https://bugzilla.redhat.com/show_bug.cgi?id=2094685
Bug ID: 2094685
Summary: Default of 'pac_check' is too strict
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Assignee: sssd-maintainers@lists.fedoraproject.org
Reporter: sbose@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: abokovoy@redhat.com, atikhono@redhat.com, jhrozek@redhat.com, lslebodn@redhat.com, luk.claes@gmail.com, mzidek@redhat.com, pbrezina@redhat.com, sbose@redhat.com, ssorce@redhat.com, sssd-maintainers@lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem: Default of 'pac_check' is too strict; it currently requires that a PAC is present when using ipa or ad provider. While it would work with the AD provider in most cases, for ipa there is a fair chance that the PAC will not be available.
If authentication fails and there are messages like "[validate_tgt] ... PAC check failed for principal ..." you are most probably affected by this issue. As a work-around set
pac_check = check_upn, check_upn_dns_info_ex
in the [pac] section of sssd.conf.
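A triage check for the symptom and work-around described above, as an added example that is not part of the bug report or of SSSD: it looks for the quoted failure message in log text and reports whether `pac_check` is set explicitly in `[pac]`. The sample config, the sample log lines, the bracketed principal format and all function names are constructed assumptions.

```python
import configparser
import re

# Message text quoted in the bug description; the principal format is assumed.
PAC_FAIL = re.compile(r"\[validate_tgt\].*PAC check failed for principal\s+(\S+)")
WORKAROUND = {"check_upn", "check_upn_dns_info_ex"}  # values from the work-around

SAMPLE_CONF = """\
[sssd]
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
"""
SAMPLE_LOG = """\
(2022-06-08 09:14:02): [krb5_child[2231]] [validate_tgt] (0x0020): PAC check failed for principal [alice@IPA.EXAMPLE.TEST].
(2022-06-08 09:14:02): [krb5_child[2231]] [main] (0x0400): constructed unrelated line
"""

def failed_principals(log_text):
    """Principals named in PAC check failure lines, first-seen order, no repeats."""
    seen = []
    for line in log_text.splitlines():
        m = PAC_FAIL.search(line)
        if m and (p := m.group(1).strip("[].,")) not in seen:
            seen.append(p)
    return seen

def pac_check_setting(conf_text):
    """Explicit pac_check values from [pac], or None when the built-in default applies."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_option("pac", "pac_check"):
        return None
    return {v.strip() for v in cp.get("pac", "pac_check").split(",") if v.strip()}

def triage(conf_text, log_text):
    """Classify a host from its sssd.conf text and SSSD log text."""
    principals = failed_principals(log_text)
    setting = pac_check_setting(conf_text)
    if not principals:
        status = "no-pac-failures"
    elif setting is None:
        status = "failing-on-default"      # the situation this bug describes
    elif setting == WORKAROUND:
        status = "failing-despite-workaround"
    else:
        status = "failing-with-custom-setting"
    return {"status": status, "principals": principals, "pac_check": setting}
```

Calling `triage(SAMPLE_CONF, SAMPLE_LOG)` reports `failing-on-default` for the constructed host; on a real system pass the contents of sssd.conf and of the SSSD log file that contains the `[validate_tgt]` lines.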
Sumit Bose sbose@redhat.com changed:
What             |Removed            |Added
----------------------------------------------------------------------------
CC               |                   |james@ettle.org.uk
--- Comment #1 from Sumit Bose sbose@redhat.com ---
*** Bug 2094648 has been marked as a duplicate of this bug. ***
--- Comment #2 from Sumit Bose sbose@redhat.com ---
Upstream pull-request with a fix https://github.com/SSSD/sssd/pull/6204.
Sumit Bose sbose@redhat.com changed:
What             |Removed            |Added
----------------------------------------------------------------------------
CC               |                   |dennis@ausil.us
--- Comment #3 from Sumit Bose sbose@redhat.com ---
*** Bug 2095086 has been marked as a duplicate of this bug. ***
Sumit Bose sbose@redhat.com changed:
What             |Removed            |Added
----------------------------------------------------------------------------
CC               |                   |plarsen@redhat.com
--- Comment #4 from Sumit Bose sbose@redhat.com ---
*** Bug 2095102 has been marked as a duplicate of this bug. ***
Sumit Bose sbose@redhat.com changed:
What             |Removed            |Added
----------------------------------------------------------------------------
CC               |                   |mheon@redhat.com
--- Comment #5 from Sumit Bose sbose@redhat.com ---
*** Bug 2094948 has been marked as a duplicate of this bug. ***
Sumit Bose sbose@redhat.com changed:
What             |Removed            |Added
----------------------------------------------------------------------------
CC               |                   |ossman@cendio.se
--- Comment #6 from Sumit Bose sbose@redhat.com ---
*** Bug 2095176 has been marked as a duplicate of this bug. ***
Alexey Tikhonov atikhono@redhat.com changed:
What             |Removed            |Added
----------------------------------------------------------------------------
Status           |NEW                |POST
--- Comment #7 from Alexey Tikhonov atikhono@redhat.com ---
Pushed PR: https://github.com/SSSD/sssd/pull/6204
* `master`
    * 55e93cf1cf4d61c6de7975cbdc97a723545586c0 - pac: relax default for pac_check option
* `sssd-2-7`
    * 26d8601e9b4e35ff89ca9fa72b9db05199096b56 - pac: relax default for pac_check option
Fedora Update System updates@fedoraproject.org changed:
What             |Removed            |Added
----------------------------------------------------------------------------
Status           |POST               |MODIFIED
--- Comment #8 from Fedora Update System updates@fedoraproject.org ---
FEDORA-2022-1f115ce8d2 has been submitted as an update to Fedora 35.
https://bodhi.fedoraproject.org/updates/FEDORA-2022-1f115ce8d2
--- Comment #9 from Fedora Update System updates@fedoraproject.org ---
FEDORA-2022-6d9be7e4c4 has been submitted as an update to Fedora 36.
https://bodhi.fedoraproject.org/updates/FEDORA-2022-6d9be7e4c4
--- Comment #10 from James james@ettle.org.uk ---
I'd like to commend the rapid response here.
Has upstream added a regression test to ensure this doesn't happen again?
Iker Pedrosa ipedrosa@redhat.com changed:
What             |Removed            |Added
----------------------------------------------------------------------------
CC               |                   |seanmottles@posteo.net
--- Comment #11 from Iker Pedrosa ipedrosa@redhat.com ---
*** Bug 2095228 has been marked as a duplicate of this bug. ***
Fedora Update System updates@fedoraproject.org changed:
What             |Removed            |Added
----------------------------------------------------------------------------
Status           |MODIFIED           |ON_QA
--- Comment #12 from Fedora Update System updates@fedoraproject.org ---
FEDORA-2022-6d9be7e4c4 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-6d9be7e4c4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-6d9be7e4c4
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
--- Comment #13 from Fedora Update System updates@fedoraproject.org ---
FEDORA-2022-1f115ce8d2 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-1f115ce8d2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-1f115ce8d2
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Sumit Bose sbose@redhat.com changed:
What             |Removed            |Added
----------------------------------------------------------------------------
CC               |                   |boroske@ida.ing.tu-bs.de
--- Comment #14 from Sumit Bose sbose@redhat.com ---
*** Bug 2095356 has been marked as a duplicate of this bug. ***
Fedora Update System updates@fedoraproject.org changed:
What             |Removed            |Added
----------------------------------------------------------------------------
Fixed In Version |                   |sssd-2.7.1-2.fc36
Resolution       |---                |ERRATA
Status           |ON_QA              |CLOSED
Last Closed      |                   |2022-06-11 01:58:03
--- Comment #15 from Fedora Update System updates@fedoraproject.org ---
FEDORA-2022-6d9be7e4c4 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.
Fedora Update System updates@fedoraproject.org changed:
What             |Removed            |Added
----------------------------------------------------------------------------
Fixed In Version |sssd-2.7.1-2.fc36  |sssd-2.7.1-2.fc36
                 |                   |sssd-2.7.1-2.fc35
--- Comment #16 from Fedora Update System updates@fedoraproject.org ---
FEDORA-2022-1f115ce8d2 has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.