On Mon, Feb 13, 2017 at 01:01:54PM -0500, Michael Smith wrote:
On Mon, Feb 13, 2017 at 4:05 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> On Fri, Feb 10, 2017 at 02:23:24PM -0500, Michael Smith wrote:
>
> > But when I enter my password with sudo, I can see in krb5_child.log that
> > it's cycling through all the DCs twice, first for UDP and then for TCP. So
> > it's ignoring the locator information and the udp_preference_limit as well.
> >
> > I'm on Ubuntu 16.04 LTS, with sssd 1.13.4 and libkrb5-3 1.13.2.
> >
> > /var/lib/sss/pubconf/kdcinfo.MYDOMAIN is pointing to the correct IP.
> > In /var/lib/sss/pubconf/krb5.include.d/localauth_plugin I see:
> >
> > [plugins]
> >  localauth = {
> >   module = sssd:/usr/lib/x86_64-linux-gnu/sssd/modules/sssd_krb5_localauth_plugin.so
> >   enable_only = sssd
> >  }
> >
>
> Could you test the same with KRB5_TRACE=/dev/stderr kinit and also perhaps
> with strace kinit to see if the locator file is opened at all and there
> are e.g. no permission errors while SSSD is opening the kdcinfo file?

Thanks for the tip - I can see in strace that Kerberos is looking for
plugins in /usr/lib/x86_64-linux-gnu/krb5/plugins/krb5:

open("/usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

But sssd_krb5_locator_plugin.so is in
/usr/lib/x86_64-linux-gnu/krb5/plugins/krb5 (last component is krb5 instead
of libkrb5).

If I copy the krb5 directory to libkrb5, strace shows the plugin is loaded,
the kdcinfo file is read, and kinit is talking to my local DC first.

Would I be correct in thinking this is an Ubuntu packaging issue?

Perhaps, but I'm not an Ubuntu developer, so I'm not sure I can comment
more. I'll just note that there is a configure-time option called
"--with-pubconf-path=PATH" in SSSD that allows tweaking where the files
are stored.

I'd recommend opening a bug at Launchpad for Ubuntu.
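
The comparison made by hand in the thread (the plugin directory libkrb5 tried to open versus the directory holding sssd_krb5_locator_plugin.so), as an added example that is not part of the original messages. The function names, the `kinit.strace` file name and the temporary sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Capture a log first, for instance:
#   strace -f -o kinit.strace kinit user@REALM

# Plugin directories that libkrb5 failed to open (ENOENT) in strace log $1.
missing_plugin_dirs() {
    grep 'O_DIRECTORY' "$1" | grep 'ENOENT' |
        sed -n 's|.*"\([^"]*/krb5/plugins/[^"]*\)".*|\1|p' | sort -u
}

# Directories below plugin root $1 that hold the SSSD locator plugin.
locator_plugin_dirs() {
    find "$1" -name 'sssd_krb5_locator_plugin.so' 2>/dev/null |
        sed 's|/[^/]*$||' | sort -u
}

# Succeeds and prints a diagnosis when libkrb5 searched a missing directory
# while the plugin sits in a sibling directory (paths must not contain spaces).
check_locator_mismatch() {
    searched=$(missing_plugin_dirs "$1")
    installed=$(locator_plugin_dirs "$2")
    for s in $searched; do
        for i in $installed; do
            if [ "${s%/*}" = "${i%/*}" ] && [ "$s" != "$i" ]; then
                echo "mismatch: libkrb5 searched $s, plugin installed in $i"
                return 0
            fi
        done
    done
    return 1
}

# Constructed sample: a temporary tree and a one-line strace log that mirror
# the layout reported in the thread.
demo() {
    d=$(mktemp -d) && root="$d/krb5/plugins" && mkdir -p "$root/krb5" || return 1
    : > "$root/krb5/sssd_krb5_locator_plugin.so"
    printf 'open("%s/libkrb5", O_RDONLY|O_DIRECTORY) = -1 ENOENT (No such file or directory)\n' \
        "$root" > "$d/kinit.strace"
    check_locator_mismatch "$d/kinit.strace" "$root"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: script STRACE_LOG PLUGIN_ROOT; with no arguments, run the demo.
if [ "$#" -eq 2 ]; then check_locator_mismatch "$1" "$2"; else demo; fi
```

A non-zero exit means no sibling-directory mismatch was found, which is the expected result once the locator plugin is loadable from the directory libkrb5 searches.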