freeipa/install/share
Stanislav Levin 93126e01a5 krb5: Pin kpasswd server to a primary one
There are time gaps in which kinit requests may fail due to
offlined SSSD's locator and replication delays.

Since `IPA` provider or SSSD offline the locator plugin for libkrb5
(man 8 sssd_krb5_locator_plugin) can do nothing about this and kinit
fallbacks to the standard libkrb5 algorithm described in `man 5 krb5.conf`.
`krb5.conf` on IPA server doesn't include `kpasswd_server` and kinit
fallbacks to DNS way. DNS (URI or SRV) RRs don't preserve any order
and kinit may contact either master or replica kpasswd servers.
This may result in a password was changed on a replica but was not
replicated to master:
master(kinit)->master(initial)->replica(kpasswd)->master(can't
obtain initial creds with new password)

So, `kpasswd_server` serves as fallback for the offlined locator.

Note: primary_kdc(the former master_kdc) doesn't help here because
it is only used if the initial credentials obtaining fails (see
`krb5_get_init_creds_password` in libkrb5) and not a password change.

Fixes: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-09-15 10:16:54 +02:00
..
advise Build: remove incorrect use of MAINTAINERCLEANFILES 2016-11-16 09:12:07 +01:00
profiles Add SHA384withRSA as a certificate signing algorithm 2021-07-09 13:21:00 -04:00
schema.d Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
05rfc2247.ldif Remove references to GPL v2.0 license 2015-02-20 15:40:42 +01:00
15rfc2307bis.ldif Add formerly update-only schema 2013-11-18 16:54:21 +01:00
15rfc4876.ldif Add formerly update-only schema 2013-11-18 16:54:21 +01:00
60basev2.ldif Add basic support for subordinate user/group ids 2021-07-09 09:47:30 -04:00
60basev3.ldif LDAP schema: new attribute ipaautoprivategroups 2021-04-19 17:14:23 +02:00
60basev4.ldif Redesign subid feature 2021-07-09 09:47:30 -04:00
60certificate-profiles.ldif Add 'ca' plugin 2016-06-15 07:13:38 +02:00
60ipaconfig.ldif Fix oid of ipaUserDefaultSubordinateId 2021-07-09 09:47:30 -04:00
60ipadns.ldif DNS: Support URI resource record type 2016-10-11 16:48:47 +02:00
60ipapk11.ldif DNSSEC: schema 2014-10-21 12:23:03 +02:00
60kerberos.ldif Add Authentication Indicator Kerberos ticket policy options 2019-11-21 11:13:12 -05:00
60samba.ldif Make schema files conform to new updater 2013-11-18 16:54:21 +01:00
61kerberos-ipav3.ldif mark 'ipaKrbPrincipalAlias' attribute as deprecated in schema 2016-06-23 09:48:06 +02:00
65ipacertstore.ldif Add LDAP schema for certificate store. 2014-07-30 16:04:21 +02:00
65ipasudo.ldif Update X-ORIGIN for 4.0 2014-07-01 13:57:06 +02:00
70ipaotp.ldif Revert "Make all ipatokenTOTP attributes mandatory" 2015-01-21 09:20:15 +01:00
70topology.ldif handle multiple managed suffixes 2015-10-15 14:24:33 +02:00
71idviews.ldif idviews: Add user certificate attribute to user ID overrides 2016-05-06 07:12:01 +02:00
72domainlevels.ldif Add Domain Level feature 2015-05-26 11:59:47 +00:00
73certmap.ldif Add altSecurityIdentities attribute from MS-WSPP schema definition 2019-07-17 17:50:07 +03:00
anon-princ-aci.ldif Use Anonymous user to obtain FAST armor ccache 2017-02-15 07:13:37 +01:00
automember.ldif 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin 2011-08-31 09:49:43 +02:00
bind.ipa-ext.conf.template Overhaul bind upgrade process 2020-06-10 16:07:07 +02:00
bind.ipa-logging-ext.conf.template BIND: Setup logging 2021-05-25 10:45:49 +03:00
bind.ipa-options-ext.conf.template Overhaul bind upgrade process 2020-06-10 16:07:07 +02:00
bind.named.conf.template LDAP autobind authenticateAsDN for BIND named 2021-06-15 14:13:16 +03:00
