https://bugzilla.redhat.com/show_bug.cgi?id=2095176
Bug ID: 2095176
Summary: sssd 2.7.1 cannot do Kerberos authentication [regression]
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Assignee: sssd-maintainers@lists.fedoraproject.org
Reporter: ossman@cendio.se
QA Contact: extras-qa@fedoraproject.org
CC: abokovoy@redhat.com, atikhono@redhat.com, jhrozek@redhat.com, lslebodn@redhat.com, luk.claes@gmail.com, mzidek@redhat.com, pbrezina@redhat.com, sbose@redhat.com, ssorce@redhat.com, sssd-maintainers@lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
There is unfortunately something seriously broken in the Kerberos part of sssd 2.7.1.
We get the following in the auth log:
jun 09 08:43:48 samuel krb5_child[259734]: Unknown code UUz 100
jun 09 08:43:48 samuel gdm-password][259724]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=samuel
jun 09 08:43:48 samuel gdm-password][259724]: pam_sss(gdm-password:auth): received for user samuel: 4 (System error)
In sssd's log:
(2022-06-09 8:43:48): [be[cendio.se]] [krb5_auth_done] (0x3f7c0): [RID#331] The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
And in the krb5 child log:
(2022-06-09 8:43:57): [krb5_child[259752]] [sss_extract_pac] (0x0040): [RID#333] No PAC authdata available.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
- (2022-06-09 8:43:57): [krb5_child[259752]] [main] (0x0400): [RID#333] krb5_child started.
- (2022-06-09 8:43:57): [krb5_child[259752]] [unpack_buffer] (0x1000): [RID#333] total buffer size: [109]
- (2022-06-09 8:43:57): [krb5_child[259752]] [unpack_buffer] (0x0100): [RID#333] cmd [241 (auth)] uid [4036] gid [21031] validate [true] enterprise principal [false] offline [false] UPN [samuel@CENDIO.SE]
- (2022-06-09 8:43:57): [krb5_child[259752]] [unpack_buffer] (0x0100): [RID#333] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
- (2022-06-09 8:43:57): [krb5_child[259752]] [switch_creds] (0x0200): [RID#333] Switch user to [4036][21031].
- (2022-06-09 8:43:57): [krb5_child[259752]] [switch_creds] (0x0200): [RID#333] Switch user to [0][0].
- (2022-06-09 8:43:57): [krb5_child[259752]] [k5c_check_old_ccache] (0x4000): [RID#333] Ccache_file is [KCM:] and is active and TGT is valid.
- (2022-06-09 8:43:57): [krb5_child[259752]] [k5c_setup_fast] (0x0100): [RID#333] Fast principal is set to [host/samuel.lkpg.cendio.se@CENDIO.SE]
- (2022-06-09 8:43:57): [krb5_child[259752]] [find_principal_in_keytab] (0x4000): [RID#333] Trying to find principal host/samuel.lkpg.cendio.se@CENDIO.SE in keytab.
- (2022-06-09 8:43:57): [krb5_child[259752]] [match_principal] (0x1000): [RID#333] Principal matched to the sample (host/samuel.lkpg.cendio.se@CENDIO.SE).
- (2022-06-09 8:43:57): [krb5_child[259752]] [check_fast_ccache] (0x0200): [RID#333] FAST TGT is still valid.
- (2022-06-09 8:43:57): [krb5_child[259752]] [become_user] (0x0200): [RID#333] Trying to become user [4036][21031].
- (2022-06-09 8:43:57): [krb5_child[259752]] [main] (0x2000): [RID#333] Running as [4036][21031].
- (2022-06-09 8:43:57): [krb5_child[259752]] [set_lifetime_options] (0x0100): [RID#333] No specific renewable lifetime requested.
- (2022-06-09 8:43:57): [krb5_child[259752]] [set_lifetime_options] (0x0100): [RID#333] No specific lifetime requested.
- (2022-06-09 8:43:57): [krb5_child[259752]] [set_canonicalize_option] (0x0100): [RID#333] Canonicalization is set to [true]
- (2022-06-09 8:43:57): [krb5_child[259752]] [main] (0x0400): [RID#333] Will perform auth
- (2022-06-09 8:43:57): [krb5_child[259752]] [main] (0x0400): [RID#333] Will perform online auth
- (2022-06-09 8:43:57): [krb5_child[259752]] [tgt_req_child] (0x1000): [RID#333] Attempting to get a TGT
- (2022-06-09 8:43:57): [krb5_child[259752]] [get_and_save_tgt] (0x0400): [RID#333] Attempting kinit for realm [CENDIO.SE]
- (2022-06-09 8:43:57): [krb5_child[259752]] [sss_krb5_responder] (0x4000): [RID#333] Got question [password].
- (2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x2000): [RID#333] Found keytab entry with the realm of the credential.
- (2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0400): [RID#333] TGT verified using key for [host/samuel.lkpg.cendio.se@CENDIO.SE].
- (2022-06-09 8:43:57): [krb5_child[259752]] [sss_extract_pac] (0x0040): [RID#333] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0020): [RID#333] PAC check failed for principal [samuel@CENDIO.SE].
(2022-06-09 8:43:57): [krb5_child[259752]] [get_and_save_tgt] (0x0020): [RID#333] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
- (2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0020): [RID#333] PAC check failed for principal [samuel@CENDIO.SE].
- (2022-06-09 8:43:57): [krb5_child[259752]] [get_and_save_tgt] (0x0020): [RID#333] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-09 8:43:57): [krb5_child[259752]] [map_krb5_error] (0x0020): [RID#333] [1432158308][PAC check failed].
Version-Release number of selected component (if applicable):
sssd-2.7.1-1.fc36.x86_64
How reproducible:
100%
Steps to Reproduce:
1. Upgrade sssd
2. Try to log in
Actual results:
Login fails
Expected results:
Login succeeds
Additional info:
Also reported to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012502
Which also references this upstream PR:
https://github.com/SSSD/sssd/pull/6204
Sumit Bose sbose@redhat.com changed:
What        | Removed | Added
------------+---------+----------------------------
Status      | NEW     | CLOSED
Doc Type    | ---     | If docs needed, set a value
Resolution  | ---     | DUPLICATE
Last Closed |         | 2022-06-09 08:28:50
--- Comment #1 from Sumit Bose sbose@redhat.com ---
As a work-around set
pac_check = check_upn, check_upn_dns_info_ex
in the [pac] section of sssd.conf.
*** This bug has been marked as a duplicate of bug 2094685 ***
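The following is an added example, not code from the bug report, the sssd project or Sumit Bose: it scans krb5_child/journal output for the PAC-check failure signature quoted in the report (so the regression can be spotted on other hosts), and it checks an sssd.conf for the `[pac]` work-around from Comment #1, adding it while preserving existing comments. The sample log lines are copied from this report and the sample configurations are constructed; `find_pac_failures`, `has_pac_workaround` and `apply_pac_workaround` are names chosen for this example.

```python
"""Detect the sssd 2.7.1 PAC-check login failure and check/apply the
[pac] work-around. Added illustration; not sssd project code."""
import configparser
import re

# Signatures taken from the log lines quoted in the bug report. The journal
# line "Unknown code UUz 100" is how error 1432158308 is rendered there.
PAC_FAILURE_PATTERNS = [
    re.compile(r"\[sss_extract_pac\].*No PAC authdata available"),
    re.compile(r"\[validate_tgt\].*PAC check failed for principal \[([^\]]+)\]"),
    re.compile(r"\[map_krb5_error\].*\[PAC check failed\]"),
    re.compile(r"krb5_child\[\d+\]: Unknown code UUz 100"),
]

# Constructed sample: the report's own krb5_child and journal lines, plus one
# healthy line ("TGT verified") that must not be flagged.
SAMPLE_KRB5_CHILD_LOG = "\n".join([
    "jun 09 08:43:48 samuel krb5_child[259734]: Unknown code UUz 100",
    "(2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0400): [RID#333] "
    "TGT verified using key for [host/samuel.lkpg.cendio.se@CENDIO.SE].",
    "(2022-06-09 8:43:57): [krb5_child[259752]] [sss_extract_pac] (0x0040): [RID#333] "
    "No PAC authdata available.",
    "(2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0020): [RID#333] "
    "PAC check failed for principal [samuel@CENDIO.SE].",
    "(2022-06-09 8:43:57): [krb5_child[259752]] [map_krb5_error] (0x0020): [RID#333] "
    "[1432158308][PAC check failed].",
])


def find_pac_failures(log_text):
    """Return {'principals': [...], 'evidence_lines': n} for PAC-check failures.

    Each log line is counted at most once; a principal is recorded from the
    'PAC check failed for principal [...]' line, the other patterns are
    supporting evidence without a principal."""
    principals, evidence = [], 0
    for line in log_text.splitlines():
        for pat in PAC_FAILURE_PATTERNS:
            m = pat.search(line)
            if m:
                evidence += 1
                if m.groups() and m.group(1) not in principals:
                    principals.append(m.group(1))
                break
    return {"principals": principals, "evidence_lines": evidence}


WORKAROUND_OPTIONS = {"check_upn", "check_upn_dns_info_ex"}
WORKAROUND_LINE = "pac_check = check_upn, check_upn_dns_info_ex"


def has_pac_workaround(conf_text):
    """True if [pac] pac_check is exactly the option set from Comment #1."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written in sssd.conf
    cp.read_string(conf_text)
    if not cp.has_section("pac"):
        return False
    value = cp.get("pac", "pac_check", fallback="")
    return {v.strip() for v in value.split(",") if v.strip()} == WORKAROUND_OPTIONS


def apply_pac_workaround(conf_text):
    """Return conf_text with the work-around set, editing the text in place.

    configparser.write() would drop comments and reflow the file, so this
    replaces an existing pac_check line under [pac], adds the line to an
    existing [pac] section, or appends a new [pac] section."""
    if has_pac_workaround(conf_text):
        return conf_text
    out, in_pac, inserted = [], False, False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_pac and not inserted:  # leaving [pac] without the option set
                out.append(WORKAROUND_LINE)
                inserted = True
            in_pac = stripped == "[pac]"
        elif in_pac and re.match(r"\s*pac_check\s*=", line):
            out.append(WORKAROUND_LINE)  # replace the existing value
            inserted = True
            continue
        out.append(line)
    if in_pac and not inserted:  # [pac] was the last section
        out.append(WORKAROUND_LINE)
        inserted = True
    if not inserted:
        out.extend(["", "[pac]", WORKAROUND_LINE])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(find_pac_failures(SAMPLE_KRB5_CHILD_LOG))
    demo_conf = "[sssd]\nservices = nss, pam\ndomains = example.test\n"
    print(apply_pac_workaround(demo_conf))
```

Run it against `/var/log/sssd/krb5_child.log` (or `journalctl -u sssd -o cat`) to confirm the same signature before applying the work-around; the `evidence_lines` count distinguishes a single stray line from the full sequence (missing PAC, failed check, mapped error) seen in this report.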