Bug 1344940
| Summary: | GSSAPI error causes failures for child domain user logins across IPA - AD trust | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Amy Farley <afarley> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Steeve Goveas <sgoveas> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.2 | CC: | abokovoy, afarley, grajaiya, ipa-maint, jhrozek, jstephen, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, pvoborni, rcritten, sbose, sgoveas, sumenon |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.14.0-12.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 07:18:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Comment 4
Petr Vobornik
2016-06-13 15:11:01 UTC
From the customer: Internal management needs a status on trust issue. We need to come up with assessment and action plan asap. Do we have any workarounds that they can do? Authentication is not working for them.

Upstream ticket: https://fedorahosted.org/sssd/ticket/3103

How to test: Currently if IPA trusts an AD forest with multiple names the [capaths] section in /var/lib/sss/pubconf/krb5.include.d/domain_realm_IPA_DEVEL looks like:

```
[capaths]
AD.DEVEL = {
    IPA.DEVEL = AD.DEVEL
}
IPA.DEVEL = {
    AD.DEVEL = AD.DEVEL
}
CHILD.AD.DEVEL = {
    IPA.DEVEL = AD.DEVEL
}
IPA.DEVEL = {
    CHILD.AD.DEVEL = AD.DEVEL
}
IPA.DEVEL = {
    CHILD.AD.DEVEL = AD.DEVEL
}
```

which is wrong, there should be only one sub-section for each domain:

```
[capaths]
AD.DEVEL = {
    IPA.DEVEL = AD.DEVEL
}
CHILD.AD.DEVEL = {
    IPA.DEVEL = AD.DEVEL
}
IPA.DEVEL = {
    AD.DEVEL = AD.DEVEL
    CHILD.AD.DEVEL = AD.DEVEL
}
```

master:
* 66588a6241df42a04cb9ead75cf3afb38495d74a
* 2efebde7ddd5f1729a70ef4ec9de607cc393214c
* 5e40ba3168e21dbd5fa1812d6f2fc95f508a9e6e

Verified on RHEL7.3 using sssd-1.14.0-18.el7.x86_64, ipa-server-4.4.0-7.el7.x86_64, ipa-server-trust-ad-4.4.0-7.el7.x86_64

```
[root@ipaserver db]# ipa trustdomain-find
Realm name: pne.qe
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
  Domain enabled: True

  Domain name: chd2.pne.qe
  Domain NetBIOS name: CHD2
  Domain Security Identifier: S-1-5-21-1720992857-1892626802-862641562
  Domain enabled: True

  Domain name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
  Domain enabled: True
----------------------------
Number of entries returned 3
----------------------------

# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_redlabs_qe
[domain_realm]
.pne.qe = PNE.QE
pne.qe = PNE.QE
.chd.pne.qe = CHD.PNE.QE
chd.pne.qe = CHD.PNE.QE
.chd2.pne.qe = CHD2.PNE.QE
chd2.pne.qe = CHD2.PNE.QE

[capaths]
PNE.QE = {
    REDLABS.QE = PNE.QE
}
CHD.PNE.QE = {
    REDLABS.QE = PNE.QE
}
CHD2.PNE.QE = {
    REDLABS.QE = PNE.QE
}
REDLABS.QE = {
    PNE.QE = PNE.QE
    CHD.PNE.QE = PNE.QE
    CHD2.PNE.QE = PNE.QE
}
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html
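The shape of the fix described above, as an added example that is not SSSD's code: build a [capaths] block with one sub-section per realm (every AD realm transits through the forest root), and a check that flags the duplicated IPA-realm sub-sections the broken file had. The realm names and the BROKEN sample are constructed to mirror the comment.

```python
import re

def build_capaths(ipa_realm, forest_root, child_realms=()):
    """Return a [capaths] block with exactly one sub-section per realm.

    Each AD realm (forest root and children) reaches the IPA realm via the
    forest root, and the IPA realm reaches each AD realm the same way.
    Realm names are assumed to be upper-case Kerberos realms.
    """
    paths = {}  # realm -> {destination realm: intermediate realm}
    for ad_realm in (forest_root, *child_realms):
        paths.setdefault(ad_realm, {})[ipa_realm] = forest_root
        paths.setdefault(ipa_realm, {})[ad_realm] = forest_root
    lines = ["[capaths]"]
    for realm, targets in paths.items():
        lines.append(f"{realm} = {{")
        lines.extend(f"    {dst} = {via}" for dst, via in targets.items())
        lines.append("}")
    return "\n".join(lines) + "\n"

def duplicate_capaths_sections(text):
    """Return realms that open more than one sub-section under [capaths]."""
    counts = {}
    in_capaths = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # a new [section] header
            in_capaths = (line == "[capaths]")
            continue
        m = re.match(r"([A-Za-z0-9.\-]+)\s*=\s*\{", line)
        if in_capaths and m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return sorted(r for r, n in counts.items() if n > 1)

# Constructed sample mirroring the broken file quoted in the bug.
BROKEN = (
    "[capaths]\n"
    "AD.DEVEL = {\n    IPA.DEVEL = AD.DEVEL\n}\n"
    "IPA.DEVEL = {\n    AD.DEVEL = AD.DEVEL\n}\n"
    "CHILD.AD.DEVEL = {\n    IPA.DEVEL = AD.DEVEL\n}\n"
    "IPA.DEVEL = {\n    CHILD.AD.DEVEL = AD.DEVEL\n}\n"
)

if __name__ == "__main__":
    print("duplicated sub-sections:", duplicate_capaths_sections(BROKEN))
    print(build_capaths("IPA.DEVEL", "AD.DEVEL", ["CHILD.AD.DEVEL"]))
```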