https://bugzilla.redhat.com/show_bug.cgi?id=2095176
Bug ID: 2095176
Summary: sssd 2.7.1 cannot do Kerberos authentication [regression]
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: ossman(a)cendio.se
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
jhrozek(a)redhat.com, lslebodn(a)redhat.com,
luk.claes(a)gmail.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
There is unfortunately something seriously broken in the Kerberos part of sssd 2.7.1.
We get the following in the auth log:
jun 09 08:43:48 samuel krb5_child[259734]: Unknown code UUz 100
jun 09 08:43:48 samuel gdm-password][259724]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=samuel
jun 09 08:43:48 samuel gdm-password][259724]: pam_sss(gdm-password:auth): received for user samuel: 4 (System error)
In sssd's log:
(2022-06-09 8:43:48): [be[cendio.se]] [krb5_auth_done] (0x3f7c0): [RID#331] The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
And in the krb5 child log:
(2022-06-09 8:43:57): [krb5_child[259752]] [sss_extract_pac] (0x0040): [RID#333] No PAC authdata available.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-09 8:43:57): [krb5_child[259752]] [main] (0x0400): [RID#333] krb5_child started.
* (2022-06-09 8:43:57): [krb5_child[259752]] [unpack_buffer] (0x1000): [RID#333] total buffer size: [109]
* (2022-06-09 8:43:57): [krb5_child[259752]] [unpack_buffer] (0x0100): [RID#333] cmd [241 (auth)] uid [4036] gid [21031] validate [true] enterprise principal [false] offline [false] UPN [samuel@CENDIO.SE]
* (2022-06-09 8:43:57): [krb5_child[259752]] [unpack_buffer] (0x0100): [RID#333] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2022-06-09 8:43:57): [krb5_child[259752]] [switch_creds] (0x0200): [RID#333] Switch user to [4036][21031].
* (2022-06-09 8:43:57): [krb5_child[259752]] [switch_creds] (0x0200): [RID#333] Switch user to [0][0].
* (2022-06-09 8:43:57): [krb5_child[259752]] [k5c_check_old_ccache] (0x4000): [RID#333] Ccache_file is [KCM:] and is active and TGT is valid.
* (2022-06-09 8:43:57): [krb5_child[259752]] [k5c_setup_fast] (0x0100): [RID#333] Fast principal is set to [host/samuel.lkpg.cendio.se@CENDIO.SE]
* (2022-06-09 8:43:57): [krb5_child[259752]] [find_principal_in_keytab] (0x4000): [RID#333] Trying to find principal host/samuel.lkpg.cendio.se@CENDIO.SE in keytab.
* (2022-06-09 8:43:57): [krb5_child[259752]] [match_principal] (0x1000): [RID#333] Principal matched to the sample (host/samuel.lkpg.cendio.se@CENDIO.SE).
* (2022-06-09 8:43:57): [krb5_child[259752]] [check_fast_ccache] (0x0200): [RID#333] FAST TGT is still valid.
* (2022-06-09 8:43:57): [krb5_child[259752]] [become_user] (0x0200): [RID#333] Trying to become user [4036][21031].
* (2022-06-09 8:43:57): [krb5_child[259752]] [main] (0x2000): [RID#333] Running as [4036][21031].
* (2022-06-09 8:43:57): [krb5_child[259752]] [set_lifetime_options] (0x0100): [RID#333] No specific renewable lifetime requested.
* (2022-06-09 8:43:57): [krb5_child[259752]] [set_lifetime_options] (0x0100): [RID#333] No specific lifetime requested.
* (2022-06-09 8:43:57): [krb5_child[259752]] [set_canonicalize_option] (0x0100): [RID#333] Canonicalization is set to [true]
* (2022-06-09 8:43:57): [krb5_child[259752]] [main] (0x0400): [RID#333] Will perform auth
* (2022-06-09 8:43:57): [krb5_child[259752]] [main] (0x0400): [RID#333] Will perform online auth
* (2022-06-09 8:43:57): [krb5_child[259752]] [tgt_req_child] (0x1000): [RID#333] Attempting to get a TGT
* (2022-06-09 8:43:57): [krb5_child[259752]] [get_and_save_tgt] (0x0400): [RID#333] Attempting kinit for realm [CENDIO.SE]
* (2022-06-09 8:43:57): [krb5_child[259752]] [sss_krb5_responder] (0x4000): [RID#333] Got question [password].
* (2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x2000): [RID#333] Found keytab entry with the realm of the credential.
* (2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0400): [RID#333] TGT verified using key for [host/samuel.lkpg.cendio.se@CENDIO.SE].
* (2022-06-09 8:43:57): [krb5_child[259752]] [sss_extract_pac] (0x0040): [RID#333] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0020): [RID#333] PAC check failed for principal [samuel@CENDIO.SE].
(2022-06-09 8:43:57): [krb5_child[259752]] [get_and_save_tgt] (0x0020): [RID#333] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0020): [RID#333] PAC check failed for principal [samuel@CENDIO.SE].
* (2022-06-09 8:43:57): [krb5_child[259752]] [get_and_save_tgt] (0x0020): [RID#333] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-09 8:43:57): [krb5_child[259752]] [map_krb5_error] (0x0020): [RID#333] [1432158308][PAC check failed].
Version-Release number of selected component (if applicable):
sssd-2.7.1-1.fc36.x86_64
How reproducible:
100%
Steps to Reproduce:
1. Upgrade sssd
2. Try to log in
Actual results:
Login fails
Expected results:
Login succeeds
Additional info:
Also reported to Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012502
Which also references this upstream PR:
https://github.com/SSSD/sssd/pull/6204
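
The failure sequence in the krb5_child log above (TGT verified against the keytab, then no PAC authdata, then "PAC check failed") can be picked out of a larger krb5_child.log by grouping lines per child PID and request ID. The following Python is an added example, not part of the original report or of sssd; the names triage and verdict are hypothetical, the RID#333 sample lines are copied from the log above with wrapping removed, and the RID#334 line is constructed for contrast.

```python
import re
from collections import defaultdict

# sssd debug line: "(timestamp): [proc[pid]] [function] (0xlevel): [RID#n] message".
# Lines replayed inside a backtrace dump start with "*".
LINE_RE = re.compile(
    r"^\s*\*?\s*\([^)]+\):\s+\[(?P<proc>\w+)\[(?P<pid>\d+)\]\]\s+"
    r"\[(?P<func>\w+)\]\s+\(0x[0-9a-fA-F]+\):\s+"
    r"(?:\[RID#(?P<rid>\d+)\]\s+)?(?P<msg>.*)$"
)

# RID#333 lines come from the report's log (unwrapped); the RID#334 line is constructed.
SAMPLE = """\
(2022-06-09 8:43:57): [krb5_child[259752]] [sss_extract_pac] (0x0040): [RID#333] No PAC authdata available.
* (2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0400): [RID#333] TGT verified using key for [host/samuel.lkpg.cendio.se@CENDIO.SE].
* (2022-06-09 8:43:57): [krb5_child[259752]] [sss_extract_pac] (0x0040): [RID#333] No PAC authdata available.
(2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0020): [RID#333] PAC check failed for principal [samuel@CENDIO.SE].
(2022-06-09 8:43:57): [krb5_child[259752]] [map_krb5_error] (0x0020): [RID#333] [1432158308][PAC check failed].
(2022-06-09 8:44:10): [krb5_child[259800]] [validate_tgt] (0x0400): [RID#334] TGT verified using key for [host/samuel.lkpg.cendio.se@CENDIO.SE].
"""

def triage(log_text):
    """Group krb5_child lines by (pid, RID); return only requests whose PAC check failed."""
    reqs = defaultdict(lambda: {"principal": None, "tgt_verified": False,
                                "pac_missing": False, "pac_check_failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != "krb5_child":
            continue
        req = reqs[(int(m["pid"]), m["rid"])]
        func, msg = m["func"], m["msg"]
        # Backtrace replays repeat lines; setting flags keeps that harmless.
        if func == "validate_tgt" and msg.startswith("TGT verified"):
            req["tgt_verified"] = True
        elif func == "sss_extract_pac" and "No PAC authdata" in msg:
            req["pac_missing"] = True
        elif func == "validate_tgt" and msg.startswith("PAC check failed"):
            req["pac_check_failed"] = True
            p = re.search(r"\[([^\]]+)\]", msg)
            req["principal"] = p.group(1) if p else None
    return {k: v for k, v in reqs.items() if v["pac_check_failed"]}

def verdict(req):
    """Separate 'ticket had no PAC' from other PAC check failures."""
    if req["tgt_verified"] and req["pac_missing"]:
        return "TGT validated against keytab; rejected because ticket carries no PAC"
    return "PAC check failed for another reason"

if __name__ == "__main__":
    for (pid, rid), req in triage(SAMPLE).items():
        print(pid, rid, req["principal"], "->", verdict(req))
```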