Initial auth doesn't give proper feedback
Issue description

Display some error for ERROR_KINIT_FAILED (error 8).

Repro: Try auth with valid username, but invalid realm, e.g. lutz@b.com on chromeadm-lab.com.

2017-08-07T12:36:30.220917+00:00 INFO authpolicyd[3752]: Executing /usr/bin/net 'ads' 'workgroup' '-s' '/tmp/authpolicyd/smb.conf' '-d' '10'
2017-08-07T12:36:30.385424+00:00 INFO authpolicyd[3752]: Exit code: 0
2017-08-07T12:36:30.385669+00:00 INFO authpolicyd[3752]: Executing /usr/sbin/authpolicy_parser 'parse_workgroup' 'GAEgASgBOAFAAVICMTA='
2017-08-07T12:36:30.405302+00:00 INFO authpolicyd[3752]: Exit code: 0
2017-08-07T12:36:30.405568+00:00 INFO authpolicyd[3752]: Executing /usr/bin/net 'ads' 'info' '-s' '/tmp/authpolicyd/smb.conf' '-d' '10'
2017-08-07T12:36:30.736933+00:00 INFO authpolicyd[3752]: Exit code: 0
2017-08-07T12:36:30.737325+00:00 INFO authpolicyd[3752]: Executing /usr/sbin/authpolicy_parser 'parse_realm_info' 'GAEgASgBOAFAAVICMTA='
2017-08-07T12:36:30.758696+00:00 INFO authpolicyd[3752]: Exit code: 0
2017-08-07T12:36:30.759059+00:00 INFO authpolicyd[3752]: Executing /usr/bin/kinit '<MACHINE_NAME>$@<REALM>' '-k' '-l' '1d' '-r' '7d'
2017-08-07T12:36:30.836135+00:00 INFO authpolicyd[3752]: Exit code: 0
2017-08-07T12:36:30.836578+00:00 INFO authpolicyd[3752]: Executing /usr/bin/net 'ads' 'search' '(sAMAccountName=<USER_SAM_ACCOUNT_NAME>)' 'objectGUID' 'sAMAccountName' 'cn' 'displayName' 'givenName' 'pwdLastSet' 'userAccountControl' '-s' '/tmp/authpolicyd/smb.conf' '-d' '10'
2017-08-07T12:36:31.350326+00:00 INFO authpolicyd[3752]: Exit code: 0
2017-08-07T12:36:31.350684+00:00 INFO authpolicyd[3752]: Executing /usr/sbin/authpolicy_parser 'parse_account_info' 'GAEgASgBOAFAAVICMTA='
2017-08-07T12:36:31.374480+00:00 INFO authpolicyd[3752]: Exit code: 0
2017-08-07T12:36:31.374803+00:00 INFO authpolicyd[3752]: Executing /usr/bin/kinit '<USER_<REALM>MON_NAME>@<REALM>' '-l' '1d' '-r' '7d'
2017-08-07T12:36:31.403725+00:00 INFO authpolicyd[3752]: libminijail[2]: child process 13 exited with status 1
2017-08-07T12:36:31.403783+00:00 INFO authpolicyd[3752]: /usr/bin/kinit stdout:
2017-08-07T12:36:31.403800+00:00 INFO authpolicyd[3752]: /usr/bin/kinit stderr: kinit: Realm not local to KDC while getting initial credentials#012
2017-08-07T12:36:31.403808+00:00 INFO authpolicyd[3752]: Exit code: 1
2017-08-07T12:36:31.404012+00:00 INFO authpolicyd[3752]: Kinit trace:
2017-08-07T12:36:31.404029+00:00 INFO authpolicyd[3752]: [13] 1502109391.380349: Getting initial credentials for <USER_<REALM>MON_NAME>@<REALM>
2017-08-07T12:36:31.404040+00:00 INFO authpolicyd[3752]: [13] 1502109391.383552: Sending request (157 bytes) to <REALM>
2017-08-07T12:36:31.404050+00:00 INFO authpolicyd[3752]: [13] 1502109391.383609: Resolving hostname 35.187.70.179
2017-08-07T12:36:31.404061+00:00 INFO authpolicyd[3752]: [13] 1502109391.383738: Sending initial UDP request to dgram 35.187.70.179:88
2017-08-07T12:36:31.404073+00:00 INFO authpolicyd[3752]: [13] 1502109391.398714: Received answer (82 bytes) from dgram 35.187.70.179:88
2017-08-07T12:36:31.404084+00:00 INFO authpolicyd[3752]: [13] 1502109391.400989: Response was not from master KDC
2017-08-07T12:36:31.404097+00:00 INFO authpolicyd[3752]: [13] 1502109391.401018: Received error from KDC: -1765328316/Realm not local to KDC
2017-08-07T12:36:31.404110+00:00 INFO authpolicyd[3752]: [13] 1502109391.401035: Retrying AS request with master KDC
2017-08-07T12:36:31.404121+00:00 INFO authpolicyd[3752]: [13] 1502109391.401041: Getting initial credentials for <USER_<REALM>MON_NAME>@<REALM>
2017-08-07T12:36:31.404133+00:00 INFO authpolicyd[3752]: [13] 1502109391.401098: Sending request (157 bytes) to <REALM> (master)
2017-08-07T12:36:31.404153+00:00 ERR authpolicyd[3752]: kinit failed with exit code 1
2017-08-07T12:36:31.404230+00:00 INFO authpolicyd[3752]: Firing signal UserKerberosFilesChanged
2017-08-07T12:36:31.404372+00:00 INFO authpolicyd[3752]: AuthenticateUser failed with code 8
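An added example, not part of the original report and not authpolicyd's own code: a log triage helper that recovers the specific reason hidden behind the generic error 8 by pairing the failed command's stderr with the KDC error from the kinit trace. The names `triage`, `LINE`, `KDC_ERR` and `KRB5_TABLE_BASE` are hypothetical; the sample lines are copied from the log in the report, and the table base is the MIT krb5 error-table base.

```python
import re

# Sample input: lines copied from the log in the report above.
SAMPLE_LOG = """\
2017-08-07T12:36:30.759059+00:00 INFO authpolicyd[3752]: Executing /usr/bin/kinit '<MACHINE_NAME>$@<REALM>' '-k' '-l' '1d' '-r' '7d'
2017-08-07T12:36:30.836135+00:00 INFO authpolicyd[3752]: Exit code: 0
2017-08-07T12:36:31.374803+00:00 INFO authpolicyd[3752]: Executing /usr/bin/kinit '<USER_<REALM>MON_NAME>@<REALM>' '-l' '1d' '-r' '7d'
2017-08-07T12:36:31.403800+00:00 INFO authpolicyd[3752]: /usr/bin/kinit stderr: kinit: Realm not local to KDC while getting initial credentials#012
2017-08-07T12:36:31.403808+00:00 INFO authpolicyd[3752]: Exit code: 1
2017-08-07T12:36:31.404097+00:00 INFO authpolicyd[3752]: [13] 1502109391.401018: Received error from KDC: -1765328316/Realm not local to KDC
2017-08-07T12:36:31.404372+00:00 INFO authpolicyd[3752]: AuthenticateUser failed with code 8
"""

LINE = re.compile(r"^\S+ \w+ authpolicyd\[\d+\]: (.*)$")
KDC_ERR = re.compile(r"Received error from KDC: (-?\d+)/(.+)$")
KRB5_TABLE_BASE = -1765328384  # MIT krb5 error-table base (KRB5KDC_ERR_NONE)

def triage(log_text):
    """Return one dict per failed command: cmd, exit code, stderr, first KDC error."""
    failures, cmd, stderr = [], None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("Executing "):
            cmd, stderr = msg.split()[1], []  # binary path of the command being run
        elif cmd and msg.startswith(cmd + " stderr:"):
            # syslog escapes the trailing newline as #012
            stderr.append(msg.split("stderr:", 1)[1].replace("#012", " ").strip())
        elif cmd and msg.startswith("Exit code: "):
            code = int(msg.split(": ", 1)[1])
            if code != 0:
                failures.append({"cmd": cmd, "exit": code,
                                 "stderr": " ".join(s for s in stderr if s),
                                 "kdc_error": None})
            cmd = None
        elif failures and failures[-1]["kdc_error"] is None and (k := KDC_ERR.search(msg)):
            # The trace is logged after the exit code, so attach it to the last failure.
            krb5_code = int(k.group(1))
            failures[-1]["kdc_error"] = {"krb5_code": krb5_code,
                                         "protocol_code": krb5_code - KRB5_TABLE_BASE,
                                         "text": k.group(2)}
    return failures
```

On the sample, the only failure reported is the user `kinit`, with protocol error 68 and the text "Realm not local to KDC".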
Oct 20 2017
The message "Realm not local to KDC" is actually because of the bug. We use IP addresses for the realm the machine is joined to, not the user's one. This should be fixed in the multidomain feature.
Jun 6 2018
Obsolete
Comment 1 by rsorokin@chromium.org, Sep 28 2017