Bug 1757299

Summary: 2.2.2 regression: SSH GSS authentication fails with "Ticket expired"
Product: Fedora
Reporter: Martin Pitt <mpitt>
Component: sssd
Assignee: Michal Zidek <mzidek>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 31
CC: abokovoy, gwync, jhrozek, lslebodn, mzidek, pbrezina, rharwood, sbose, ssorce
Target Milestone: ---
Target Release: ---
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Last Closed: 2019-10-01 13:38:00 UTC
Type: Bug

Description Martin Pitt 2019-10-01 06:50:07 UTC
Description of problem: A recent upgrade in Fedora 31 (noticed in [1]) broke IPA/Kerberos authentication of ssh.

It complains about "Ticket expired" even though it's clearly not.

[1] https://github.com/cockpit-project/bots/pull/57


Version-Release number of selected component (if applicable):

sssd-krb5-2.2.2-1.fc31.x86_64
freeipa-client-4.8.1-1.fc31.x86_64
openssh-8.0p1-8.fc31.1.x86_64
krb5-libs-1.17-45.fc31.x86_64

How reproducible: Always


Steps to Reproduce:
1. Join machine to a FreeIPA server
2. Log in as FreeIPA user. This should get you a ticket:

$ klist
Ticket cache: KCM:420800000
Default principal: admin@COCKPIT.LAN

Valid starting       Expires              Service principal
01.10.2019 02:38:20  02.10.2019 02:38:20  krbtgt/COCKPIT.LAN@COCKPIT.LAN

3. Try to ssh into some machine of the domain. In my case, I'm just using the same machine with its public FreeIPA DNS name:

$ ssh -vv x0.cockpit.lan

Actual results:

ssh login through GSSAPI fails:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Ticket expired


debug1: Unspecified GSS failure.  Minor code may provide more information
Ticket expired


debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey

Note that the ticket is not expired, see klist output (it's valid until tomorrow).



Expected results: ssh login succeeds through kerberos:

debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to x0.cockpit.lan (via proxy).
debug1: channel 0: new [client-session]


Additional info:

Comment 1 Simo Sorce 2019-10-01 13:36:58 UTC
Why did you file this against sssd?
Sounds like krb5 or ssh related.

Comment 2 Simo Sorce 2019-10-01 13:38:00 UTC
Sounds like a duplicate of a ticket filed earlier, dupclosing

*** This bug has been marked as a duplicate of bug 1757224 ***

Comment 3 Sumit Bose 2019-10-01 16:51:38 UTC
(In reply to Simo Sorce from comment #1)
> Why did you file this against sssd?
> Sounds like krb5 or ssh related.

Or maybe KCM? It might be good to check if there is the same issue with KEYRING.

bye,
Sumit
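The script below is an added triage helper for this report; it is not part of the bug, nor of sssd, krb5 or openssh. It follows the reproduction steps in the description (check klist, then attempt a GSSAPI-only ssh login) and adds the comparison Sumit suggests in comment 3: the same login is probed with a KCM:, a KEYRING: and a FILE: credential cache, each filled by a fresh kinit, so a failure that only appears with one cache type points at that cache backend rather than at krb5 or ssh. Assumptions: a FreeIPA-enrolled client with MIT krb5 tools, GNU date (for `date -d`) and openssh; the target host is passed as the first argument. The klist and ssh -vv excerpts embedded as sample data are copied from the report so the parsing helpers can be exercised without a KDC.

```shell
#!/bin/bash
# Added triage script for the "Ticket expired" symptom; not part of the bug report or of
# sssd/krb5/openssh. Assumptions: FreeIPA-enrolled client, MIT krb5 tools (kinit, klist,
# kdestroy), GNU coreutils date -d, openssh; target host name given as $1.
# KCM:, KEYRING: and FILE: are the standard MIT credential cache types.
set -eu

# Sample data: klist and ssh -vv excerpts copied from the bug report, embedded here so the
# parsing helpers can be tested offline.
SAMPLE_KLIST='Ticket cache: KCM:420800000
Default principal: admin@COCKPIT.LAN

Valid starting       Expires              Service principal
01.10.2019 02:38:20  02.10.2019 02:38:20  krbtgt/COCKPIT.LAN@COCKPIT.LAN'

SAMPLE_SSH_FAIL='debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Ticket expired
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey'

SAMPLE_SSH_OK='debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentication succeeded (gssapi-with-mic).'

# Classify the GSSAPI outcome in ssh -vv stderr: ok | expired | gssfail | notried
classify_gss() {
  if printf '%s\n' "$1" | grep -q 'Authentication succeeded (gssapi-with-mic)'; then
    echo ok
  elif printf '%s\n' "$1" | grep -q 'Ticket expired'; then
    echo expired
  elif printf '%s\n' "$1" | grep -q 'Unspecified GSS failure'; then
    echo gssfail
  else
    echo notried
  fi
}

# Print the TGT "Expires" time from klist output as epoch seconds. klist prints dates in
# the locale format; the DD.MM.YYYY form seen in the report is rewritten to ISO for date(1).
tgt_expiry_epoch() {
  line=$(printf '%s\n' "$1" | grep 'krbtgt/' | head -n 1)
  [ -n "$line" ] || return 1
  expires=$(printf '%s\n' "$line" | awk '{print $3 " " $4}' \
            | sed -E 's#^([0-9]{2})\.([0-9]{2})\.([0-9]{4})#\3-\2-\1#')
  date -d "$expires" +%s
}

# Succeed if the TGT in klist output $1 expires after epoch time $2.
tgt_valid_at() {
  exp=$(tgt_expiry_epoch "$1") || return 1
  [ "$exp" -gt "$2" ]
}

# Put a fresh TGT into the given cache and attempt a GSSAPI-only login (step 3 of the
# report). BatchMode keeps ssh from falling back to a password prompt.
probe_cache() {  # $1=host  $2=KRB5CCNAME value
  KRB5CCNAME=$2 kinit                 # prompts for the user's password
  log=$(KRB5CCNAME=$2 ssh -vv -o BatchMode=yes -o GSSAPIAuthentication=yes \
          -o PreferredAuthentications=gssapi-with-mic "$1" true 2>&1 || true)
  printf '%-32s %s\n' "$2" "$(classify_gss "$log")"
}

main() {
  now=$(date +%s)
  if tgt_valid_at "$(klist)" "$now"; then
    echo "klist: TGT still valid"
  else
    echo "klist: TGT expired or absent"
  fi
  for cc in "KCM:" "KEYRING:persistent:$(id -u)" "FILE:/tmp/krb5cc_probe_$$"; do
    probe_cache "$1" "$cc"
  done
  kdestroy -c "FILE:/tmp/krb5cc_probe_$$" 2>/dev/null || true
}

# Live probes only run when a host name is supplied; otherwise only the helpers are defined.
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as `./probe.sh x0.cockpit.lan` on the enrolled client. A result of `expired` for KCM: but `ok` for KEYRING: or FILE: with a TGT that klist shows as valid isolates the problem to the KCM backend (the sssd-kcm side), which is the distinction Sumit asks for; `expired` for all three cache types points at krb5-libs or openssh instead. Note that kinit into KCM: replaces the TGT already in the user's default cache.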