Bug 1656426

Summary: Unable to bind to LDAP when minssf is set in server
Product: Red Hat Enterprise Linux 8
Reporter: Amith <apeetham>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED NOTABUG
QA Contact: sssd-qe <sssd-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.0
CC: grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sbose, tscherf
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-12-05 18:28:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  SSSD Domain log. (flags: none)

Description Amith 2018-12-05 13:50:28 UTC
Created attachment 1511679 [details]
SSSD Domain log.

Description of problem:
Krb-provider test failed due to bug 803842. This bug was automated long back. I am re-opening this for rhel8. SSSD fails to bind to the LDAP server when minssf is set.

Log file shows: Search result: Server is unwilling to perform(53), Minimum SSF not met

Refer https://bugzilla.redhat.com/show_bug.cgi?id=803842 for more details.

Version-Release number of selected component (if applicable):
sssd-2.0.0-23.el8.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Setup a test environment with 389-ds ldap server and krb server.

2. Configure sssd.conf in client as given below:

[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam
domains = LDAP-KRB5

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP-KRB5]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = ipaqavmd.idmqe.lab.eng.bos.redhat.com
krb5_realm = EXAMPLE.COM
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com

3. Update minssf value in ldap server.

# ldapmodify -xv -h ipaqavmd.idmqe.lab.eng.bos.redhat.com -D "cn=Manager,dc=example,dc=com" -w Secret123 -f minssf.ldif
ldap_initialize( ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com )
replace nsslapd-minssf:
	56
modifying entry "cn=config"
modify complete

4. Ensure /etc/krb5.keytab file in client is updated with valid data.

# klist -k /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
   3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
   3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
   3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
   3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
   3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
   4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
   4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
   4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
   4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
   4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
   4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com

5. Clear the cache and restart SSSD service.

6. Run user lookup.
# id puser1
id: ‘puser1’: no such user

Actual results:
User lookup fails. 

Expected results:
User lookup should work.

Additional info:
Domain log file attached.

Comment 1 Sumit Bose 2018-12-05 14:01:48 UTC
Does

    kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
    ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b 'dc=example,dc=com' objectclass=posixAccount

return user objects?

Comment 2 Amith 2018-12-05 14:28:50 UTC
(In reply to Sumit Bose from comment #1)
> Does
> 
>     kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
>     ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b
> 'dc=example,dc=com' objectclass=posixAccount
> 
> return user objects?

Initially, kinit returned a "Clock skew too great" error.

# kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com 
kinit: Clock skew too great in KDC reply while getting initial credentials

# ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b 'dc=example,dc=com' objectclass=posixAccount
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0))


I think the issue is clock skew. I fixed it on both server and client; now everything works fine.
----------------------------------------------------------

# kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com

# ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b 'dc=example,dc=com' objectclass=posixAccount
SASL/GSSAPI authentication started
SASL username: host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: objectclass=posixAccount
# requesting: ALL
#

# host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com, People, example.com
dn: uid=host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com,ou=People,dc=exam
 ple,dc=com
uidNumber: 9003
gidNumber: 9003
objectClass: top
objectClass: posixAccount
cn: host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
uid: host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
homeDirectory: /export/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
loginShell: /bin/bash
.
.
.


# 
# id puser1
uid=1001(puser1) gid=1001(Group1) groups=1001(Group1)

I will fix the test code and verify it again. If everything works fine then I will close this bug.
Thanks Sumit.
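The bind in comment #2 only succeeds once a ticket is in the cache and the negotiated SASL SSF (256 above) is at least the server's nsslapd-minssf (56 from step 3 of the description). The POSIX shell helper below is an added example, not code from this bug report or from SSSD: it pulls the negotiated SSF out of an "ldapsearch -Y GSSAPI" transcript, checks it against a minssf value, and sorts a failed bind into the three causes that appear on this page (server refusing for minimum SSF, no Kerberos credentials in the cache, clock skew at kinit). The sample transcripts are constructed from the messages quoted in the bug, the hostnames in them are placeholders, and the live_check function, which runs the real kinit and ldapsearch, is only invoked when RUN_LIVE=1 is set.

```shell
#!/bin/sh
# Added example, not code from the bug report or from SSSD. Parses a GSSAPI
# ldapsearch transcript and checks the negotiated SASL SSF against the
# server's nsslapd-minssf. Hostnames are placeholders.

# Constructed transcripts, modelled on the messages quoted in the bug.
SAMPLE_OK='SASL/GSSAPI authentication started
SASL username: host/client.example.test
SASL SSF: 256
SASL data security layer installed.'

SAMPLE_NOCRED='SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0))'

SAMPLE_MINSSF='ldap_bind: Server is unwilling to perform (53)
    additional info: Minimum SSF not met'

SAMPLE_SKEW='kinit: Clock skew too great in KDC reply while getting initial credentials'

# Print the negotiated SSF found in a transcript, or 0 when no security layer
# was installed (a bind without one is refused once minssf > 0).
sasl_ssf_of() {
    ssf=$(printf '%s\n' "$1" | sed -n 's/^SASL SSF: \([0-9][0-9]*\)$/\1/p' | head -n 1)
    printf '%s\n' "${ssf:-0}"
}

# Exit 0 when the negotiated SSF is at least the server's minssf ($2).
ssf_meets_minssf() {
    [ "$(sasl_ssf_of "$1")" -ge "$2" ]
}

# Classify a failed bind by the diagnostic the tools print.
bind_failure_cause() {
    case "$1" in
        *"Minimum SSF not met"*)               echo minssf ;;
        *"No Kerberos credentials available"*) echo no-ticket ;;
        *"Clock skew too great"*)              echo clock-skew ;;
        *)                                     echo unknown ;;
    esac
}

# Live check: kinit from the keytab, bind over GSSAPI, compare the SSF.
# Needs a keytab and network access, so it only runs with RUN_LIVE=1.
live_check() {
    principal=$1 uri=$2 base=$3 minssf=$4
    if ! out=$(kinit -k "$principal" 2>&1); then
        echo "kinit failed: $(bind_failure_cause "$out")"
        return 1
    fi
    out=$(ldapsearch -H "$uri" -Y GSSAPI -b "$base" -s base '(objectclass=*)' 2>&1)
    if ssf_meets_minssf "$out" "$minssf"; then
        echo "bind ok: SSF $(sasl_ssf_of "$out") >= minssf $minssf"
    else
        echo "bind failed: $(bind_failure_cause "$out") (SSF $(sasl_ssf_of "$out"))"
        return 1
    fi
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    # Placeholder server, base DN and minssf; substitute your own.
    live_check "host/$(hostname -f)" "ldap://ldap.example.test" "dc=example,dc=test" 56
fi
```

Run it with RUN_LIVE=1 on a client that has its host keytab in place to get a one-line verdict; without that variable it only defines the helpers, so the parsing functions can be exercised against saved transcripts (for example the SASL lines from a failing run of the reproducer above).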

Comment 3 Amith 2018-12-05 18:23:07 UTC
Fixed the test code and got a successful run. The cause of failure was clock skew. See beaker job: https://beaker.engineering.redhat.com/jobs/3207422