Bug 1375552

Summary: krb5_map_user doesn't seem effective anymore
Product: [Fedora] Fedora
Component: sssd
Version: 24
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Juraci Paixão Kröhling <jcosta>
Assignee: Jakub Hrozek <jhrozek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, jhrozek, lslebodn, mzidek, ncross, pbrezina, preichl, rharwood, sbose, ssorce
Fixed In Version: sssd-1.14.1-3.fc24 sssd-1.14.1-3.fc23
Last Closed: 2016-09-30 15:51:53 UTC
Type: Bug
Attachments: sssd realm log

Description Juraci Paixão Kröhling 2016-09-13 12:01:22 UTC
Created attachment 1200475
sssd realm log

Description of problem:
For the past few days, it seems that the `krb5_map_user` setting in `/etc/sssd/sssd.conf` is not taking effect. I have this property set to `jpkroehling:jcosta`, so that my local user `jpkroehling` is translated to `jcosta` on a given Kerberos realm. It used to work, but now I see the following in the logs:

Sep 13 13:37:56 carambola [sssd[krb5_child[15539]]][15539]: Client 'jpkroehling' not found in Kerberos database


Version-Release number of selected component (if applicable):
1.14.1, release 2.fc24

How reproducible:
Always

Steps to Reproduce:
I basically followed the instructions in [1] to get an automatic kinit whenever I log in.

[1] https://jhrozek.wordpress.com/2015/07/17/get-rid-of-calling-manually-calling-kinit-with-sssds-help/

Actual results:
There's no valid Kerberos ticket, as it tries to get one for the user `jpkroehling`.

Expected results:
A Kerberos ticket would have been obtained for `jcosta`.

Additional info:
From IRC:

<lslebodn> jpkroehling: Could you file a fedora BZ + provide log files with debug_level=9
<lslebodn> I assume that bug is caused by sysdb refactoring which was done in 1.14

A possible workaround is to downgrade sssd:
dnf downgrade sssd-krb5 sssd sssd-krb5-common python3-sssdconfig sssd-ad sssd-krb5-common sssd-ipa sssd-ldap sssd-proxy sssd-common-pac libipa_hbac sssd-common libsss_autofs libsss_idmap libsss_sudo sssd-client
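
A triage check for the symptom reported above, as an added example that is not part of the original report or of SSSD: it reads the `krb5_map_user` pairs from an sssd.conf and flags `krb5_child` log lines where the KDC was asked for the unmapped local name. It assumes the comma-separated `local:primary` format for `krb5_map_user`; the domain section name and the second log line are constructed sample data, and the function names are hypothetical.

```python
import configparser
import re

# Sample inputs: the first log line is the one from the report,
# the section name and the second log line are constructed.
SAMPLE_CONF = """\
[domain/EXAMPLE.COM]
auth_provider = krb5
krb5_map_user = jpkroehling:jcosta
"""
SAMPLE_LOG = """\
Sep 13 13:37:56 carambola [sssd[krb5_child[15539]]][15539]: Client 'jpkroehling' not found in Kerberos database
Sep 13 13:40:02 carambola [sssd[krb5_child[15601]]][15601]: Client 'nobody' not found in Kerberos database
"""

NOT_FOUND = re.compile(
    r"krb5_child\[\d+\].*Client '([^']+)' not found in Kerberos database")


def load_user_map(conf_text):
    """Return {local_user: kerberos_primary} from every krb5_map_user option."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    mapping = {}
    for section in parser.sections():
        raw = parser.get(section, "krb5_map_user", fallback="")
        for pair in filter(None, (p.strip() for p in raw.split(","))):
            local, sep, primary = pair.partition(":")
            if not sep or not local.strip() or not primary.strip():
                raise ValueError(f"malformed krb5_map_user entry: {pair!r}")
            mapping[local.strip()] = primary.strip()
    return mapping


def unmapped_requests(log_text, mapping):
    """Return (local_user, expected_primary) pairs where the mapping was not applied."""
    hits = []
    for line in log_text.splitlines():
        m = NOT_FOUND.search(line)
        if m:
            client = m.group(1).split("@", 1)[0]  # drop the realm if it was logged
            if client in mapping:  # KDC saw the local name, not the mapped one
                hits.append((client, mapping[client]))
    return hits


if __name__ == "__main__":
    for local, primary in unmapped_requests(SAMPLE_LOG, load_user_map(SAMPLE_CONF)):
        print(f"mapping ignored: ticket requested for {local!r}, expected {primary!r}")
```

A failed lookup for a name that has no mapping entry (the constructed `nobody` line) is not reported, since it does not indicate that `krb5_map_user` was ignored.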

Comment 1 Juraci Paixão Kröhling 2016-09-13 12:09:44 UTC
As a workaround, downgrading sssd seems effective:

# systemctl stop sssd
# rm -f /var/lib/sss/db/* 
# dnf downgrade sssd-krb5 sssd sssd-krb5-common python3-sssdconfig sssd-ad sssd-krb5-common sssd-ipa sssd-ldap sssd-proxy sssd-common-pac libipa_hbac sssd-common libsss_autofs libsss_idmap libsss_sudo sssd-client sssd-tools sssd-dbus python3-sss libsss_simpleifp
# systemctl start sssd

Comment 2 Jakub Hrozek 2016-09-14 07:34:52 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3188

Comment 3 Lukas Slebodnik 2016-09-22 20:15:41 UTC
master:
* b34ffbf33729c557c3d1aebf4707ad0ffe4f1904

Comment 4 Fedora Update System 2016-09-24 00:53:23 UTC
sssd-1.14.1-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-33f0007fb9

Comment 5 Fedora Update System 2016-09-24 00:53:29 UTC
sssd-1.14.1-3.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-3107ac53e5

Comment 6 Fedora Update System 2016-09-24 01:51:13 UTC
sssd-1.14.1-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1306e3da3c

Comment 7 Fedora Update System 2016-09-27 00:32:27 UTC
sssd-1.14.1-3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-09-30 15:51:53 UTC
sssd-1.14.1-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2016-10-09 09:23:16 UTC
sssd-1.14.1-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.