Bug 1182183

Summary: pam_sss(sshd:auth): authentication failure with user from AD
Product: Red Hat Enterprise Linux 7
Reporter: David Spurek <dspurek>
Component: sssd
Assignee: Sumit Bose <sbose>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.1
CC: dpal, ebenes, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mupadhye, mzidek, nkarandi, pbrezina, pkis, preichl, sbose
Target Milestone: rc
Keywords: Regression, Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.12.2-43.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 10:35:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description David Spurek 2015-01-14 14:52:03 UTC
Description of problem:
pam_sss(sshd:auth): authentication failure with user from AD.

sssd configuration was generated by realmd

getent passwd works fine:
getent passwd Amy.qe
amy.qe:*:381001103:381000513:Amy:/home/ad.baseos.qe/amy:/bin/bash


ssh Amy.qe@localhost
Amy.qe@localhost's password: 
Permission denied, please try again.

part of log from /var/log/secure
Jan 14 09:39:06 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=Amy.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy.qe
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_sss(sshd:auth): received for user Amy.qe: 4 (System error)
Jan 14 09:39:12 ibm-p8-kvm-lt-guest-10 sshd[621]: pam_ldap(sshd:auth): error opening connection to nslcd: No such file or directory
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Failed password for Amy.qe from ::1 port 33535 ssh2
Jan 14 09:39:14 ibm-p8-kvm-lt-guest-10 sshd[621]: Connection closed by ::1 [preauth]

cat /etc/sssd/sssd.conf
[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = IBM-P8-KVM-LT-G$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

Version-Release number of selected component (if applicable):
sssd-1.12.2-32

How reproducible:
always

Steps to Reproduce:
1.realm join -v --user=Amy-admin --user-principal=host/Test27402.QE ad.baseos.qe
2.ssh Amy.qe@localhost
3.

Actual results:
pam_sss(sshd:auth): authentication failure

Expected results:
pam_sss(sshd:auth): authentication success

Additional info:
This is a regression, the same test case worked with sssd-1.12.2-28

part of log from /var/log/secure
Jan 14 09:08:11 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=Amy.qe
Jan 14 09:08:13 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy.qe
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sssd[be[ad.baseos.qe]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: pam_ldap(sshd:account): error opening connection to nslcd: No such file or directory
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: Failed password for Amy.qe from ::1 port 33400 ssh2
Jan 14 09:08:14 ibm-p8-kvm-lt-guest-10 sshd[27251]: fatal: Access denied for user Amy.qe by PAM account configuration [preauth]

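The two /var/log/secure excerpts in the description fail at different PAM phases: on sssd-1.12.2-32 pam_sss rejects the login in the auth phase and reports code 4 (Linux-PAM's PAM_SYSTEM_ERR, a backend problem rather than a wrong password), while on -28 pam_sss reports authentication success and the login is refused afterwards in the account phase ("Access denied ... by PAM account configuration", preceded by the pam_ldap(sshd:account) nslcd error). Separating those cases is the first triage step for a report like this. The following is an added example, not code from the bug report or from sssd: it groups constructed sshd log lines (modelled on the excerpts above; the final wrong-password session is constructed and not from the report) by sshd PID and classifies each session. The PAM code names are Linux-PAM's; the classification labels are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/secure excerpts in the report.
# Hostname and the last session (PID 25100, a wrong-password case) are
# illustrative and not taken from the original log.
SAMPLE_LOG = """\
Jan 14 09:39:06 host1 sshd[621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=Amy.qe
Jan 14 09:39:12 host1 sshd[621]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy.qe
Jan 14 09:39:12 host1 sshd[621]: pam_sss(sshd:auth): received for user Amy.qe: 4 (System error)
Jan 14 09:39:14 host1 sshd[621]: Failed password for Amy.qe from ::1 port 33535 ssh2
Jan 14 09:08:13 host1 sshd[27251]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Amy.qe
Jan 14 09:08:14 host1 sshd[27251]: pam_ldap(sshd:account): error opening connection to nslcd: No such file or directory
Jan 14 09:08:14 host1 sshd[27251]: Failed password for Amy.qe from ::1 port 33400 ssh2
Jan 14 09:08:14 host1 sshd[27251]: fatal: Access denied for user Amy.qe by PAM account configuration [preauth]
Jan 27 18:02:02 host1 sshd[25048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=kau1
Jan 27 18:02:02 host1 sshd[25048]: Accepted password for kau1 from ::1 port 51748 ssh2
Jan 27 18:05:00 host1 sshd[25100]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=kau1
Jan 27 18:05:00 host1 sshd[25100]: pam_sss(sshd:auth): received for user kau1: 7 (Authentication failure)
"""

PID_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SSS_AUTH_RE = re.compile(r"pam_sss\(sshd:auth\): authentication (?P<result>success|failure);.*user=(?P<user>\S+)")
SSS_RESULT_RE = re.compile(r"pam_sss\(sshd:auth\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")
ACCT_DENY_RE = re.compile(r"Access denied for user (?P<user>\S+) by PAM account configuration")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from")

# Linux-PAM return codes that pam_sss commonly reports in "received for user" lines.
PAM_CODES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR",
             9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}


def parse_sessions(log_text):
    """Group sshd lines by PID and record what each PAM phase reported."""
    sessions = defaultdict(lambda: {"user": None, "sss_auth": None, "sss_code": None,
                                    "acct_denied": False, "accepted": False})
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue  # sssd backend lines, pam_unix noise without a PID, etc.
        s, msg = sessions[m["pid"]], m["msg"]
        if (a := SSS_AUTH_RE.search(msg)):
            s["user"], s["sss_auth"] = a["user"], a["result"]
        elif (r := SSS_RESULT_RE.search(msg)):
            s["user"], s["sss_code"] = r["user"], int(r["code"])
        elif (d := ACCT_DENY_RE.search(msg)):
            s["user"], s["acct_denied"] = d["user"], True
        elif (ok := ACCEPTED_RE.search(msg)):
            s["user"], s["accepted"] = ok["user"], True
    return dict(sessions)


def classify(session):
    """Name the phase at which the session was decided."""
    if session["accepted"]:
        return "accepted"
    if session["sss_auth"] == "success" and session["acct_denied"]:
        return "account_denied"      # password was fine; an account-phase module refused
    if session["sss_auth"] == "failure":
        if session["sss_code"] == 7:
            return "bad_credentials"  # PAM_AUTH_ERR: the credential itself was rejected
        return "backend_error"        # e.g. 4 PAM_SYSTEM_ERR: sssd could not finish the request
    return "unknown"


def triage(log_text):
    """Map sshd PID -> (user, verdict, PAM code name or None)."""
    return {pid: (s["user"], classify(s), PAM_CODES.get(s["sss_code"]))
            for pid, s in parse_sessions(log_text).items()}


if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_LOG).items():
        print(pid, *verdict)
```

A "backend_error" verdict is the cue to raise debug_level in sssd.conf and look at the sssd domain log, as Comment 4 asks; "bad_credentials" and "account_denied" point at the user's password and the rest of the PAM stack respectively.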
Comment 4 Jakub Hrozek 2015-01-14 15:28:00 UTC
Can you prepare a test machine that reproduces the bug or attach log files with a high debug_level?

Comment 7 Jakub Hrozek 2015-01-14 17:25:49 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2557

Comment 13 Jakub Hrozek 2015-01-19 10:29:53 UTC
Fixed upstream:
    master: 576ad637181b80d39a4e136c9afbf34c57f76156
    sssd-1-12: 24df1487413d13248dcc70d2548a763930da4c65

Comment 15 Nirupama Karandikar 2015-01-27 12:32:00 UTC
Tested with sssd-1.12.2-47.el7.x86_64

1. Install sssd-1.12.2-39.el7.x86_64 on test VM.

2. Configure sssd to authenticate to AD. From /etc/sssd/sssd.conf

[domain/sssdad2012.com]
ad_domain = sssdad2012.com
krb5_realm = SSSDAD2012.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad

3. With ktutil add an invalid principal to the keytab file.

# klist -ekt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (des-cbc-crc) 
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (des-cbc-md5) 
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (aes128-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (aes256-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (arcfour-hmac) 
   2 01/27/2015 17:21:36 host/dhcp207-182 (des-cbc-crc) 
   2 01/27/2015 17:21:36 host/dhcp207-182 (des-cbc-md5) 
   2 01/27/2015 17:21:36 host/dhcp207-182 (aes128-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 host/dhcp207-182 (aes256-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 host/dhcp207-182 (arcfour-hmac) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (des-cbc-crc) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (des-cbc-md5) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (aes128-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (aes256-cts-hmac-sha1-96) 
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (arcfour-hmac) 
   3 01/27/2015 17:51:44 host/Test13775 (aes256-cts-hmac-sha1-96) 


The "host/Test13775" is a principal not known to AD.

4. User auth fails. 

[root@dhcp207-182 ~]# ssh -l kau1  localhost
kau1@localhost's password: 
Permission denied, please try again.
kau1@localhost's password: 
Permission denied, please try again.
kau1@localhost's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

From /var/log/secure

Jan 27 17:53:20 dhcp207-182 sshd[24774]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=kau1
Jan 27 17:53:20 dhcp207-182 sshd[24774]: pam_sss(sshd:auth): received for user kau1: 4 (System error)
Jan 27 17:53:22 dhcp207-182 sshd[24774]: Failed password for kau1 from ::1 port 51693 ssh2
Jan 27 17:53:22 dhcp207-182 sshd[24774]: Connection closed by ::1 [preauth]

5. Update to sssd-1.12.2-47.el7.x86_64.rpm.

Try auth with AD user. Login 

[root@dhcp207-182 ~]# ssh -l kau1  localhost
kau1@localhost's password: 
Last failed login: Tue Jan 27 17:58:56 IST 2015 from localhost on ssh:notty
Last login: Tue Jan 27 17:53:56 2015 from localhost
Could not chdir to home directory /home/kau1: No such file or directory
-sh-4.2$ 

From /var/log/secure

Jan 27 18:02:02 dhcp207-182 sshd[25048]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=kau1
Jan 27 18:02:02 dhcp207-182 sssd[be[sssdad2012.com]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Jan 27 18:02:02 dhcp207-182 sshd[25048]: Accepted password for kau1 from ::1 port 51748 ssh2
Jan 27 18:02:02 dhcp207-182 sshd[25048]: pam_unix(sshd:session): session opened for user kau1 by (uid=0)

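The verification above seeds /etc/krb5.keytab with a principal AD does not know and shows the unfixed build failing with PAM_SYSTEM_ERR, so the keytab contents are worth a check of their own whenever AD authentication through sssd breaks. The following is an added example, not code from the bug report or from sssd: it parses `klist -ekt` output (a constructed sample modelled on the listing above) and flags principals outside the set the join wrote for this host (host/<fqdn>, host/<shortname>, <SHORTNAME>$), entries whose realm differs from the expected one, and single-DES enctypes. The expected hostname and realm are passed in as assumptions; the set of single-DES enctypes treated as weak is the example's own choice.

```python
import re

# Constructed sample modelled on the klist -ekt listing in the comment above
# (trimmed to a few enctypes; not the original output).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (aes256-cts-hmac-sha1-96)
   2 01/27/2015 17:21:36 host/dhcp207-182.sssdad2012.com (des-cbc-crc)
   2 01/27/2015 17:21:36 host/dhcp207-182 (aes256-cts-hmac-sha1-96)
   2 01/27/2015 17:21:36 DHCP207-182$@SSSDAD2012.COM (aes256-cts-hmac-sha1-96)
   3 01/27/2015 17:51:44 host/Test13775 (aes256-cts-hmac-sha1-96)
"""

# One "klist -ekt" entry: KVNO, date, time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+ \S+)\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)\s*$")

# Single-DES enctypes; MIT Kerberos refuses them unless allow_weak_crypto is set.
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md5"}


def parse_klist(text):
    """Return the keytab entries as dicts, skipping the header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"kvno": int(m["kvno"]), "principal": m["princ"], "etype": m["etype"]})
    return entries


def split_principal(princ):
    """'name@REALM' -> ('name', 'REALM'); a bare name -> ('name', None)."""
    name, sep, realm = princ.rpartition("@")
    return (name, realm) if sep else (princ, None)


def audit_keytab(text, fqdn, realm):
    """List (finding, principal, detail) tuples for entries that do not belong to this host.

    fqdn and realm are assumptions supplied by the caller: the host's DNS name
    and the AD realm it was joined to.
    """
    short = fqdn.split(".")[0]
    allowed = {f"host/{fqdn}", f"host/{short}", f"{short.upper()}$"}
    findings = []
    for e in parse_klist(text):
        name, r = split_principal(e["principal"])
        if name not in allowed:
            findings.append(("unexpected_principal", e["principal"], e["kvno"]))
        elif r is not None and r != realm:
            findings.append(("foreign_realm", e["principal"], r))
        if e["etype"] in WEAK_ETYPES:
            findings.append(("weak_enctype", e["principal"], e["etype"]))
    return findings


if __name__ == "__main__":
    for finding in audit_keytab(SAMPLE_KLIST, "dhcp207-182.sssdad2012.com", "SSSDAD2012.COM"):
        print(*finding)
```

On a live system feed it `subprocess.run(["klist", "-ekt"], capture_output=True, text=True).stdout`; an "unexpected_principal" hit such as host/Test13775 is exactly the entry the verification step planted, and the KVNO it carries tells you whether it came from the join or was added afterwards.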
Comment 18 errata-xmlrpc 2015-03-05 10:35:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html