Bug 1441077

Summary: sssd does not evaluate AD UPN suffixes which results in failed user logins
Product: Red Hat Enterprise Linux 7
Reporter: Thorsten Scherf <tscherf>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Sudhir Menon <sumenon>
Severity: urgent
Priority: urgent
Version: 7.3
CC: grajaiya, jhrozek, kludhwan, ksiddiqu, lslebodn, markus.larsson, mkosek, mzidek, nsoman, pbrezina, ronald.wimmer, sbose, sgoveas, tscherf
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: sssd-1.15.1-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1445821
Environment:
Last Closed: 2017-08-01 09:04:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1445821

Description Thorsten Scherf 2017-04-11 07:55:29 UTC
Description of problem:

In an IPA AD cross-forest trust setup, users are failing to login on clients using an AD Enterprise Principal. Using the same Principal with kinit works without any problems. 

Version-Release number of selected component (if applicable):
sssd-1.14.0-43.el7_3.11.x86_64
ipa-server-4.4.0-14.el7_3.x86_64


Comment 17 Jakub Hrozek 2017-04-26 18:04:44 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3384

Comment 24 Sudhir Menon 2017-05-15 11:21:44 UTC
Tested using 

ipa-server-4.5.0-11.el7.x86_64
389-ds-base-1.3.6.1-13.el7.x86_64
pki-ca-10.4.1-4.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
sssd-1.15.2-29.el7.x86_64

Observations:
1. The trusted AD user with UPN set is unable to log in to the client, which seems to be related to an existing bz1450425

[root@master ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Trust type: Active Directory domain
  UPN suffixes: test.qa, pune.in
----------------------------
Number of entries returned 1
----------------------------
  
[root@client ~]# ldapsearch -Y GSSAPI -H ldap://master.testrelm.test -b 'dc=testrelm,dc=test' 'objectclass=ipaNTTrustedDomain' ipaNTAdditionalSuffixes
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=testrelm,dc=test> with scope subtree
# filter: objectclass=ipaNTTrustedDomain
# requesting: ipaNTAdditionalSuffixes
#
 
# pne.qe, ad, trusts, testrelm.test
dn: cn=pne.qe,cn=ad,cn=trusts,dc=testrelm,dc=test
ipaNTAdditionalSuffixes: test.qa
ipaNTAdditionalSuffixes: pune.in
 
# search result
search: 4
result: 0 Success
 
# numResponses: 2
# numEntries: 1
 
[root@master ~]# ssh -l aduser2 client.testrelm.test
Password:
packet_write_wait: Connection to UNKNOWN port 65535: Broken pipe

Comment 28 Sudhir Menon 2017-05-16 13:06:33 UTC
Tested on RHEL7.4 using

ipa-server-4.5.0-9.el7.x86_64
sssd-1.15.2-24.el7.x86_64
selinux-policy-3.13.1-145.el7.noarch
krb5-server-1.15.1-8.el7.x86_64
pki-ca-10.4.1-3.el7.noarch
authconfig-6.2.8-23.el7.x86_64


[root@master~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: pne.qe
  Domain NetBIOS name: PNE
  Domain Security Identifier: S-1-5-21-2202318585-426110948-4011710778
  Trust type: Active Directory domain
  UPN suffixes: test.qa, pune.in
----------------------------
Number of entries returned 1

[root@master ~]# id aduser2
uid=1261601539(aduser2) gid=1261601539(aduser2) groups=1261601539(aduser2),1261601559(adgroup1),1261600513(domain users)

[root@master~]# ssh -l aduser2 client.testrelm.test
Password: 
Could not chdir to home directory /home/pne.qe/aduser2: No such file or directory
-sh-4.2$ whoami 
aduser2
-sh-4.2$ id
uid=1261601539(aduser2) gid=1261601539(aduser2) groups=1261601539(aduser2),1261600513(domain users),1261601559(adgroup1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@client pam.d]# kinit -E aduser2
Password for aduser2\@pune.in: 
[root@client pam.d]# klist -l
Principal name                 Cache name
--------------                 ----------
aduser2                 KEYRING:persistent:0:0
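Added illustration, not sssd's code and not part of this report: how the trust's UPN suffixes (the ipaNTAdditionalSuffixes values returned by the ldapsearch in comment 24) let a client map an enterprise-principal login such as aduser2@pune.in back to the pne.qe trust, which is the lookup that was missing when these logins failed. The LDIF sample is a constructed copy of that output; the function names are hypothetical.

```python
"""Resolve an AD enterprise-principal login name to its trusted domain via
the trust's UPN suffixes. Hypothetical illustration, not sssd's code."""
import re

# Constructed sample mirroring the ldapsearch output in comment 24.
TRUST_LDIF = """\
dn: cn=pne.qe,cn=ad,cn=trusts,dc=testrelm,dc=test
ipaNTAdditionalSuffixes: test.qa
ipaNTAdditionalSuffixes: pune.in
"""


def parse_trust_suffixes(ldif: str) -> dict:
    """Map each trusted AD realm (the entry's cn) to the set of suffixes a
    user may log in with: the realm itself plus ipaNTAdditionalSuffixes."""
    trusts, realm = {}, None
    for line in ldif.splitlines():
        m = re.match(r"dn: cn=([^,]+),cn=ad,cn=trusts,", line, re.I)
        if m:
            realm = m.group(1).lower()
            trusts[realm] = {realm}
        elif realm and line.lower().startswith("ipantadditionalsuffixes:"):
            trusts[realm].add(line.split(":", 1)[1].strip().lower())
    return trusts


def resolve_login(name: str, trusts: dict):
    """Return (user, realm) when the part after '@' is a trusted realm or
    one of its UPN suffixes; None when the name belongs to no known trust.
    Without the suffix lookup, 'aduser2@pune.in' would not match pne.qe,
    which is the failure mode reported in this bug."""
    if "@" not in name:
        return None
    user, suffix = name.rsplit("@", 1)
    suffix = suffix.lower()
    for realm, names in trusts.items():
        if suffix in names:
            return user, realm
    return None


if __name__ == "__main__":
    trusts = parse_trust_suffixes(TRUST_LDIF)
    for login in ("aduser2@pune.in", "aduser2@PNE.QE", "aduser2@other.example"):
        print(login, "->", resolve_login(login, trusts))
```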

Comment 29 errata-xmlrpc 2017-08-01 09:04:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294