Bug 1469509

Summary: "authconfig --enablekrb5 --updateall" does nothing
Product: Red Hat Enterprise Linux 7
Reporter: Thomas Schweikle <tschweikle>
Component: authconfig
Assignee: Pavel Březina <pbrezina>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: unspecified
Version: 7.3
CC: mkosek, pkis, tschweikle
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2018-02-21 11:32:26 UTC
Type: Bug

Description Thomas Schweikle 2017-07-11 12:11:07 UTC
Description of problem:
After installing "krb5-workstation", then configuring "/etc/krb5.conf", next executing "authconfig --enablekrb5 --updateall" does not configure kerberos pam modules.

Version-Release number of selected component (if applicable):
krb5-libs-1.14.1-27.el7_3.x86_64
krb5-workstation-1.14.1-27.el7_3.x86_64
pam_krb5-2.4.8-6.el7.x86_64
sssd-krb5-1.14.0-43.el7_3.18.x86_64
sssd-krb5-common-1.14.0-43.el7_3.18.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL 7.3
2. Configure sssd, kerberos, ldap
3. kerberos/pam fails, because kerberos not configured

Actual results:
"authconfig --enablekrb5 --updateall" does not configure pam_krb5.so modules

Expected results:
"authconfig --enablekrb5 --updateall" configures pam_krb5.so modules.

Additional info:
Authentication using kerberos fails to create krb_tgt for login -> login fails if user is only remote. LDAP fails to get users and groups from AD-Server. getent passwd only lists local users.

kinit <user> -> works.
ldapsearch -> works, if krb_tgt available.

login does not create a krb-ticket-cache.

sssd does not acquire a krb_tgt for the machine -> query ldap fails on AD: "Dissallowed".

Comment 2 Pavel Březina 2017-07-12 08:58:22 UTC
Hi, can you please attach /etc/krb5.conf, /etc/sssd/sssd.conf and /etc/pam.d/system-auth?
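
One way to check what the report describes, namely whether pam_krb5.so is actually active in /etc/pam.d/system-auth after running authconfig, as an added example that is not from the bug report or the authconfig project. The sample stack is constructed, and the function names `pam_modules`, `pam_has` and `krb5_report` are hypothetical.

```shell
# Constructed sample of /etc/pam.d/system-auth (not from the bug report):
# SSSD is wired in, pam_krb5.so appears only in a commented-out line.
sample_stack() {
cat <<'EOF'
#%PAM-1.0
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so forward_pass
# auth      sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_sss.so use_authtok
-session    optional      pam_systemd.so
session     optional      pam_sss.so
session     include       postlogin
EOF
}

# pam_modules FILE: print "type module" for each active module line.
pam_modules() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        {
            type = $1; sub(/^-/, "", type)       # "-type": missing module is not logged
            if (type !~ /^(auth|account|password|session)$/) next
            if ($2 == "include" || $2 == "substack") next   # $3 is a stack name
            i = 2                                # control may be "[a=b c=d]" (several fields)
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            n = split($(i + 1), path, "/")       # accept absolute module paths
            print type, path[n]
        }' "$1"
}

# pam_has FILE TYPE MODULE: exit 0 if MODULE is active for TYPE in FILE.
pam_has() {
    pam_modules "$1" | grep -qxF "$2 $3"
}

# krb5_report FILE: one "type module yes|no" line per type for pam_krb5.so and pam_sss.so.
krb5_report() {
    for t in auth account password session; do
        for m in pam_krb5.so pam_sss.so; do
            if pam_has "$1" "$t" "$m"; then s=yes; else s=no; fi
            printf '%s %s %s\n' "$t" "$m" "$s"
        done
    done
}

tmp=$(mktemp); sample_stack > "$tmp"; krb5_report "$tmp"; rm -f "$tmp"
```

On a real host, run `krb5_report /etc/pam.d/system-auth` before and after the authconfig call and compare the two outputs.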

Comment 4 Pavel Březina 2017-09-27 13:42:01 UTC
We do not plan to release 7.5 errata for capacity reasons. Proposing to 7.6.

Comment 5 Pavel Březina 2017-09-27 13:42:52 UTC
Thomas, can you provide required information please?

Comment 6 Pavel Březina 2018-02-21 11:32:26 UTC
I'm closing this bug due to lack of data. Feel free to reopen it.

Comment 7 Thomas Schweikle 2019-12-23 16:56:27 UTC
Problem: you shall never configure ldapauth together with sssd. Take one or the other. Never both. They'll both try to get a tgt from kerberos, invalidating the ticket the other got ...