https://bugzilla.redhat.com/show_bug.cgi?id=2095102
Bug ID: 2095102
Summary: SSSD 2.7.1 causes IPA/krb5 authentication to fail
with messages such as the following in
/var/log/sssd/sssd_DOMAIN.log
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: plarsen(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
jhrozek(a)redhat.com, lslebodn(a)redhat.com,
luk.claes(a)gmail.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
This issue is replicated in this BZ:
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1857082.h…
After updating sssd to 2.7.1-1, logins using GDM to an IPA user fail.
Error in krb5_child.log:
* (2022-06-08 23:28:04): [krb5_child[4535]] [sss_krb5_responder] (0x4000): [RID#22] Got question [password].
* (2022-06-08 23:28:04): [krb5_child[4535]] [sss_krb5_expire_callback_func] (0x2000): [RID#22] exp_time: [10364636]
* (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x2000): [RID#22] Found keytab entry with the realm of the credential.
* (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0400): [RID#22] TGT verified using key for [host/boss.peterlarsen.org@PETERLARSEN.ORG]
* (2022-06-08 23:28:04): [krb5_child[4535]] [sss_extract_pac] (0x0040): [RID#22] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC check failed for principal [peter@PETERLARSEN.ORG]
(2022-06-08 23:28:04): [krb5_child[4535]] [get_and_save_tgt] (0x0020): [RID#22] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC check failed for principal [peter@PETERLARSEN.ORG]
* (2022-06-08 23:28:04): [krb5_child[4535]] [get_and_save_tgt] (0x0020): [RID#22] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE *********************************
Version-Release number of selected component (if applicable):
2.7.1-1
How reproducible:
Constant
Steps to Reproduce:
1. Update from 2.7.0-1 to 2.7.1-1
Actual results:
Login via GDM not possible
Expected results:
Login working
Additional info:
Downgrading to 2.7.0-1 allowed GDM to work again.
Note, applying https://access.redhat.com/solutions/2210951 did not resolve the
issue.
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
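As an added triage example (not part of the bug report and not SSSD code), this script groups krb5_child.log entries by process ID and request ID and reports each request that ended in `PAC check failed`, counting the entry replayed by the backtrace dump only once. The sample log is constructed from the excerpt in the report above; the function name `pac_failures` is hypothetical.

```python
import re

# Constructed sample: entries from the krb5_child.log excerpt in the report,
# one per line, with the archive's "(a)" written as "@". The backtrace dump
# replays the failing entry, so it appears twice.
SAMPLE_LOG = """\
* (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0400): [RID#22] TGT verified using key for [host/boss.peterlarsen.org@PETERLARSEN.ORG]
* (2022-06-08 23:28:04): [krb5_child[4535]] [sss_extract_pac] (0x0040): [RID#22] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC check failed for principal [peter@PETERLARSEN.ORG]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC check failed for principal [peter@PETERLARSEN.ORG]
"""

# Entry layout: (timestamp): [process[pid]] [function] (level): [RID#n] message
ENTRY = re.compile(
    r"\((?P<ts>[\d-]+ [\d:]+)\): \[\w+\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\(0x[0-9a-fA-F]+\): (?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)"
)
FAILED = re.compile(r"PAC check failed for principal \[([^\]]+)\]")


def pac_failures(text):
    """Return one finding per (pid, RID) request that failed the PAC check."""
    requests = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # backtrace banners and blank lines
        req = requests.setdefault((m["pid"], m["rid"]), {
            "pid": m["pid"], "rid": m["rid"], "time": m["ts"],
            "principal": None, "tgt_verified": False, "no_pac": False,
        })
        msg = m["msg"]
        if m["func"] == "validate_tgt" and msg.startswith("TGT verified"):
            req["tgt_verified"] = True
        elif m["func"] == "sss_extract_pac" and "No PAC authdata" in msg:
            req["no_pac"] = True
        elif (hit := FAILED.search(msg)):
            req["principal"] = hit.group(1)
    # Keep only the requests for which the failure message was seen.
    return [r for r in requests.values() if r["principal"]]


if __name__ == "__main__":
    for finding in pac_failures(SAMPLE_LOG):
        print(finding)
```

A finding with both `tgt_verified` and `no_pac` set matches the pattern in this report: the ticket validated against the host keytab, but the request was rejected because no PAC was present.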
https://bugzilla.redhat.com/show_bug.cgi?id=2094948
Bug ID: 2094948
Summary: Unable to log in to accounts from CentOS 7 FreeIPA
Server
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: mheon(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
jhrozek(a)redhat.com, lslebodn(a)redhat.com,
luk.claes(a)gmail.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
I have a CentOS 7 FreeIPA server (ipa-server-4.6.8-5.el7.centos.10.x86_64,
other RPM versions available on request), with several systems joined to the
domain (F35, F36, and CentOS 7). I recently performed a dnf upgrade on one of
the F36 systems, which pulled in sssd 2.7.1 (was previously on 2.7.0). After
the upgrade, I became unable to log into any IPA account. Relevant error
messages below:
Jun 08 11:34:27 Bellerophon.int.lldp.net krb5_child[14823]: Unknown code UUz 100
Jun 08 11:34:27 Bellerophon.int.lldp.net gdm-password][14818]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=mheon
Jun 08 11:34:27 Bellerophon.int.lldp.net gdm-password][14818]: pam_sss(gdm-password:auth): received for user mheon: 4 (System error)
Jun 08 11:34:27 Bellerophon.int.lldp.net gdm-password][14818]: gkr-pam: unlocked login keyring
All other systems on the domain remained able to log in. No error messages are
visible in the IPA server's journal. Downgrading to sssd-2.7.0-1.fc36.x86_64
resolves the issue and restores the ability to log in. I do not have another
IPA server to test with at the moment, but I did confirm that unenrolling and
reenrolling the host in question (in hopes of replacing any faulty
configuration files written) did not resolve the problem.
Notably, this occurs only for login attempts via password (from TTY or
graphical session). Logging in using SSH with key authentication works. Once
logged in via SSH, I am able to communicate with at least the IPA server's
Kerberos server (e.g. `kinit mheon` works).
Version-Release number of selected component (if applicable):
sssd-2.7.1-1.fc36.x86_64
How reproducible:
100%
Steps to Reproduce:
1. Upgrade to sssd 2.7.1
2. Log out
3. Log into an IPA-managed account
Actual results:
Login fails
Expected results:
Login succeeds
Additional info:
I don't know if this is sssd itself or a subpackage (sssd-ipa seems likely?) -
apologies if this should have been filed elsewhere.
https://bugzilla.redhat.com/show_bug.cgi?id=2094648
Bug ID: 2094648
Summary: [Regression] Can't log in to FreeIPA account following
sssd update
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Severity: urgent
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: james(a)ettle.org.uk
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
jhrozek(a)redhat.com, lslebodn(a)redhat.com,
luk.claes(a)gmail.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
Updating to sssd 2.7.1-1.fc36 from sssd-2.7.0-1 breaks login to my FreeIPA
accounts.
Version-Release number of selected component (if applicable):
sssd and friends 2.7.1-1.fc36
How reproducible:
Always.
Steps to Reproduce:
1. Update to sssd 2.7.1-1.fc36
2. Reboot.
Actual results:
Permission denied for FreeIPA realm account.
Expected results:
Legitimate login works.