Bug 1431858
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Wrong principal found with ad provider and long host name | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Lukas Slebodnik <lslebodn> |
| Component | sssd | Assignee | SSSD Maintainers <sssd-maint> |
| Status | CLOSED ERRATA | QA Contact | shridhar <sgadekar> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.4 | CC | grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, pjagrut, sgoveas, tscherf |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | sssd-1.15.2-15.el7 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2017-08-01 09:04:18 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Lukas Slebodnik
2017-03-13 21:24:46 UTC
Workaround is to set ldap_sasl_authid to the right UPN, BTW. It was not a problem on rhel7.2 because adcli created principal "HOST/" instead of "host/" and therefore sssd did not match it and fell back to pattern "*$".

```
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to SSSDAD.COM
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Will look for ibm-x3500m4-01ibm-x3500m4-01.sssdad.com in default keytab
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal ibm-x3500m4-01ibm-x3500m4-01.sssdad.com in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching ibm-x3500m4-01ibm-x3500m4-01.sssdad.com found in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal IBM-X3500M4-01IBM-X3500M4-01$@SSSDAD.COM in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching IBM-X3500M4-01IBM-X3500M4-01$@SSSDAD.COM found in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching host/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com found in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal *$@SSSDAD.COM in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [match_principal] (0x1000): Principal matched to the sample (*$@SSSDAD.COM).
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): Selected primary: IBM-X3500M4-01I$
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SSSDAD.COM
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to IBM-X3500M4-01I$
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to SSSDAD.COM
```

```
sh# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
```

Upstream ticket: https://pagure.io/SSSD/sssd/issue/3329

master:
* c6f1bc32774a7cf2f8678499dfbced420be3a3a1

sssd-1-14:
* fee7386e3af5e55eb3c66d8cf3533075b977a734

sssd-1-13:
* 56ca9ad3d7ec7da2e82b51ffc55f6d1367d14f34

verified with:

```
r7-permanent ~]# rpm -q sssd
sssd-1.15.2-33.el7.x86_64
```

```
~]# cat /etc/sssd/sssd.conf
[sssd]
domains = sssd16.qe
config_file_version = 2
services = nss, pam

[domain/sssd16.qe]
ad_domain = sssd16.qe
krb5_realm = SSSD16.QE
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
#ldap_sasl_authid = SHR-R7-PERMANEN$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 9
```

```
-r7-permanent ~]# id fu1
uid=616401111(fu1) gid=616400513(domain users) groups=616400513(domain users),616401112(fg1),616401113(fg2)
```

from domain logs:

```
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [sdap_set_sasl_options] (0x0100): Will look for shr-r7-permanent.sssd16.qe in default keytab
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [find_principal_in_keytab] (0x4000): Trying to find principal shr-r7-permanent.sssd16.qe in keytab.
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [find_principal_in_keytab] (0x0400): No principal matching shr-r7-permanent.sssd16.qe found in keytab.
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [find_principal_in_keytab] (0x4000): Trying to find principal SHR-R7-PERMANEN$@SSSD16.QE in keytab.
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [match_principal] (0x1000): Principal matched to the sample (SHR-R7-PERMANEN$@SSSD16.QE).
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [select_principal_from_keytab] (0x0200): Selected primary: SHR-R7-PERMANEN$
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [select_principal_from_keytab] (0x0200): Selected realm: SSSD16.QE
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to SHR-R7-PERMANEN$
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to SSSD16.QE
```

```
~]# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:39 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:39 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294
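The selection order that the `find_principal_in_keytab` lines above expose (raw hostname, then `NETBIOSNAME$@REALM`, then `host/fqdn`, then the `*$@REALM` fallback) is what decides which keytab key the AD backend binds with over SASL. The following Python model, added here as an illustration and not SSSD's own code, replays that order against keytab contents constructed from the two `klist -kt` listings in this report. It assumes, from the two logs, that the fix consists of truncating the upper-cased short hostname to the 15-character NetBIOS limit before appending `$`; the candidate list, the case-sensitive matching and the `truncate_netbios` switch are reconstructions from the log lines, not SSSD's actual option names.

```python
import fnmatch

# sAMAccountName of a computer object is its NetBIOS name (at most 15 chars) plus '$'.
NETBIOS_MAX = 15


def candidate_principals(fqdn, realm, truncate_netbios):
    """Candidates in the order the debug log shows find_principal_in_keytab trying them.

    The order itself is reconstructed from the log lines in the report; whether
    the fixed code still tries the later candidates is not visible there.
    """
    short = fqdn.split(".")[0].upper()
    if truncate_netbios:            # the behaviour seen in the fixed (verified) log
        short = short[:NETBIOS_MAX]
    return [
        fqdn,                       # "Will look for <fqdn> in default keytab"
        f"{short}$@{realm}",        # machine account UPN
        f"host/{fqdn}",             # host service principal
        f"*$@{realm}",              # last resort: any machine account in the realm
    ]


def find_principal_in_keytab(keytab, pattern):
    """Case-sensitive match; '*' only acts as a wildcard in the fallback pattern."""
    for princ in keytab:
        if fnmatch.fnmatchcase(princ, pattern):
            return princ
    return None


def select_principal_from_keytab(keytab, fqdn, realm, truncate_netbios=True):
    """Return (candidate that matched, keytab entry it matched) or (None, None)."""
    for cand in candidate_principals(fqdn, realm, truncate_netbios):
        found = find_principal_in_keytab(keytab, cand)
        if found is not None:
            return cand, found
    return None, None


def sasl_authid(principal):
    """The 'Selected primary' the log reports: the principal without its realm."""
    return principal.split("@", 1)[0]


# Constructed from the first klist -kt listing (KVNO and timestamps dropped, duplicates collapsed).
KEYTAB_OLD_ADCLI = [                # adcli on RHEL 7.2 wrote the service entries as HOST/
    "IBM-X3500M4-01I$@SSSDAD.COM",
    "HOST/IBM-X3500M4-01I",
    "HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com",
    "RestrictedKrbHost/IBM-X3500M4-01I",
    "RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com",
]
# Same machine joined by a newer adcli, which writes host/ in lower case (constructed).
KEYTAB_NEW_ADCLI = [p.replace("HOST/", "host/") for p in KEYTAB_OLD_ADCLI]

# Constructed from the second (verification) klist -kt listing.
KEYTAB_VERIFIED = [
    "SHR-R7-PERMANEN$@SSSD16.QE",
    "host/SHR-R7-PERMANEN",
    "host/shr-r7-permanent.sssd16.qe",
    "RestrictedKrbHost/SHR-R7-PERMANEN",
    "RestrictedKrbHost/shr-r7-permanent.sssd16.qe",
]

FQDN = "ibm-x3500m4-01ibm-x3500m4-01.sssdad.com"
REALM = "SSSDAD.COM"


def demo():
    """Replay the three situations the report describes."""
    return {
        # RHEL 7.2-style keytab: host/fqdn is not matched (HOST/ differs in case),
        # so the *$ fallback lands on the machine account by luck.
        "old_adcli_unfixed": select_principal_from_keytab(KEYTAB_OLD_ADCLI, FQDN, REALM, truncate_netbios=False),
        # Lower-case host/ entry present: the untruncated UPN misses and host/fqdn wins (the bug).
        "new_adcli_unfixed": select_principal_from_keytab(KEYTAB_NEW_ADCLI, FQDN, REALM, truncate_netbios=False),
        # With the NetBIOS truncation the machine account UPN is found directly.
        "new_adcli_fixed": select_principal_from_keytab(KEYTAB_NEW_ADCLI, FQDN, REALM, truncate_netbios=True),
    }


if __name__ == "__main__":
    for case, (cand, found) in demo().items():
        print(f"{case:>18}: matched {cand!r} -> {found!r}, ldap_sasl_authid = {sasl_authid(found)!r}")
```

Run against the verification keytab, the same model picks `SHR-R7-PERMANEN$@SSSD16.QE` only when the truncation is applied; without it the lower-case `host/shr-r7-permanent.sssd16.qe` entry would have been selected, which is why the workaround in the description is to pin `ldap_sasl_authid` to the machine account UPN explicitly (the commented-out `ldap_sasl_authid = SHR-R7-PERMANEN$` in the verified sssd.conf is exactly that value). When auditing a join, comparing `klist -kt` against the `Selected primary` debug line is the quickest check that the backend is binding with the machine account rather than a service principal.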