Bug 1670457

Summary: Inconsistent retrieval of kerberos TGT
Product: Red Hat Enterprise Linux 8
Reporter: adam winberg <adam.winberg>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED DUPLICATE
QA Contact: sssd-qe <sssd-qe>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: atikhono, grajaiya, jhrozek, lslebodn, mzidek, pasik, pbrezina, tscherf
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-11-22 12:11:44 UTC
Type: Bug

Description adam winberg 2019-01-29 15:05:20 UTC
Description of problem:
I use gssapi to log in to my RHEL8 box via SSH. The login itself works fine, but most of the time I'm not getting a Kerberos TGT on my RHEL8 box after logon. Sometimes it works, but I haven't been able to pinpoint why.

So, most of the time I don't get a TGT. But if I do a 'sudo -i' to root and then log out (back to my own user), then most of the time I've magically gotten a TGT.

How is this supposed to work? I thought my client-side key would be delegated to the host, and if not I thought SSSD would ensure I get a TGT.

I have the following in my ssh_config:

Host *
# Kerberos 
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Verbose output from ssh logon:
...
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
...



Version-Release number of selected component (if applicable):
sssd-2.0.0-21.el8.x86_64

How reproducible:
7 ssh logons out of 10 result in a missing TGT

Steps to Reproduce:
1. kinit on client
2. ssh to rhel8 box 
3.

Actual results:
Missing TGT on RHEL8 box most of the time

Expected results:
I should always have a TGT

Additional info:

Comment 1 adam winberg 2019-01-29 15:27:17 UTC
There is something with sssd-kcm that's causing this. If I remove /etc/krb5.conf.d/kcm_default_ccache, thereby disabling sssd-kcm as I understand it, everything works as expected.

I will attach a debug log from sssd-kcm, maybe I'm just doing things wrong.

Comment 2 adam winberg 2019-01-29 15:39:27 UTC
Ok, seems to be a known issue?
https://bugzilla.redhat.com/show_bug.cgi?id=1607082

I'll hold off on the debug log since the issue seems to be known, but if you want it I can attach it.

Comment 3 Jakub Hrozek 2019-01-29 19:28:39 UTC
Yes, this will be fixed in the next build. Would you like to test it out?

Comment 4 adam winberg 2019-01-30 06:32:09 UTC
Yes, I would like to test it.

Comment 5 Jakub Hrozek 2019-02-26 14:29:04 UTC
I'm sorry about the delay, I completely forgot about this bug.

Here are the builds:
https://jhrozek.fedorapeople.org/sssd-test-builds/sssd-8.0-test/

Comment 6 Alexey Tikhonov 2019-11-22 10:55:07 UTC
Hi Adam,

IIUC, this should be fixed in sssd-2.2.0-19.el8

Could you please confirm, or does the problem still persist?

Comment 7 adam winberg 2019-11-22 11:08:25 UTC
I believe this was supposed to be fixed in 2.0.0-43 already?

I don't have any RHEL8 boxes with an earlier sssd version than that and I can't reproduce the error anymore, so it seems to be solved.

Comment 8 Alexey Tikhonov 2019-11-22 12:11:44 UTC
(In reply to adam winberg from comment #7)
> I believe this was supposed to be fixed in 2.0.0-43 already?

It was fixed in 2.1 upstream (#3873). And you are right, it was backported to 2.0.0-43.


> I don't have any RHEL8 boxes with an earlier sssd version than that and I can't
> reproduce the error anymore, so it seems to be solved.

Thanks for confirmation.

*** This bug has been marked as a duplicate of bug 1607082 ***