realm] section below is the authoritative mapping.
dns_lookup_realm = false
# KDCs may also be discovered via DNS SRV/URI records in addition to the
# explicit entries in [realms]. DNS is not trusted for anything else; Kerberos
# mutual authentication is what protects against a rogue KDC.
dns_lookup_kdc = true
# Never reverse-resolve a server address when canonicalizing a service
# principal name: a spoofed PTR record must not redirect service tickets.
rdns = false
ticket_lifetime = 24h
# Tickets are forwardable by default, which permits credential delegation.
# NOTE(review): this is a policy choice that widens delegation for every
# client using this file; confirm it is intended.
forwardable = true
# 0 forces TCP for all KDC traffic, avoiding UDP truncation of large
# responses (e.g. tickets carrying a large PAC).
udp_preference_limit = 0
$OTHER_LIBDEFAULTS

[realms]
$REALM = {
kdc = $FQDN:88
# Deprecated alias of primary_kdc (krb5 >= 1.19). Only consulted when
# obtaining initial credentials fails, so it does not cover password changes.
master_kdc = $FQDN:88
# Explicit kpasswd server so a password change goes to this server rather
# than to an arbitrary replica picked from unordered DNS SRV/URI records while
# the SSSD locator plugin is offline (see issue 8353).
kpasswd_server = $FQDN:464
admin_server = $FQDN:749
default_domain = $DOMAIN
# PKINIT: trust anchors used to verify the KDC's certificate, and a pool of
# intermediate certificates available for chain building.
pkinit_anchors = FILE:$KDC_CA_BUNDLE_PEM
pkinit_pool = FILE:$CA_BUNDLE_PEM
}

[domain_realm]
.$DOMAIN = $REALM
$DOMAIN = $REALM
$FQDN = $REALM
$OTHER_DOMAIN_REALM_MAPS

[dbmodules]
$REALM = {
# KDC principal database backend supplied by IPA.
db_library = ipadb.so
}

[plugins]
# PKINIT certificate-to-principal mapping: only the IPA certauth module may
# decide, so no other certauth module can authorize a client certificate.
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}