bind.openssl.cnf.template named: Allow using of a custom OpenSSL engine for BIND 2020-08-31 09:42:31 +03:00
bind.openssl.cryptopolicy.cnf.template named: Include crypto policy in openssl config 2020-08-31 09:42:31 +03:00
bootstrap-template.ldif Fix ipa-server-upgrade 2021-07-09 09:47:30 -04:00
ca-topology.uldif Revert "upgrade: add replica bind DN group check interval to CA topology config" 2016-12-09 15:47:13 +01:00
certmap.conf.template Define template version in certmap.conf 2017-03-01 12:46:50 +01:00
custodia.conf.template Fix Custodia imports 2021-06-16 10:28:17 -04:00
default-aci.ldif Add group membership management 2019-11-11 09:31:14 +01:00
default-hbac.ldif Fix systemd-user HBAC rule 2019-01-15 14:29:22 -05:00
default-smb-group.ldif Change DNA magic value to -1 to make UID 999 usable 2013-03-11 17:07:07 +01:00
default-trust-view.ldif idviews: Add Default Trust View as part of adtrustinstall 2014-09-30 10:42:06 +02:00
delegation.ldif DNS Locations: Always create DNS related privileges 2016-06-03 15:58:21 +02:00
dna.ldif Use 389-DS' dnaInterval setting to assign intervals 2021-07-09 09:47:30 -04:00
dns.ldif Allow hosts to read DNS records for IP SAN 2020-03-16 13:04:17 +01:00
dnssec.ldif DNSSEC: DNS key synchronization daemon 2014-10-21 12:23:03 +02:00
domainlevel.ldif Add Domain Level feature 2015-05-26 11:59:47 +00:00
ds-ipa-env.conf.template Set client keytab location for 389ds 2021-01-13 21:31:31 +02:00
ds-nfiles.ldif Autotune directory server to use a greater number of files 2010-11-22 12:42:16 -05:00
entryusn.ldif Address entryusn initialization on replica installation 2011-01-28 13:58:43 -05:00
freeipa-server.template Add a skeleton kdcpolicy plugin 2019-09-10 12:33:21 +03:00
gssapi.login Change session handling 2017-02-15 07:13:37 +01:00
gssproxy.conf.template gssproxy: Don't refresh expired delegated credentials 2021-06-12 11:19:25 +03:00
host_nis_groups.ldif Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
ipa-httpd-wsgi.conf.template Replace wsgi package conflict with config file 2018-02-09 08:28:11 +01:00
ipa-httpd.conf.template Require UTF-8 fs encoding 2017-11-21 16:13:28 +01:00
ipa-kdc-proxy.conf.template Better mod_wsgi configuration 2021-04-07 11:43:23 +03:00
ipa-pki-proxy.conf.template acme: ipa-pki-proxy: proxy /acme to Dogtag 2020-07-10 08:33:22 -04:00
ipa-rewrite.conf.template Allow Apache to answer to ipa-ca requests without a redirect 2020-12-02 14:05:36 +02:00
ipa.conf.template Better mod_wsgi configuration 2021-04-07 11:43:23 +03:00
ipaca_customize.ini Configure PKI AJP Secret with 256-bit secret 2020-06-23 09:20:24 +02:00
ipaca_default.ini Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
ipaca_softhsm2.ini Add pki.ini override option 2019-04-10 13:43:23 +02:00
ipakrb5.aug install: introduce generic Kerberos Augeas lens 2017-05-19 12:31:24 +02:00
kdc_extensions.template Add support for configuring KDC certs for PKINIT 2010-11-18 15:09:36 -05:00
kdc_req.conf.template Add support for configuring KDC certs for PKINIT 2010-11-18 15:09:36 -05:00
kdc.conf.template Add new authentication indicators in kdc.conf.template 2019-09-10 12:33:21 +03:00
kdcproxy-disable.uldif Provide Kerberos over HTTP (MS-KKDCP) 2015-06-24 10:43:58 +02:00
kdcproxy-enable.uldif Provide Kerberos over HTTP (MS-KKDCP) 2015-06-24 10:43:58 +02:00
kdcproxy.conf Provide Kerberos over HTTP (MS-KKDCP) 2015-06-24 10:43:58 +02:00
kdcproxy.wsgi Replace hard-coded kdcproxy path with WSGI script 2017-04-12 13:05:23 +02:00
kerberos.ldif Enable AES SHA 256 and 384-bit enctypes in Kerberos 2019-11-04 09:45:07 -05:00
