New subject: [Bug 2095102] SSSD 2.7.1 causes IPA/krb5 authentication to fail with messages such as the following in /var/log/sssd/sssd_DOMAIN.log

Wednesday, 8 June 2022

https://bugzilla.redhat.com/show_bug.cgi?id=2095102

            Bug ID: 2095102
           Summary: SSSD 2.7.1  causes IPA/krb5 authentication to fail
                    with messages such as the following in
                    /var/log/sssd/sssd_DOMAIN.log
           Product: Fedora
           Version: 36
            Status: NEW
         Component: sssd
          Assignee: sssd-maintainers(a)lists.fedoraproject.org
          Reporter: plarsen(a)redhat.com
        QA Contact: extras-qa(a)fedoraproject.org
                CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
                    jhrozek(a)redhat.com, lslebodn(a)redhat.com,
                    luk.claes(a)gmail.com, mzidek(a)redhat.com,
                    pbrezina(a)redhat.com, sbose(a)redhat.com,
                    ssorce(a)redhat.com,
                    sssd-maintainers(a)lists.fedoraproject.org
  Target Milestone: ---
    Classification: Fedora

Description of problem:
This issue is replicated in this BZ: 
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1857082...

After updating to sssd to 2.7.1-1 logins using GDM to an IPA user fails. 

Error in krb5_child.log:
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [sss_krb5_responder] (0x4000):
[RID#22] Got question [password].
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [sss_krb5_expire_callback_func]
(0x2000): [RID#22] exp_time: [10364636]
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x2000):
[RID#22] Found keytab entry with the realm of the credential.
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0400):
[RID#22] TGT verified using key for
[host/boss.peterlarsen.org(a)PETERLARSEN.ORG].
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [sss_extract_pac] (0x0040):
[RID#22] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE
*********************************

(2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC
check failed for principal [peter(a)PETERLARSEN.ORG].
(2022-06-08 23:28:04): [krb5_child[4535]] [get_and_save_tgt] (0x0020): [RID#22]
2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020):
[RID#22] PAC check failed for principal [peter(a)PETERLARSEN.ORG].
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [get_and_save_tgt] (0x0020):
[RID#22] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE
*********************************

Version-Release number of selected component (if applicable):
2.7.1-1

How reproducible:
Constant

Steps to Reproduce:
1. Update from 2.7.0-1 to 2.7.1-1
2.
3.

Actual results:
Login via GDM not possible

Expected results:
Login working

Additional info:
Downgrading to 2.7.0-1 allowed GDM to work again. 
Note, applying https://access.redhat.com/solutions/2210951 did not resolve the
issue.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2095102

2024

2023

2022

2021

2020

[Bug 2095102] New: SSSD 2.7.1 causes IPA/krb5 authentication to fail with messages such as the following in /var/log/sssd/sssd_DOMAIN.log