Bug 1656426
| Field | Value |
|---|---|
| Summary | Unable to bind to LDAP when minssf is set in server |
| Product | Red Hat Enterprise Linux 8 |
| Component | sssd |
| Version | 8.0 |
| Status | CLOSED NOTABUG |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Target Milestone | rc |
| Target Release | 8.0 |
| Reporter | Amith <apeetham> |
| Assignee | SSSD Maintainers <sssd-maint> |
| QA Contact | sssd-qe <sssd-qe> |
| CC | grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sbose, tscherf |
| Last Closed | 2018-12-05 18:28:41 UTC |
| Type | Bug |

Description
Amith
2018-12-05 13:50:28 UTC
Does

```
kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b 'dc=example,dc=com' objectclass=posixAccount
```

return user objects?

(In reply to Sumit Bose from comment #1)
> Does
>
> kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
> ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b
> 'dc=example,dc=com' objectclass=posixAccount
>
> return user objects?

Initially kinit returned "Clock skew too great" error.

```
# kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
kinit: Clock skew too great in KDC reply while getting initial credentials
# ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b 'dc=example,dc=com' objectclass=posixAccount
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0))
```

I think the issue is clock skew. I fixed it in both server and client. Now everything works fine.

----------------------------------------------------------

```
# kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
# ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b 'dc=example,dc=com' objectclass=posixAccount
SASL/GSSAPI authentication started
SASL username: host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: objectclass=posixAccount
# requesting: ALL
#

# host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com, People, example.com
dn: uid=host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com,ou=People,dc=exam
 ple,dc=com
uidNumber: 9003
gidNumber: 9003
objectClass: top
objectClass: posixAccount
cn: host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
uid: host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
homeDirectory: /export/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
loginShell: /bin/bash
.
.
.
#
# id puser1
uid=1001(puser1) gid=1001(Group1) groups=1001(Group1)
```

I will fix the test code and verify it again. If everything works fine then I will close this bug. Thanks Sumit.

Fixed the test code and got a successful run. The cause of failure was clock skew. See beaker job: https://beaker.engineering.redhat.com/jobs/3207422
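
Added example, not part of the bug report or of SSSD: a shell function that classifies a captured kinit/ldapsearch transcript the way this report was resolved. It reports clock skew as the root cause ahead of the follow-on missing-credentials error, and otherwise compares the negotiated SASL SSF with a required minimum. The function name, the verdict strings and the minimum of 56 are assumptions; the matched messages are the ones quoted in the report.

```shell
#!/bin/sh
# Added example. Function name, verdict strings and the MIN_SSF argument are
# assumptions for illustration; the matched strings are the ones in the report.

# Usage: diagnose_gssapi_bind MIN_SSF < transcript
diagnose_gssapi_bind() {
    min_ssf=$1
    transcript=$(cat)

    # Root cause first: a failed kinit leaves no ticket, so the later
    # "No Kerberos credentials available" line is only a symptom of it.
    case $transcript in
        *'Clock skew too great'*) echo 'clock-skew'; return 1 ;;
        *'No Kerberos credentials available'*) echo 'no-credentials'; return 1 ;;
    esac

    # Bind completed: read the negotiated SSF and compare it with the minimum.
    ssf=$(printf '%s\n' "$transcript" |
          sed -n 's/^SASL SSF: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$ssf" ]; then
        echo 'no-ssf-reported'; return 1
    fi
    if [ "$ssf" -lt "$min_ssf" ]; then
        echo "ssf-below-minimum:$ssf"; return 1
    fi
    echo "ok:$ssf"
}

# Constructed sample transcripts, shortened from the output quoted in the report.
FAILED_RUN='kinit: Clock skew too great in KDC reply while getting initial credentials
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0))'

GOOD_RUN='SASL/GSSAPI authentication started
SASL username: host/client.example.com
SASL SSF: 256
SASL data security layer installed.'

# 56 is an assumed minimum; the report does not state the server value.
printf '%s\n' "$FAILED_RUN" | diagnose_gssapi_bind 56 || :   # clock-skew
printf '%s\n' "$GOOD_RUN"   | diagnose_gssapi_bind 56 || :   # ok:256
```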