Bug 1051016

Summary: FAST does not work in SSSD 1.11.2 in Fedora 20
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: grajaiya, jgalipea, lslebodn, mkosek, pbrezina, preichl
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.11.2-24.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 11:20:00 UTC

Description Dmitri Pal 2014-01-09 14:50:01 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2186

I have configured FreeIPA with two-factor authentication and set up SSSD to try FAST. SSSD runs on the IPA master itself:
{{{
krb5_use_fast = try
krb5_fast_principal = host/master.ipa.test
}}}

When trying to log in through SSH to master.ipa.test, I entered the OTP key, and in the SSSD logs I can see that the SSSD krb5 child did negotiate FAST, obtained the ticket for the user and finally stored it in the keyring ccache. However, SSSD's domain child did receive a response back that it didn't understand; therefore, the full logon failed.

Comment 1 Jakub Hrozek 2014-01-09 15:53:28 UTC
This bug is not intended to be tested, just sanity only.

Comment 3 Kaushik Banerjee 2014-01-22 17:38:40 UTC
Verified SanityOnly with version 1.11.2-29 as all the krb5_fast_principal tests pass with this build.

Output of beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_001 valid principal
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_success user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal host/ibm-hs23-01.rhts.eng.bos.redhat.com in keytab' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Principal matched to the sample (host/ibm-hs23-01.rhts.eng.bos.redhat.com)' 
krb5-fast-principal-001-valid-principal result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_002 invalid principal
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_failure user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal invalid in keytab' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'No principal matching invalid found in keytab' 
krb5-fast-principal-002-invalid-principal result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_003 principal
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_failure user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal principal in keytab' 
krb5-fast-principal-003-principal-TEST-COM result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_004 null principal
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_success user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal (null)@EXAMPLE.COM' 
krb5-fast-principal-004-null-principal result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_005 valid principal and krb5_validate=true
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_success user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal host/ibm-hs23-01.rhts.eng.bos.redhat.com in keytab' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Principal matched to the sample (host/ibm-hs23-01.rhts.eng.bos.redhat.com)' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'TGT verified using key for \[host/ibm-hs23-01.rhts.eng.bos.redhat.com\]' 
krb5-fast-principal-005-valid-principal-and-krb5-validate-true result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_006 invalid principal and krb5_validate=true
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_failure user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal invalid in keytab' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'No principal matching invalid found in keytab' 
krb5-fast-principal-006-invalid-principal-and-krb5-validate-true result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_007 principal and krb5_validate=true
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_failure user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal principal in keytab' 
krb5-fast-principal-007-principal-TEST-COM-and-krb5-validate-true result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_008 null principal and krb5_validate=true
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_success user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal (null)@EXAMPLE.COM' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'TGT verified using key for \[host/ibm-hs23-01.rhts.eng.bos.redhat.com\]'
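
The krb5_child.log checks that the automation run above performs can be wrapped in one shell function that classifies the keytab lookup for a given `krb5_fast_principal` value. This is an added example, not part of the bug report or of the SSSD test suite; the function names, the sample hostname and the log line prefix are constructed, and only the three message texts are taken from the run output.

```shell
#!/bin/sh
# Classify the FAST principal keytab lookup recorded in an SSSD krb5_child.log.
# The three message texts are the ones the automation run greps for.

fast_lookup_status() {
    # $1 = path to krb5_child.log, $2 = value of krb5_fast_principal
    log=$1 princ=$2
    if ! grep -qF "Trying to find principal $princ in keytab" "$log"; then
        echo "no-lookup"          # krb5_child never searched for this principal
    elif grep -qF "Principal matched to the sample ($princ)" "$log"; then
        echo "matched"            # keytab holds an entry for the FAST principal
    elif grep -qF "No principal matching $princ found in keytab" "$log"; then
        echo "not-in-keytab"      # configured principal is absent from the keytab
    else
        echo "lookup-unresolved"  # search was logged, its outcome was not
    fi
}

# Constructed sample log: simplified prefix, placeholder hostname.
make_sample_log() {
    cat > "$1" <<'EOF'
(constructed) [krb5_child] Trying to find principal host/client.example.test in keytab.
(constructed) [krb5_child] Principal matched to the sample (host/client.example.test).
(constructed) [krb5_child] Trying to find principal invalid in keytab.
(constructed) [krb5_child] No principal matching invalid found in keytab.
(constructed) [krb5_child] Trying to find principal principal in keytab.
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    make_sample_log "$tmp"
    for p in host/client.example.test invalid principal host/other.example.test; do
        printf '%s -> %s\n' "$p" "$(fast_lookup_status "$tmp" "$p")"
    done
    rm -f "$tmp"
}

demo
```

On a real host the first argument would be `/var/log/sssd/krb5_child.log`, which needs a raised `debug_level` in the domain section to contain these messages.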

Comment 4 Ludek Smid 2014-06-13 11:20:00 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.