Bug 1097286

Summary: Expanding home directory fails when the request comes from the PAC responder
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: urgent
Priority: urgent
Version: 7.0
CC: abokovoy, dpal, grajaiya, jgalipea, jhrozek, jkurik, lslebodn, mkosek, nsoman, pbrezina, preichl, sdenham, sgoveas
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Flags: nsoman: needinfo+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.11.2-68
Doc Type: Known Issue
Doc Text:
Cause: The code that saves a user while handling requests on the IPA server failed when the request was a SID-to-name mapping.
Consequence: Users logging in from Windows clients using GSSAPI had their group membership set incorrectly, because their groups could not be converted from SIDs.
Workaround: None
Result: N/A
Story Points: ---
Last Closed: 2015-03-05 10:27:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1098608

Description Jakub Hrozek 2014-05-13 13:36:36 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2333

When a request for a user is a lookup by SID, typically when it comes from the PAC responder, we don't handle the request well and error out. These would be the symptoms:
{{{
[apply_subdomain_homedir] (0x0040): Unsupported filter type: [4]
}}}
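As an added triage aid (not part of the bug report or of SSSD itself), the following Python scans sssd domain-log lines for the apply_subdomain_homedir symptom quoted above and compares the installed sssd package with this bug's Fixed In Version. The sample log lines are constructed, and the version comparison is a simplified numeric-segment one, not rpm's full vercmp.

```python
import re

# Symptom quoted in this bug: the IPA backend rejects a by-SID lookup (filter type 4).
SYMPTOM_RE = re.compile(
    r"\[apply_subdomain_homedir\] \(0x[0-9a-f]+\): Unsupported filter type: \[(\d+)\]")

# First build carrying the fix, taken from the "Fixed In Version" field of this bug.
FIXED_NVR = "sssd-1.11.2-68"

# Constructed sample of sssd domain-log lines, modelled on the sssd debug-log format.
SAMPLE_LOG = [
    "(Tue May 13 13:36:36 2014) [sssd[be[ipa.example.test]]] [be_get_account_info] "
    "(0x0100): Got request for [0x1001][1][name=administrator]",
    "(Tue May 13 13:36:36 2014) [sssd[be[ipa.example.test]]] [apply_subdomain_homedir] "
    "(0x0040): Unsupported filter type: [4]",
]


def find_symptom(log_lines):
    """Return the filter types reported by apply_subdomain_homedir failures, in log order."""
    return [int(m.group(1)) for m in map(SYMPTOM_RE.search, log_lines) if m]


def parse_nvr(nvr):
    """Split e.g. 'sssd-1.12.2-12.el7.x86_64' into ([1, 12, 2], [12]).

    Only numeric version/release segments are compared; this is a simplified
    stand-in for rpm's vercmp that is sufficient for the builds named in this bug.
    """
    m = re.match(r"sssd-(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)", nvr)
    if not m:
        raise ValueError("unrecognised sssd package string: %s" % nvr)
    return ([int(x) for x in m.group(1).split(".")],
            [int(x) for x in m.group(2).split(".")])


def has_fix(installed_nvr):
    """True when the installed sssd is at or after FIXED_NVR."""
    return parse_nvr(installed_nvr) >= parse_nvr(FIXED_NVR)


def triage(installed_nvr, log_lines):
    """Combine both checks into one verdict for an IPA server."""
    types = sorted(set(find_symptom(log_lines)))
    if types and not has_fix(installed_nvr):
        return "affected: filter type(s) %s rejected on %s" % (types, installed_nvr)
    if types:
        return "symptom seen on %s, which already carries the fix; look elsewhere" % installed_nvr
    return "no symptom in the supplied log lines"


if __name__ == "__main__":
    print(triage("sssd-1.11.2-67.el7.x86_64", SAMPLE_LOG))
```

Feed it the output of `rpm -q sssd` and the lines of the IPA domain log from /var/log/sssd to get a verdict for one server.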

Comment 1 Alexander Bokovoy 2014-05-13 13:39:53 UTC
Note that this is a severe bug for Windows Server 2012 interoperability. Without the fix in place, no single sign-on is possible with SSSD. This largely kills the benefit of Kerberos cross-forest trusts.

Comment 2 Jakub Hrozek 2014-05-13 13:43:52 UTC
(In reply to Alexander Bokovoy from comment #1)
> Note that this is a severe bug for Windows Server 2012 interoperability.
> Without the fix in place, no single sign-on is possible with SSSD. This
> largely kills the benefit of Kerberos cross-forest trusts.

Clarification -- the bug *only* hits the SSSD in server mode, not the clients. But I agree this is a bad one and would prevent the AD admins from logging in to the IDM servers.

Comment 3 Jakub Hrozek 2014-05-13 13:49:32 UTC
To reproduce, log in with GSSAPI on the IPA client:

ssh -k -l Administrator `hostname`

Comment 4 Namita Soman 2014-05-13 13:49:32 UTC
Please add steps to reproduce/verify this issue

Comment 5 Namita Soman 2014-05-13 13:50:40 UTC
Refreshed the page and saw you already added the steps - thanks :)

Comment 6 Jakub Hrozek 2014-05-13 13:50:55 UTC
(In reply to Jakub Hrozek from comment #3)
> To reproduce, log in with GSSAPI on the IPA client:
> 
> ssh -k -l Administrator `hostname`

Err, I'm sorry, I meant to say log in with GSSAPI on the IPA *SERVER*.

Comment 7 Namita Soman 2014-05-13 15:03:33 UTC
When would the response come from the PAC responder, versus not from the PAC responder?
 
Also please include info about pkg versions for server and client, and /etc/redhat-release to help reproduce.

Comment 8 Namita Soman 2014-05-13 15:09:40 UTC
Also - why is the user logging into the server? Isn't an AD user typically logging into the client?

Comment 9 Jakub Hrozek 2014-05-13 15:12:33 UTC
(In reply to Namita Soman from comment #7)
> When would the response come from the PAC responder, versus not from the PAC responder?
>  

When logging in with GSSAPI.

> Also please include info about pkg versions for server and client, and
> /etc/redhat-release to help reproduce.

RHEL7 latest as of today.

Comment 10 Jakub Hrozek 2014-05-13 15:13:01 UTC
(In reply to Namita Soman from comment #8)
> Also - why is the user logging into the server? Isn't an AD user typically
> logging into the client?

The AD admin might want to perform maintenance on the server.

Comment 13 Jakub Hrozek 2014-05-15 16:19:25 UTC
Proposing for RHEL7 0day

Comment 19 Steeve Goveas 2014-11-24 10:51:49 UTC
Verified in version

* Passwordless login on IPA Server

[root@gizmo ~]# rpm -q sssd
sssd-1.12.2-12.el7.x86_64

[root@gizmo ~]# grep ipa_server /etc/sssd/sssd.conf
ipa_server = _srv_, ibm-x3620m3-01.steeve2011.test

[root@gizmo ~]# kdestroy -A

[root@gizmo ~]# echo Secret123 | kinit Administrator
Password for Administrator: 

[root@gizmo ~]# ssh -K -l Administrator ibm-x3620m3-01.steeve2011.test
Creating home directory for Administrator.

-sh-4.2$ pwd
/home/adtest.qe/administrator

-sh-4.2$ id
uid=1148400500(administrator) gid=1148400500(administrator) groups=1148400500(administrator),1148400512(domain admins),1148400513(domain users),1148400518(schema admins),1148400519(enterprise admins),1148400520(group policy creator owners) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.2$ logout
Connection to ibm-x3620m3-01.steeve2011.test closed.

* Passwordless login on IPA client

[root@gizmo ~]# ssh -K -l Administrator `hostname`
Creating home directory for Administrator.

-sh-4.2$ hostname
gizmo.steeve2011.test

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1148400500:1148400500
Default principal: Administrator

Valid starting       Expires              Service principal
11/24/2014 02:18:03  11/24/2014 12:07:31  krbtgt/ADTEST.QE
	renew until 11/25/2014 02:07:30

Comment 21 errata-xmlrpc 2015-03-05 10:27:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html