Bug 1431858

Summary: Wrong principal found with ad provider and long host name
Product: Red Hat Enterprise Linux 7
Reporter: Lukas Slebodnik <lslebodn>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: shridhar <sgadekar>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, pjagrut, sgoveas, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.15.2-15.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-08-01 09:04:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Lukas Slebodnik 2017-03-13 21:24:46 UTC
Description of problem:
sssd tries to find the most suitable principal from the keytab. We need to use the UPN with the AD provider, and it should be at most 15 upper-case letters from the hostname.

e.g.
hostname =  kvm-02-guest20kvm-02-guest20.sssd.com
UPN = KVM-02-GUEST20K$@SSSDAD.COM

Version-Release number of selected component (if applicable):
sh$ rpm -q sssd
sssd-1.14.0-43.el7_3.11.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. set a hostname longer than 15 characters
2. join sssd to the AD domain
3. start sssd
4. try to resolve some users

Actual results:
Users are not resolved

Expected results:
Users are resolved.

Additional info:
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to SSSDAD.COM
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Will look for kvm-02-guest20kvm-02-guest20.sssdad.com in default keytab
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal kvm-02-guest20kvm-02-guest20.sssdad.com in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching kvm-02-guest20kvm-02-guest20.sssdad.com found in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal KVM-02-GUEST20KVM-02-GUEST20$@SSSDAD.COM in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching KVM-02-GUEST20KVM-02-GUEST20$@SSSDAD.COM found in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/kvm-02-guest20kvm-02-guest20.sssdad.com in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [match_principal] (0x1000): Principal matched to the sample (host/kvm-02-guest20kvm-02-guest20.sssdad.com).
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/kvm-02-guest20kvm-02-guest20.sssdad.com
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SSSDAD.COM
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/kvm-02-guest20kvm-02-guest20.sssdad.com
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to SSSDAD.COM

sh# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com

Comment 2 Lukas Slebodnik 2017-03-13 21:27:59 UTC
Workaround is to set ldap_sasl_authid to right UPN

BTW, it was not a problem on rhel7.2 because adcli created the principal "HOST/" instead of "host/", and therefore sssd did not match it and fell back to the pattern "*$".

(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to SSSDAD.COM
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Will look for ibm-x3500m4-01ibm-x3500m4-01.sssdad.com in default keytab
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal ibm-x3500m4-01ibm-x3500m4-01.sssdad.com in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching ibm-x3500m4-01ibm-x3500m4-01.sssdad.com found in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal IBM-X3500M4-01IBM-X3500M4-01$@SSSDAD.COM in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching IBM-X3500M4-01IBM-X3500M4-01$@SSSDAD.COM found in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching host/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com found in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal *$@SSSDAD.COM in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [match_principal] (0x1000): Principal matched to the sample (*$@SSSDAD.COM).
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): Selected primary: IBM-X3500M4-01I$
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SSSDAD.COM
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to IBM-X3500M4-01I$
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to SSSDAD.COM


sh# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com

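The principal selection that the description and comment 2 walk through, as an added Python model (not sssd's code and not the reporter's): the AD computer account is the short hostname cut to 15 characters, upper-cased, with a trailing "$", and the candidates are tried in the order the debug logs show. The keytab lists are constructed from the klist output above with one entry per principal, and the matching rule is a simplification assumed here.

```python
import fnmatch

# Constructed keytab listings, reduced to the distinct principals shown by
# klist -kt in this bug (klist prints one line per encryption type).
KEYTAB_LONG_HOST = [
    "KVM-02-GUEST20K$@SSSDAD.COM",
    "host/KVM-02-GUEST20K@SSSDAD.COM",
    "host/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM",
    "RestrictedKrbHost/KVM-02-GUEST20K@SSSDAD.COM",
    "RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com@SSSDAD.COM",
]
# Keytab from comment 2 (RHEL 7.2 join): adcli wrote "HOST/" in upper case.
KEYTAB_RHEL72 = [
    "IBM-X3500M4-01I$@SSSDAD.COM",
    "HOST/IBM-X3500M4-01I@SSSDAD.COM",
    "HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com@SSSDAD.COM",
    "RestrictedKrbHost/IBM-X3500M4-01I@SSSDAD.COM",
    "RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com@SSSDAD.COM",
]

def ad_computer_upn(hostname, realm, truncate=True):
    """AD computer account = short hostname cut to 15 chars, upper-cased, '$'.
    truncate=False rebuilds the candidate the affected sssd derived from the
    whole hostname, which never exists in the keytab."""
    short = hostname.split(".", 1)[0].upper()
    if truncate:
        short = short[:15]
    return "%s$@%s" % (short, realm)

def find_principal(keytab, sample):
    """Simplified matcher (an assumption, not sssd's code): a sample without
    a realm is compared to the principal part only; matching is
    case-sensitive and '*' is a glob wildcard."""
    for entry in keytab:
        name = entry if "@" in sample else entry.split("@", 1)[0]
        if fnmatch.fnmatchcase(name, sample):
            return entry
    return None

def select_principal(keytab, hostname, realm, truncate=True):
    """Try the candidates in the order the debug log shows; first hit wins."""
    for sample in (hostname,
                   ad_computer_upn(hostname, realm, truncate),
                   "host/%s" % hostname,
                   "*$@%s" % realm):
        hit = find_principal(keytab, sample)
        if hit is not None:
            return hit
    return None
```

With truncate=False the long hostname selects host/<fqdn>, as in the original log, and the RHEL 7.2 keytab falls through to the "*$" pattern; with truncation it selects KVM-02-GUEST20K$@SSSDAD.COM, the workaround value and the post-fix result shown in comment 6.
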
Comment 3 Lukas Slebodnik 2017-03-14 09:30:45 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3329

Comment 4 Lukas Slebodnik 2017-04-12 21:21:04 UTC
master:
* c6f1bc32774a7cf2f8678499dfbced420be3a3a1

sssd-1-14:
* fee7386e3af5e55eb3c66d8cf3533075b977a734

sssd-1-13:
* 56ca9ad3d7ec7da2e82b51ffc55f6d1367d14f34

Comment 6 shridhar 2017-05-26 10:11:48 UTC
verified with:

r7-permanent ~]# rpm -q sssd
sssd-1.15.2-33.el7.x86_64

 ~]# cat /etc/sssd/sssd.conf 

[sssd]
domains = sssd16.qe
config_file_version = 2
services = nss, pam

[domain/sssd16.qe]
ad_domain = sssd16.qe
krb5_realm = SSSD16.QE
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
#ldap_sasl_authid = SHR-R7-PERMANEN$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 9


-r7-permanent ~]# id fu1
uid=616401111(fu1) gid=616400513(domain users) groups=616400513(domain users),616401112(fg1),616401113(fg2)

from domain logs:

(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [sdap_set_sasl_options] (0x0100): Will look for shr-r7-permanent.sssd16.qe in default keytab
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [find_principal_in_keytab] (0x4000): Trying to find principal shr-r7-permanent.sssd16.qe in keytab.
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [find_principal_in_keytab] (0x0400): No principal matching shr-r7-permanent.sssd16.qe found in keytab.
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [find_principal_in_keytab] (0x4000): Trying to find principal SHR-R7-PERMANEN$@SSSD16.QE in keytab.
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [match_principal] (0x1000): Principal matched to the sample (SHR-R7-PERMANEN$@SSSD16.QE).
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [select_principal_from_keytab] (0x0200): Selected primary: SHR-R7-PERMANEN$
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [select_principal_from_keytab] (0x0200): Selected realm: SSSD16.QE
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to SHR-R7-PERMANEN$
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to SSSD16.QE


~]# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:39 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:39 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe

Comment 7 errata-xmlrpc 2017-08-01 09:04:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294