Bug 1344940

Summary: GSSAPI error causes failures for child domain user logins across IPA - AD trust
Product: Red Hat Enterprise Linux 7 Reporter: Amy Farley <afarley>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Steeve Goveas <sgoveas>
Severity: high Docs Contact:
Priority: high    
Version: 7.2CC: abokovoy, afarley, grajaiya, ipa-maint, jhrozek, jstephen, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, pvoborni, rcritten, sbose, sgoveas, sumenon
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.14.0-12.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 07:18:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 4 Petr Vobornik 2016-06-13 15:11:01 UTC 
Adding Alexander and Jakub,..
Comment 15 Amy Farley 2016-07-06 16:21:00 UTC 
From the customer:

Internal management needs a status on trust issue. We need to come up with assessment and action plan asap.

Do we have any workarounds that they can do? Authentication is not working for them.
Comment 24 Sumit Bose 2016-07-20 09:55:12 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3103
Comment 27 Sumit Bose 2016-07-21 14:16:19 UTC 
How to test:

Currently if IPA trusts an AD forest with multiple names the [capaths] section in /var/lib/sss/pubconf/krb5.include.d/domain_realm_IPA_DEVEL looks like:

[capaths]
AD.DEVEL = {
  IPA.DEVEL = AD.DEVEL
}
IPA.DEVEL = {
  AD.DEVEL = AD.DEVEL
}
CHILD.AD.DEVEL = {
  IPA.DEVEL = AD.DEVEL
}
IPA.DEVEL = {
  CHILD.AD.DEVEL = AD.DEVEL
}
IPA.DEVEL = {
  CHILD.AD.DEVEL = AD.DEVEL
}

which is wrong, there should be only one sub-section for each domain:

[capaths]
AD.DEVEL = {
  IPA.DEVEL = AD.DEVEL
}
CHILD.AD.DEVEL = {
  IPA.DEVEL = AD.DEVEL
}
IPA.DEVEL = {
  AD.DEVEL = AD.DEVEL
  CHILD.AD.DEVEL = AD.DEVEL
}
Comment 28 Lukas Slebodnik 2016-07-25 12:17:02 UTC 
master: 
* 66588a6241df42a04cb9ead75cf3afb38495d74a 
* 2efebde7ddd5f1729a70ef4ec9de607cc393214c 
* 5e40ba3168e21dbd5fa1812d6f2fc95f508a9e6e
Comment 33 Sudhir Menon 2016-08-17 13:23:11 UTC 
Verified on RHEL7.3 using 

sssd-1.14.0-18.el7.x86_64
ipa-server-4.4.0-7.el7.x86_64
ipa-server-trust-ad-4.4.0-7.el7.x86_64

[root@ipaserver db]# ipa trustdomain-find
Realm name: pne.qe
  Domain name: chd.pne.qe
  Domain NetBIOS name: CHD
  Domain Security Identifier: S-1-5-21-725505228-2944741108-2454985349
  Domain enabled: True

  Domain name: chd2.pne.qe
  Domain NetBIOS name: CHD2
  Domain Security Identifier: S-1-5-21-1720992857-1892626802-862641562
  Domain enabled: True

  Domain name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-3912719521-1967590360-1136226524
  Domain enabled: True
----------------------------
Number of entries returned 3
----------------------------

#cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_redlabs_qe 

[domain_realm]
.pne.qe = PNE.QE
pne.qe = PNE.QE
.chd.pne.qe = CHD.PNE.QE
chd.pne.qe = CHD.PNE.QE
.chd2.pne.qe = CHD2.PNE.QE
chd2.pne.qe = CHD2.PNE.QE

[capaths]
PNE.QE = {
  REDLABS.QE = PNE.QE
}
CHD.PNE.QE = {
  REDLABS.QE = PNE.QE
}
CHD2.PNE.QE = {
  REDLABS.QE = PNE.QE
}
REDLABS.QE = {
  PNE.QE = PNE.QE
  CHD.PNE.QE = PNE.QE
  CHD2.PNE.QE = PNE.QE
}
Comment 35 errata-xmlrpc 2016-11-04 07:18:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html