Bug 1441077
Field | Value
---|---
Summary | sssd does not evaluate AD UPN suffixes which results in failed user logins
Product | Red Hat Enterprise Linux 7
Reporter | Thorsten Scherf <tscherf>
Component | sssd
Assignee | SSSD Maintainers <sssd-maint>
Status | CLOSED ERRATA
QA Contact | Sudhir Menon <sumenon>
Severity | urgent
Priority | urgent
Docs Contact |
Version | 7.3
CC | grajaiya, jhrozek, kludhwan, ksiddiqu, lslebodn, markus.larsson, mkosek, mzidek, nsoman, pbrezina, ronald.wimmer, sbose, sgoveas, tscherf
Target Milestone | rc
Target Release | ---
Keywords | ZStream
Hardware | All
OS | Linux
Whiteboard |
Fixed In Version | sssd-1.15.1-1.el7
Doc Type | If docs needed, set a value
Doc Text |
Story Points | ---
Clone Of |
 | 1445821 (view as bug list)
Environment |
Last Closed | 2017-08-01 09:04:18 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Bug Depends On |
Bug Blocks | 1445821
Description
Thorsten Scherf
2017-04-11 07:55:29 UTC
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3384

Tested using
ipa-server-4.5.0-11.el7.x86_64
389-ds-base-1.3.6.1-13.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
sssd-1.15.2-29.el7.x86_64

Observations:

1. The trusted AD user with UPN set is unable to log in to the client, which seems to be related to an existing bz1450425

[root@master ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Trust type: Active Directory domain
  UPN suffixes: test.qa, pune.in
----------------------------
Number of entries returned 1
----------------------------

[root@client ~]# ldapsearch -Y GSSAPI -H ldap://master.testrelm.test -b 'dc=testrelm,dc=test' 'objectclass=ipaNTTrustedDomain' ipaNTAdditionalSuffixes
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=testrelm,dc=test> with scope subtree
# filter: objectclass=ipaNTTrustedDomain
# requesting: ipaNTAdditionalSuffixes
#

# pne.qe, ad, trusts, testrelm.test
dn: cn=pne.qe,cn=ad,cn=trusts,dc=testrelm,dc=test
ipaNTAdditionalSuffixes: test.qa
ipaNTAdditionalSuffixes: pune.in

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@master ~]# ssh -l aduser2 client.testrelm.test
Password:
packet_write_wait: Connection to UNKNOWN port 65535: Broken pipe

Tested on RHEL7.4 using
ipa-server-4.5.0-9.el7.x86_64
sssd-1.15.2-24.el7.x86_64
selinux-policy-3.13.1-145.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
pki-ca-10.4.1-3.el7.noarch
authconfig-6.2.8-23.el7.x86_64

[root@master~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Trust type: Active Directory domain
  UPN suffixes: test.qa, pune.in
----------------------------
Number of entries returned 1

[root@master ~]# id aduser2
uid=1261601539(aduser2) gid=1261601539(aduser2) groups=1261601539(aduser2),1261601559(adgroup1),1261600513(domain users)

[root@master~]# ssh -l aduser2 client.testrelm.test
Password:
Could not chdir to home directory /home/pne.qe/aduser2: No such file or directory
-sh-4.2$ whoami
aduser2
-sh-4.2$ id
uid=1261601539(aduser2) gid=1261601539(aduser2) groups=1261601539(aduser2),1261600513(domain users),1261601559(adgroup1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@client pam.d]# kinit -E aduser2
Password for aduser2@pune.in:

[root@client pam.d]# klist -l
Principal name                 Cache name
--------------                 ----------
aduser2                        KEYRING:persistent:0:0

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294
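What "evaluating the UPN suffixes" amounts to, as an added illustration that is not sssd's or FreeIPA's code: read the ipaNTAdditionalSuffixes values that the ldapsearch above returns for each ipaNTTrustedDomain entry, and map a login of the form user@suffix to the trusted domain that owns that suffix. The LDIF below is a constructed sample copied from the search result quoted in the bug; the function names parse_trust_suffixes and resolve_upn, and the TrustedDomain type, are this example's own.

```python
"""Map UPN-style logins to a trusted AD domain via ipaNTAdditionalSuffixes.

Added example, not sssd/FreeIPA code. Demonstrates the lookup that sssd
must do so that aduser2@pune.in resolves to the trust pne.qe.
"""
from dataclasses import dataclass, field

# Constructed sample input: the LDIF entry that the ldapsearch in the bug
# report returns for the pne.qe trust (comment lines kept as in the output).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=testrelm,dc=test> with scope subtree
# filter: objectclass=ipaNTTrustedDomain
# requesting: ipaNTAdditionalSuffixes
#

# pne.qe, ad, trusts, testrelm.test
dn: cn=pne.qe,cn=ad,cn=trusts,dc=testrelm,dc=test
ipaNTAdditionalSuffixes: test.qa
ipaNTAdditionalSuffixes: pune.in

# search result
search: 4
result: 0 Success
"""


@dataclass
class TrustedDomain:
    """One ipaNTTrustedDomain entry: its name (from the cn= RDN) and suffixes."""
    name: str
    upn_suffixes: set = field(default_factory=set)


def parse_trust_suffixes(ldif: str) -> dict:
    """Return {domain name: TrustedDomain} from ipaNTTrustedDomain LDIF output.

    Unfolds LDIF continuation lines (leading space), skips '#' comments, and
    lower-cases both domain names and suffixes because DNS names are
    case-insensitive.
    """
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        else:
            lines.append(raw)

    domains = {}
    current = None
    for line in lines:
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            rdn = value.split(",", 1)[0]
            if not rdn.lower().startswith("cn="):
                current = None            # not a trust entry we understand
                continue
            name = rdn[3:].lower()
            current = domains.setdefault(name, TrustedDomain(name))
        elif attr == "ipantadditionalsuffixes" and current is not None:
            current.upn_suffixes.add(value.lower())
    return domains


def resolve_upn(login: str, domains: dict):
    """Return (user, trusted domain name) for user@suffix, or None.

    The suffix matches if it is the trust's own domain name or one of its
    additional UPN suffixes. A login without '@' is not decided here (that is
    the default-domain path), and an unknown suffix is rejected rather than
    silently attributed to some domain.
    """
    if "@" not in login:
        return None
    user, _, suffix = login.rpartition("@")
    suffix = suffix.lower().rstrip(".")
    if not user or not suffix:
        return None
    for dom in domains.values():
        if suffix == dom.name or suffix in dom.upn_suffixes:
            return (user, dom.name)
    return None


if __name__ == "__main__":
    trusts = parse_trust_suffixes(SAMPLE_LDIF)
    for login in ("aduser2@pune.in", "aduser2@pne.qe", "aduser2@example.com"):
        print(login, "->", resolve_upn(login, trusts))
```

The important failure mode is the last branch: a suffix that no trust claims must come back as "no match" and fail the login, not fall through to a guessed domain, because matching against the wrong domain would map the name to the wrong identity. With the sample entry, aduser2@pune.in and aduser2@test.qa both resolve to pne.qe, which is the lookup the ssh attempt in the report depends on.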