Bug 1762881

Summary: sssd-kcm breaks Kerberos authentication with remote services
Product: [Fedora] Fedora
Reporter: James <james>
Component: sssd
Assignee: Michal Zidek <mzidek>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 31
CC: abokovoy, jhrozek, lslebodn, mzidek, pbrezina, rharwood, sbose, ssorce
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2019-10-17 20:17:22 UTC

Description James 2019-10-17 18:02:55 UTC
Description of problem:
With sssd-kcm installed, I can log in and according to klist the TGT is there. However I can't use it to connect to services including ssh on other machines and the FreeIPA web interface. These things work if I remove sssd-kcm and go back to the kernel keyring.

Version-Release number of selected component (if applicable):
sssd-2.2.2-1.fc31.x86_64
freeipa-client-4.8.1-3.fc31.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Configure F31 workstation using ipa-client-install (standard config, worked OK in Fedora 30).
2. Reboot, log in using realm credentials and get TGT.
3. Attempt to connect to Kerberised remote service.

Actual results:
Kerberos credentials not used. Password prompt appears.

Expected results:
Access granted through single sign-on.

Additional info:
Will provide logs upon request. Nothing incriminating seen in journalctl -u sssd-kcm.

Comment 1 Sumit Bose 2019-10-17 18:20:30 UTC
Hi,

this sounds a bit like https://bugzilla.redhat.com/show_bug.cgi?id=1757224. Can you give the test build from comment #55 at https://koji.fedoraproject.org/koji/taskinfo?taskID=38214051 a try? To download the packages in a single run you can use:

    curl https://koji.fedoraproject.org/koji/taskinfo?taskID=38214051 | grep -o '"https://.*\.rpm"' | xargs -n 1 curl -O

HTH

bye,
Sumit
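
The download one-liner above, reworked as an added example that is not part of this bug report or of sssd/Koji: it extracts the .rpm links from a task page the same way, but accepts only https links on the expected Koji host, so an unrelated link on the page cannot redirect the download, and it fails loudly when nothing is accepted. The `KOJI_HOST` value is an assumption and the HTML page is constructed sample input, not a real Koji page.

```shell
#!/bin/sh
# Added example, not from the bug report or from sssd/Koji. Pull .rpm links
# out of a Koji task page (as the one-liner in comment 1 does) but keep only
# links served over https from the expected host. KOJI_HOST is an assumption;
# sample_koji_page is constructed input.

# Assumption: host that serves Koji task output files.
KOJI_HOST="kojipkgs.fedoraproject.org"

# Read HTML on stdin; print each accepted .rpm URL once, one per line.
# [^"]* instead of the original .* stops one match from swallowing several
# links that share a line; the case pattern matches the host literally.
extract_rpm_urls() {
    grep -o '"https://[^"]*\.rpm"' | tr -d '"' |
    while IFS= read -r url; do
        case "$url" in
            "https://${KOJI_HOST}/"*) printf '%s\n' "$url" ;;
            *) printf 'skipping off-host link: %s\n' "$url" >&2 ;;
        esac
    done | sort -u
}

# Constructed sample page: two RPMs on the Koji host, a build log on the same
# line as one of them, and an .rpm link on another host that must be rejected.
sample_koji_page() {
    cat <<'EOF'
<html><body><h4>Output</h4>
<a href="https://kojipkgs.fedoraproject.org/work/tasks/4051/38214051/sssd-kcm-X.Y.Z-N.fc31.x86_64.rpm">sssd-kcm</a>
<a href="https://kojipkgs.fedoraproject.org/work/tasks/4051/38214051/sssd-common-X.Y.Z-N.fc31.x86_64.rpm">sssd-common</a> <a href="https://kojipkgs.fedoraproject.org/work/tasks/4051/38214051/build.log">build.log</a>
<a href="https://example.invalid/mirror/sssd-kcm-X.Y.Z-N.fc31.x86_64.rpm">mirror</a>
</body></html>
EOF
}

# Fetch a task page and download the accepted RPMs into the current directory.
# Returns non-zero if the page cannot be fetched or no link is accepted.
# $1: Koji task page URL
download_task_rpms() {
    page=$(curl -fsSL "$1") || return 1
    urls=$(printf '%s\n' "$page" | extract_rpm_urls)
    [ -n "$urls" ] || { echo "no .rpm links from ${KOJI_HOST} found" >&2; return 1; }
    printf '%s\n' "$urls" | xargs -n 1 curl -fsSLO
}
```

Test builds pulled straight from a Koji task are typically not signed by the distribution key, so `rpm -K` cannot vouch for them; pinning the host the links are fetched from is the one provenance check available here, and `-f` on curl turns an HTTP error into a failure instead of a saved error page.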

Comment 2 Simo Sorce 2019-10-17 18:26:02 UTC
James,
what client are you using?

Also see Sumit's reply if you are using standard built Fedora clients like curl, or openssh.

Comment 3 James 2019-10-17 18:30:48 UTC
Using sssd-kcm from 38214051 broke Kerberos login altogether. Login functionality restored with that build by removing sssd-kcm and restarting sssd.

The clients concerned are

openssh-8.1p1-1.fc31.x86_64
firefox-69.0.3-1.fc31.x86_64

connecting to a FreeIPA service and sshds running on Fedora 30 boxes.

Comment 4 Lukas Slebodnik 2019-10-17 19:09:39 UTC
(In reply to James Ettle from comment #3)
> Using sssd-kcm from 38214051 broke Kerberos login altogether. Login
> functionality restored with that build by removing sssd-kcm and restarting
> sssd.
> 
> The clients concerned are
> 
> openssh-8.1p1-1.fc31.x86_64
> firefox-69.0.3-1.fc31.x86_64
> 
> connecting to a FreeIPA service and sshds running on Fedora 30 boxes.

It works for me with

    sh$ rpm -q openssh-clients sssd-kcm
    openssh-clients-8.0p1-8.fc31.1.x86_64
    sssd-kcm-2.2.2-1.fc32.x86_64

We need more information or a detailed reproducer.

    sh$ export KRB5_TRACE=/tmp/openssh_krb5_trace
    sh$ ssh -vvv user

And manually run kinit to avoid issues with BZ1757224.
And please provide output of ssh and content of /tmp/openssh_krb5_trace
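
The diagnostics requested above, gathered into a few helpers as an added example that is not part of this bug report or of sssd: they report which credential cache type the client is actually using (KCM, KEYRING, FILE), what the krb5.conf drop-ins configure as the default, whether the sssd-kcm socket is live, and run the client under KRB5_TRACE so libkrb5 records why a ticket was or was not used. The klist and krb5.conf samples are constructed, and `diagnose` is a hypothetical wrapper for use on a real host.

```shell
#!/bin/sh
# Added example, not from the bug report or from sssd. Helpers for the
# diagnostics asked for in comment 4. sample_klist_* are constructed klist
# outputs; diagnose is a hypothetical wrapper to run on a real client.

# klist's first line is "Ticket cache: TYPE:residual"; print TYPE.
# Reads klist output on stdin.
ccache_type() {
    sed -n 's/^Ticket cache: *\([A-Za-z]*\):.*/\1/p' | head -n 1
}

# Print the last default_ccache_name set in any file under the given
# directory (/etc/krb5.conf.d on a host; sssd-kcm ships a drop-in there that
# points it at KCM:). Empty output means libkrb5's built-in default applies.
# $1: directory of krb5.conf fragments
configured_ccache_name() {
    cat "$1"/* 2>/dev/null |
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' |
    tail -n 1
}

# Run a client with libkrb5 tracing. $1: trace file; rest: the client command.
# Returns the client's exit status and reports where the trace went.
trace_client() {
    trace="$1"; shift
    rm -f "$trace"
    KRB5_TRACE="$trace" "$@" && status=0 || status=$?
    if [ -f "$trace" ]; then
        printf 'krb5 trace: %s (%s lines)\n' "$trace" "$(grep -c '' "$trace")"
    else
        printf 'krb5 trace: %s not written (no libkrb5 activity)\n' "$trace"
    fi
    return "$status"
}

# Constructed klist outputs for the two setups the report compares.
sample_klist_kcm() {
    printf '%s\n' 'Ticket cache: KCM:1000' 'Default principal: user@EXAMPLE.TEST' ''
    printf '%s\n' 'Valid starting       Expires              Service principal'
    printf '%s\n' '10/17/2019 18:00:00  10/18/2019 18:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST'
}
sample_klist_keyring() {
    printf '%s\n' 'Ticket cache: KEYRING:persistent:1000:1000' 'Default principal: user@EXAMPLE.TEST'
}

# Hypothetical wrapper for a real host: diagnose user@host
# BatchMode=yes makes ssh fail instead of prompting, so a password prompt in
# the report becomes a non-zero exit plus a trace explaining why GSSAPI failed.
diagnose() {
    echo "klist says cache type: $(klist 2>/dev/null | ccache_type)"
    echo "krb5.conf.d default:   $(configured_ccache_name /etc/krb5.conf.d)"
    echo "sssd-kcm.socket:       $(systemctl is-active sssd-kcm.socket 2>/dev/null)"
    trace_client /tmp/openssh_krb5_trace ssh -vvv -o BatchMode=yes "$1" true
}
```

A mismatch between the first two lines of `diagnose` output (for example klist showing a KEYRING cache while the drop-in says `KCM:`) is exactly the state in which kinit stores a ticket one place and the client looks for it in another; the KRB5_TRACE file then shows which cache the client opened.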

Comment 5 Lukas Slebodnik 2019-10-17 19:12:34 UTC
I upgraded into openssh-clients-8.1p1-1 and it still works for me.

Comment 6 James 2019-10-17 19:22:06 UTC
OK, apologies -- looks like I was too hasty. This time I reinstalled the packages from 38214051 and completely rebooted rather than just restarting sssd. This time login works, and now Kerberised services are working.

Thanks for the help -- I think this can probably be closed as a dup of 1757224

Comment 7 Simo Sorce 2019-10-17 20:17:22 UTC

*** This bug has been marked as a duplicate of bug 1757224 ***