krb5.conf.template krb5: Pin kpasswd server to a primary one 2021-09-15 10:16:54 +02:00
krb5.ini.template Set master_kdc and dns_lookup_kdc to true 2012-09-19 20:47:12 -04:00
krb.con.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
krbrealm.con.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
ldbm-tuning.ldif Fix nsslapd-db-lock tuning of BDB backend 2020-09-24 17:03:00 +02:00
Makefile.am Add basic support for subordinate user/group ids 2021-07-09 09:47:30 -04:00
managed-entries.ldif Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
master-entry.ldif Add Domain Level feature 2015-05-26 11:59:47 +00:00
memberof-conf.ldif Redesign subid feature 2021-07-09 09:47:30 -04:00
memberof-task.ldif Wait for memberof task and DS to start before proceeding in installation. 2011-04-22 11:43:50 +02:00
memcache-remove.uldif Change session handling 2017-02-15 07:13:37 +01:00
modrdn-krbprinc.ldif add krbCanonicalName to attributes watched by MODRDN plugin 2016-06-23 09:48:06 +02:00
nis-update.uldif Upgrade: Fix upgrade of NIS Server configuration 2016-01-11 09:45:54 +01:00
nis.uldif Enable transactions by default, make password and modrdn TXN-aware 2012-11-21 14:55:12 +01:00
opendnssec_conf.template Remove the <Interval> from opendnssec conf 2020-03-12 21:48:25 +01:00
opendnssec_kasp.template DNSSEC: update OpenDNSSEC KASP configuration 2015-05-19 12:50:56 +00:00
pki-acme-configsources.conf.template Add versions to the ACME config templates and update on upgrade 2021-02-15 09:57:07 +02:00
pki-acme-database.conf.template Add versions to the ACME config templates and update on upgrade 2021-02-15 09:57:07 +02:00
pki-acme-engine.conf.template Add versions to the ACME config templates and update on upgrade 2021-02-15 09:57:07 +02:00
pki-acme-issuer.conf.template Add versions to the ACME config templates and update on upgrade 2021-02-15 09:57:07 +02:00
pki-acme-realm.conf.template Add versions to the ACME config templates and update on upgrade 2021-02-15 09:57:07 +02:00
pw-logging-conf.ldif Switch nsslapd-unhashed-pw-switch to nolog 2019-05-24 12:42:51 +02:00
referint-conf.ldif Update referential integrity config for DS 1.3.3 2014-09-12 17:42:08 +02:00
replica-acis.ldif Update ACIs with the correct syntax 2020-05-04 20:49:23 +02:00
replica-automember.ldif 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin 2011-08-31 09:49:43 +02:00
replica-prevent-time-skew.ldif ds: ignore time skew during initial replication step 2017-10-19 17:48:58 +03:00
repoint-managed-entries.ldif Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
sasl-mapping-fallback.ldif Enable SASL mapping fallback. 2013-06-27 17:06:51 +02:00
schema-update.ldif Fix nsslapdPlugin object class after initial replication. 2013-09-10 09:49:43 +02:00
smb.conf.empty Add trust management for Active Directory trusts 2012-06-07 09:39:09 +02:00
smb.conf.registry.template Update samba configuration on IPA master to explicitly use 'server role' setting 2021-02-04 14:19:16 +01:00
smb.conf.template Write state dir to smb.conf 2020-07-30 11:38:25 +02:00
sudobind.ldif Create default disabled sudo bind user 2011-02-23 15:32:24 -05:00
topology-entries.ldif rename topology suffixes to "domain" and "ca" 2015-12-04 12:59:21 +01:00
unique-attributes.ldif Server Upgrade: Fix uniqueness plugins 2015-05-19 12:45:41 +00:00
user_private_groups.ldif Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
uuid.ldif DNSSEC: DNS key synchronization daemon 2014-10-21 12:23:03 +02:00
vault.ldif install: support KRA update 2015-09-17 14:55:54 +02:00
wsgi.py Improve wsgi app loading 2021-04-07 11:43:23 +03:00