Bug 1741306
| Summary: | sssd-kcm: type confusion on KDC offset | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Robbie Harwood <rharwood> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | --- | CC: | apeetham, grajaiya, jhrozek, lslebodn, mniranja, mzidek, pbrezina, sbose, sgoveas, sssd-maint, tscherf |
| Target Milestone: | rc | | |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | sync-to-jira | | |
| Fixed In Version: | sssd-2.2.3-2.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-28 16:56:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Robbie Harwood
2019-08-14 17:57:28 UTC
Upstream ticket: https://pagure.io/SSSD/sssd/issue/4063

Master:
- c580c76a2affc377850303cc81a1519075d174f2


This bug was fixed as part of the rebase we did in RHEL 8.2.0. It would be good to fully ack it and include in the erratum.


Please add steps to test


(In reply to Steeve Goveas from comment #4)
> Please add steps to test

Hi,

please see the description of https://bugzilla.redhat.com/show_bug.cgi?id=1757299#c0.

- make sure sssd-kcm is installed so that KCM is used as default ccache type
- log in with password to e.g. an IPA client to get a Kerberos ticket and make sure with klist it is stored with KCM
- try to ssh to the same host, it should work with the Kerberos ticket without asking for a password

HTH

bye,
Sumit


# versions:
sssd-client-2.2.3-18.el8.x86_64
sssd-ipa-2.2.3-18.el8.x86_64
sssd-kcm-2.2.3-18.el8.x86_64
sssd-dbus-2.2.3-18.el8.x86_64
sssd-2.2.3-18.el8.x86_64
sssd-nfs-idmap-2.2.3-16.el8.x86_64
python3-sssdconfig-2.2.3-18.el8.noarch
sssd-common-pac-2.2.3-18.el8.x86_64
sssd-ldap-2.2.3-18.el8.x86_64
sssd-tools-2.2.3-18.el8.x86_64
sssd-common-2.2.3-18.el8.x86_64
sssd-ad-2.2.3-18.el8.x86_64
sssd-krb5-common-2.2.3-18.el8.x86_64
sssd-proxy-2.2.3-18.el8.x86_64
sssd-winbind-idmap-2.2.3-18.el8.x86_64
sssd-krb5-2.2.3-18.el8.x86_64

Verification from AD
=====================

1. Join the system to Windows

[root@client1 ~]# realm join -U Administrator -v SARABHAI.TEST
 * Resolving: _ldap._tcp.sarabhai.test
 * Performing LDAP DSE lookup on: 192.168.122.216
 * Successfully discovered: SARABHAI.TEST
Password for Administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain SARABHAI.TEST --domain-realm SARABHAI.TEST --domain-controller 192.168.122.216 --login-type user --login-user Administrator --stdin-password
 * Using domain name: SARABHAI.TEST
 * Calculated computer account name from fqdn: CLIENT1
 * Using domain realm: SARABHAI.TEST
 * Sending netlogon pings to domain controller: cldap://192.168.122.216
 * Received NetLogon info from: vikram.SARABHAI.TEST
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-hpZ9rS/krb5.d/adcli-krb5-conf-MtVCMd
 * Authenticated as user: Administrator
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: SARABHAI
 * Looked up domain SID: S-1-5-21-1672089527-2408710569-2399489135
 * Using fully qualified name: client1.testrealm.test
 * Using domain name: SARABHAI.TEST
 * Using computer account name: CLIENT1
 * Using domain realm: SARABHAI.TEST
 * Calculated computer account name from fqdn: CLIENT1
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for CLIENT1$ at: CN=CLIENT1,CN=Computers,DC=SARABHAI,DC=TEST
 * Sending netlogon pings to domain controller: cldap://192.168.122.216
 * Received NetLogon info from: vikram.SARABHAI.TEST
 * Set computer password
 * Retrieved kvno '6' for computer account in directory: CN=CLIENT1,CN=Computers,DC=SARABHAI,DC=TEST
 * Checking RestrictedKrbHost/client1.testrealm.test
 * Added RestrictedKrbHost/client1.testrealm.test
 * Checking RestrictedKrbHost/CLIENT1
 * Added RestrictedKrbHost/CLIENT1
 * Checking host/client1.testrealm.test
 * Added host/client1.testrealm.test
 * Checking host/CLIENT1
 * Added host/CLIENT1
 * Discovered which keytab salt to use
 * Added the entries to the keytab: CLIENT1$@SARABHAI.TEST: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/CLIENT1: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/client1.testrealm.test: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/CLIENT1: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/client1.testrealm.test: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
Created symlink /etc/systemd/system/multi-user.target.wants/sssd.service → /usr/lib/systemd/system/sssd.service.
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service
 * Successfully enrolled machine in realm

[root@client1 ~]# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 CLIENT1$@SARABHAI.TEST
   6 CLIENT1$@SARABHAI.TEST
   6 host/CLIENT1
   6 host/CLIENT1
   6 host/client1.testrealm.test
   6 host/client1.testrealm.test
   6 RestrictedKrbHost/CLIENT1
   6 RestrictedKrbHost/CLIENT1
   6 RestrictedKrbHost/client1.testrealm.test
   6 RestrictedKrbHost/client1.testrealm.test

[root@client1 ~]# kinit niranjan
Password for niranjan:

[root@client1 ~]# klist
Ticket cache: KCM:0
Default principal: niranjan

Valid starting       Expires              Service principal
03/04/2020 13:09:28  03/04/2020 23:09:28  krbtgt/SARABHAI.TEST
	renew until 03/05/2020 13:09:26

[root@client1 ~]# ssh niranjan.test
FIPS mode initialized
Last login: Wed Mar  4 12:56:32 2020 from 192.168.122.238
[niranjan@client1 ~]$

Verification from IPA
======================

[root@server1 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@server1 ~]#

[root@server1 ~]# kinit lheslin
Password for lheslin:

[root@server1 ~]# klist
Ticket cache: KCM:0
Default principal: lheslin

Valid starting       Expires              Service principal
03/04/2020 13:10:52  03/05/2020 13:10:50  krbtgt/TESTREALM.TEST

[root@server1 ~]# ssh lheslin.test
Last login: Wed Mar  4 12:14:13 2020 from 192.168.122.5
Could not chdir to home directory /home/lheslin: No such file or directory
[lheslin@server1 /]$


Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1863
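The KCM test steps posted above boil down to two checks on the credential cache: `klist` must report a `KCM:` cache, and that cache must hold a still-valid TGT for the realm before `ssh` is tried. The script below is an added example, not code from the bug report or from SSSD, that performs those two checks mechanically from `klist` output, so it can be run live (`klist | check_kcm_tgt REALM "$(date +%Y%m%d%H%M%S)"`) or against a saved transcript. The `SAMPLE_KLIST` text is constructed, modelled on the AD verification transcript, and the function names `ccache_type`, `tgt_expiry` and `check_kcm_tgt` are my own.

```sh
#!/bin/sh
# Added example (not from the bug report or SSSD): verify that a Kerberos
# credential cache is KCM-backed and holds an unexpired TGT, working from
# `klist` output so the same functions serve a live host and a saved log.

# Constructed sample, modelled on the klist output in the AD verification.
SAMPLE_KLIST='Ticket cache: KCM:0
Default principal: niranjan
Valid starting       Expires              Service principal
03/04/2020 13:09:28  03/04/2020 23:09:28  krbtgt/SARABHAI.TEST
        renew until 03/05/2020 13:09:26'

# ccache_type: print the cache type prefix (KCM, FILE, KEYRING, ...) taken
# from the "Ticket cache:" line of klist output read on stdin.
ccache_type() {
    sed -n 's/^Ticket cache: \([A-Za-z]*\):.*/\1/p' | head -n 1
}

# tgt_expiry REALM: print the expiry of the first krbtgt entry for REALM as a
# sortable YYYYMMDDHHMMSS number (klist's MM/DD/YYYY HH:MM:SS reordered), or
# nothing if there is no such entry. Reads klist output on stdin. The realm
# is used as a regex, so "." matches any character; good enough for a check.
tgt_expiry() {
    awk -v realm="$1" 'BEGIN { pat = "krbtgt/" realm } $0 ~ pat { print $3, $4; exit }' \
    | sed 's#^\([0-9][0-9]\)/\([0-9][0-9]\)/\([0-9]\{4\}\) \([0-9][0-9]\):\([0-9][0-9]\):\([0-9][0-9]\)$#\3\1\2\4\5\6#'
}

# check_kcm_tgt REALM NOW: read klist output on stdin and succeed only when
# the cache is KCM-backed and holds a TGT for REALM expiring after NOW
# (NOW in YYYYMMDDHHMMSS form, e.g. from `date +%Y%m%d%H%M%S`).
check_kcm_tgt() {
    input=$(cat)
    ctype=$(printf '%s\n' "$input" | ccache_type)
    if [ "$ctype" != "KCM" ]; then
        echo "FAIL: credential cache type is '${ctype:-unknown}', not KCM" >&2
        return 1
    fi
    expiry=$(printf '%s\n' "$input" | tgt_expiry "$1")
    if [ -z "$expiry" ]; then
        echo "FAIL: no krbtgt/$1 entry in the cache" >&2
        return 1
    fi
    if [ "$expiry" -le "$2" ]; then
        echo "FAIL: TGT for $1 expired at $expiry" >&2
        return 1
    fi
    echo "OK: KCM cache holds a TGT for $1 valid until $expiry"
}

# Stand-alone usage: `sh check_kcm.sh --demo` runs the check on the
# constructed sample at a point in time when the sample TGT is still valid.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_KLIST" | check_kcm_tgt SARABHAI.TEST 20200304130000
fi
```

The expiry is compared as a plain integer after reordering the date fields, which avoids the non-portable `date -d` parsing; a FILE or KEYRING cache fails the first check outright, which is the case the test steps are meant to catch (KCM not being the default ccache type).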