https://bugzilla.redhat.com/show_bug.cgi?id=2095356
Bug ID: 2095356
Summary: Password auth against FreeIPA server no longer works after update to Fedora 36
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Severity: high
Assignee: sssd-maintainers@lists.fedoraproject.org
Reporter: boroske@ida.ing.tu-bs.de
QA Contact: extras-qa@fedoraproject.org
CC: abokovoy@redhat.com, atikhono@redhat.com, jhrozek@redhat.com, lslebodn@redhat.com, luk.claes@gmail.com, mzidek@redhat.com, pbrezina@redhat.com, sbose@redhat.com, ssorce@redhat.com, sssd-maintainers@lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Created attachment 1888388 --> https://bugzilla.redhat.com/attachment.cgi?id=1888388&action=edit krb5_child.log of attempt to login using password auth
I recently upgraded a Fedora 35 system to Fedora 36.
After the upgrade, using any type of password auth against the FreeIPA server no longer works (ssh, su, sudo), only local user logins or ssh public key login.
The problem seems to have to do with the new sssd package.
I can see an error message in dmesg:
[ 743.242553] sssd_be[848]: segfault at 18 ip 00007f9bd8b5559c sp 00007ffd21604bc0 error 4 in libc.so.6[7f9bd8aeb000+173000]
I also enabled debug logging in sssd.conf and got error messages in
/var/log/sssd/krb5_child.log
Excerpt (see attachment for full log of login attempt):
[...]
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0400): [RID#18] TGT verified using key for [host/zeus.net.ida@NET.IDA].
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_child_krb5_trace_cb] (0x4000): [RID#18] [1808] 1654779082.856019: Retrieving thomasb@NET.IDA -> host/zeus.net.ida@NET.IDA from MEMORY:rd_req2 with result: 0/Success
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_extract_pac] (0x0040): [RID#18] No PAC authdata available.
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0020): [RID#18] PAC check failed for principal [thomasb@NET.IDA].
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_child_krb5_trace_cb] (0x4000): [RID#18] [1808] 1654779082.856020: Destroying ccache MEMORY:rd_req2
(2022-06-09 14:51:22): [krb5_child[1808]] [get_and_save_tgt] (0x0020): [RID#18] 2045: [1432158308][Unknown code UUz 100]
(2022-06-09 14:51:22): [krb5_child[1808]] [map_krb5_error] (0x0020): [RID#18] [1432158308][PAC check failed].
(2022-06-09 14:51:22): [krb5_child[1808]] [k5c_send_data] (0x0200): [RID#18] Received error code 1432158308
(2022-06-09 14:51:22): [krb5_child[1808]] [pack_response_packet] (0x2000): [RID#18] response packet size: [20]
(2022-06-09 14:51:22): [krb5_child[1808]] [k5c_send_data] (0x4000): [RID#18] Response sent.
(2022-06-09 14:51:22): [krb5_child[1808]] [main] (0x0400): [RID#18] krb5_child completed successfully
I had to roll back the system to before the update for now but am willing to attempt again if additional data is needed.
https://bugzilla.redhat.com/show_bug.cgi?id=2095356
Sumit Bose sbose@redhat.com changed:
What       |Removed |Added
----------------------------------------------------------------------------
Doc Type   |---     |If docs needed, set a value
Resolution |---     |DUPLICATE
Status     |NEW     |CLOSED
Last Closed|        |2022-06-09 16:21:28

--- Comment #1 from Sumit Bose sbose@redhat.com ---
As a work-around set
pac_check = check_upn, check_upn_dns_info_ex
in the [pac] section of sssd.conf.
*** This bug has been marked as a duplicate of bug 2094685 ***
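
A triage sketch for the failure signature in the log excerpt above, added here as an example and not part of the bug report or of SSSD: it parses krb5_child.log debug lines and reports requests where validate_tgt rejected a TGT on the PAC check. The function names and the line regex are assumptions of this example, derived from the layout of the excerpt; the sample lines are copied from that excerpt.

```python
import re
from collections import defaultdict

# Layout seen in the excerpt: (timestamp): [proc[pid]] [function] (level): [RID#n] message
LINE_RE = re.compile(
    r"\((?P<ts>\d{4}-\d{2}-\d{2} [\d:]+)\): "
    r"\[(?P<proc>\w+)\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)"
)
PRINCIPAL_RE = re.compile(r"PAC check failed for principal \[(?P<princ>[^\]]+)\]")

# Sample input: lines copied from the excerpt in the report above.
SAMPLE_LOG = """\
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0400): [RID#18] TGT verified using key for [host/zeus.net.ida@NET.IDA].
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_extract_pac] (0x0040): [RID#18] No PAC authdata available.
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0020): [RID#18] PAC check failed for principal [thomasb@NET.IDA].
(2022-06-09 14:51:22): [krb5_child[1808]] [map_krb5_error] (0x0020): [RID#18] [1432158308][PAC check failed].
(2022-06-09 14:51:22): [krb5_child[1808]] [main] (0x0400): [RID#18] krb5_child completed successfully
"""

def parse_line(line):
    """Split one debug line into its fields; None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_pac_failures(text):
    """Group lines by (pid, RID) and return requests whose TGT failed the PAC check."""
    requests = defaultdict(lambda: {"no_pac": False, "principal": None, "ts": None})
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # continuation lines or foreign formats are skipped
        req = requests[(rec["pid"], rec["rid"])]
        if rec["func"] == "sss_extract_pac" and "No PAC authdata available" in rec["msg"]:
            req["no_pac"] = True  # the ticket carried no PAC at all
        m = PRINCIPAL_RE.search(rec["msg"])
        if rec["func"] == "validate_tgt" and m:
            req["principal"], req["ts"] = m.group("princ"), rec["ts"]
    return [
        {"pid": pid, "rid": rid, **req}
        for (pid, rid), req in requests.items() if req["principal"]
    ]

if __name__ == "__main__":
    for hit in find_pac_failures(SAMPLE_LOG):
        print(hit)
```

A hit with `no_pac` set means the ticket carried no PAC at all, as in this report; a hit without it means a PAC was present but failed one of the configured checks.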