Bug 1229430

Summary: [abrt] freeipa-server: ipautil.py:1208:kinit_hostprincipal:StandardError: Error initializing principal ipa-dnskeysyncd/bramha.gaans.in in /etc/ipa/dnssec/ipa-dnskeysyncd.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')
Product: [Fedora] Fedora
Reporter: Sambit Gaan <sambit.gaan>
Component: freeipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 21
CC: abokovoy, ipa-maint, mkosek, pspacek, pvoborni, rcritten, ssorce
Keywords: Reopened
Hardware: i686
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/d995d4a56728f4aeae7323ee16a7c4e4b842ae01
Whiteboard: abrt_hash:dc3f5559cc4f1cfab3a1e66b52a7e7835ed87ea3
Fixed In Version: freeipa-4.2.2-1.fc23
Doc Type: Bug Fix
Last Closed: 2015-10-11 16:02:42 UTC
Attachments: File: backtrace (flags: none); File: environ (flags: none)

Description Sambit Gaan 2015-06-08 17:43:24 UTC
Version-Release number of selected component:
freeipa-server-4.1.4-1.fc21

Additional info:
reporter:       libreport-2.3.0
cmdline:        /usr/bin/python /usr/libexec/ipa/ipa-dnskeysyncd
dso_list:       freeipa-python-4.1.4-1.fc21.i686
executable:     /usr/libexec/ipa/ipa-dnskeysyncd
kernel:         3.19.5-200.fc21.i686+PAE
runlevel:       unknown
type:           Python
uid:            978

Truncated backtrace:
ipautil.py:1208:kinit_hostprincipal:StandardError: Error initializing principal ipa-dnskeysyncd/bramha.gaans.in in /etc/ipa/dnssec/ipa-dnskeysyncd.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')

Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-dnskeysyncd", line 68, in <module>
    ipautil.kinit_hostprincipal(KEYTAB_FB, WORKDIR, PRINCIPAL)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1208, in kinit_hostprincipal
    raise StandardError('Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
StandardError: Error initializing principal ipa-dnskeysyncd/bramha.gaans.in in /etc/ipa/dnssec/ipa-dnskeysyncd.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')

Local variables in innermost frame:
ccachedir: '/tmp'
e: Krb5Error(-1765328228, 'Cannot contact any KDC for requested realm')
princ: <krb5.Principal instance at 0xb6777eac: ipa-dnskeysyncd/bramha.gaans.in>
krbcontext: <krbV.Context instance at 0xb632f0cc>
ccache: <krbV.CCache instance at 0xb66d6f4c>
ccache_file: 'FILE:/tmp/ccache'
keytab: '/etc/ipa/dnssec/ipa-dnskeysyncd.keytab'
ktab: <krbV.Keytab instance at 0xb6471c8c>
principal: 'ipa-dnskeysyncd/bramha.gaans.in'

Comment 1 Sambit Gaan 2015-06-08 17:43:29 UTC
Created attachment 1036449
File: backtrace

Comment 2 Sambit Gaan 2015-06-08 17:43:30 UTC
Created attachment 1036450
File: environ

Comment 3 Petr Vobornik 2015-06-10 11:40:39 UTC
The KDC could have been down, or there was something wrong with the network setup (if the target KDC was on a different server), so that the KDC could not be contacted.

This situation might happen, but it should be rare because the ipa-dnskeysyncd service failed on its initialization, which should happen shortly after the KDC is started (assuming it's started by 'ipactl start').

The wrong thing here is that the daemon fails with a traceback. It should exit more gracefully.

We would need more information if this issue happens regularly to fix the root cause.
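
The graceful exit that Comment 3 asks for, sketched as an added example; it is not FreeIPA code and not the fix shipped in freeipa-4.2.2. `Krb5Error`, `run` and `flaky_kinit` are hypothetical stand-ins so the block runs without a Kerberos binding; only the error code is taken from the traceback above.

```python
import logging
import time

KRB5_KDC_UNREACH = -1765328228  # code shown in the traceback on this page
log = logging.getLogger("dnskeysyncd-example")

class Krb5Error(Exception):
    """Stand-in for the Kerberos binding's exception (constructed here)."""
    def __init__(self, code, message):
        super().__init__(code, message)
        self.code = code

def run(kinit, attempts=5, delay=1.0, sleep=time.sleep):
    """Call kinit() up to `attempts` times and return a process exit status.

    Only "KDC unreachable" is retried: it is the one failure that clears by
    itself once the KDC finishes starting. Any other Kerberos error (bad
    keytab, unknown principal) fails at once, with a log line, no traceback.
    """
    for attempt in range(1, attempts + 1):
        try:
            kinit()
            return 0
        except Krb5Error as e:
            if e.code != KRB5_KDC_UNREACH:
                log.error("kinit failed, not retrying: %s", e)
                return 1
            log.warning("KDC unreachable, attempt %d of %d", attempt, attempts)
            if attempt < attempts:
                sleep(delay)
                delay *= 2  # back off so a slow KDC start is not hammered
    log.error("giving up: no KDC reachable after %d attempts", attempts)
    return 1

def flaky_kinit(failures, code=KRB5_KDC_UNREACH):
    """Constructed test double: raises `failures` times, then succeeds."""
    state = {"left": failures, "calls": 0}
    def kinit():
        state["calls"] += 1
        if state["left"] > 0:
            state["left"] -= 1
            raise Krb5Error(code, "simulated failure")
    kinit.state = state
    return kinit
```

In a daemon, the value returned by `run` would be passed to `sys.exit` so the service manager sees a clean non-zero status and can apply its own restart policy.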

Comment 4 Petr Vobornik 2015-06-17 15:27:16 UTC
ipa-dnskeysyncd was meant as a temporary tool which will be replaced soon. Therefore a fix is not planned.

Comment 5 Martin Kosek 2015-06-18 06:49:58 UTC
WONTFIX is a better result I think, given no upstream ticket was opened.

Comment 6 Petr Spacek 2015-06-23 12:20:18 UTC
Apparently this happens a lot so we should fix it:
http://retrace.fedoraproject.org/faf/reports/bthash/d995d4a56728f4aeae7323ee16a7c4e4b842ae01/

Comment 8 Fedora Update System 2015-10-09 13:55:30 UTC
freeipa-4.2.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update freeipa'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-4abcc8b937

Comment 9 Fedora Update System 2015-10-11 16:02:29 UTC
freeipa-4.2.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.