https://bugzilla.redhat.com/show_bug.cgi?id=2095102
Bug ID: 2095102
Summary: SSSD 2.7.1 causes IPA/krb5 authentication to fail
with messages such as the following in
/var/log/sssd/sssd_DOMAIN.log
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: plarsen(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
jhrozek(a)redhat.com, lslebodn(a)redhat.com,
luk.claes(a)gmail.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
This issue is replicated in this BZ:
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1857082...
After updating sssd to 2.7.1-1, logins using GDM to an IPA user fail.
Error in krb5_child.log:
* (2022-06-08 23:28:04): [krb5_child[4535]] [sss_krb5_responder] (0x4000): [RID#22] Got question [password].
* (2022-06-08 23:28:04): [krb5_child[4535]] [sss_krb5_expire_callback_func] (0x2000): [RID#22] exp_time: [10364636]
* (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x2000): [RID#22] Found keytab entry with the realm of the credential.
* (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0400): [RID#22] TGT verified using key for [host/boss.peterlarsen.org(a)PETERLARSEN.ORG].
* (2022-06-08 23:28:04): [krb5_child[4535]] [sss_extract_pac] (0x0040): [RID#22] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC check failed for principal [peter(a)PETERLARSEN.ORG].
(2022-06-08 23:28:04): [krb5_child[4535]] [get_and_save_tgt] (0x0020): [RID#22] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC check failed for principal [peter(a)PETERLARSEN.ORG].
* (2022-06-08 23:28:04): [krb5_child[4535]] [get_and_save_tgt] (0x0020): [RID#22] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE *********************************
Version-Release number of selected component (if applicable):
2.7.1-1
How reproducible:
Constant
Steps to Reproduce:
1. Update from 2.7.0-1 to 2.7.1-1
Actual results:
Login via GDM not possible
Expected results:
Login working
Additional info:
Downgrading to 2.7.0-1 allowed GDM to work again.
Note, applying
https://access.redhat.com/solutions/2210951 did not resolve the
issue.
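A triage sketch for the krb5_child.log pattern quoted in the report above, added here as an example and not part of the bug report or of SSSD: it groups lines by child PID and request ID and lists the principals whose TGT validation ended in "PAC check failed", noting whether the same request also logged "No PAC authdata available". It assumes the line layout shown in the report with wrapped lines rejoined; the sample log, host and principal are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the krb5_child.log line format quoted in the report
# (principal, host and the second request are made up for illustration).
SAMPLE_LOG = """\
* (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0400): [RID#22] TGT verified using key for [host/client.example.test@EXAMPLE.TEST].
* (2022-06-08 23:28:04): [krb5_child[4535]] [sss_extract_pac] (0x0040): [RID#22] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC check failed for principal [alice@EXAMPLE.TEST].
* (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC check failed for principal [alice@EXAMPLE.TEST].
(2022-06-08 23:31:10): [krb5_child[4601]] [validate_tgt] (0x0400): [RID#23] TGT verified using key for [host/client.example.test@EXAMPLE.TEST].
"""

# Optional "*" prefix marks lines replayed inside a backtrace dump.
LINE_RE = re.compile(
    r"^\s*(?:\*\s+)?\((?P<ts>[\d-]+ [\d:]+)\): \[krb5_child\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"PAC check failed for principal \[(?P<principal>[^\]]+)\]")


def find_pac_failures(log_text):
    """Return one record per (pid, RID) whose TGT validation failed the PAC check."""
    requests = defaultdict(lambda: {"principal": None, "no_pac": False, "first_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # backtrace banners and unrelated lines
        req = requests[(int(m["pid"]), int(m["rid"]))]
        req["first_seen"] = req["first_seen"] or m["ts"]
        if m["func"] == "sss_extract_pac" and "No PAC authdata available" in m["msg"]:
            req["no_pac"] = True
        failed = FAILED_RE.search(m["msg"])
        if m["func"] == "validate_tgt" and failed:
            req["principal"] = failed["principal"]  # backtrace repeats collapse here
    return [
        {"pid": pid, "rid": rid, "time": r["first_seen"],
         "principal": r["principal"], "ticket_had_no_pac": r["no_pac"]}
        for (pid, rid), r in sorted(requests.items()) if r["principal"]
    ]


if __name__ == "__main__":
    for hit in find_pac_failures(SAMPLE_LOG):
        print(hit)
```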