Bug 1871288
Summary: | krb5_child denies ssh users when pki device detected [rhel-7.9.z] | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Karl Grindley <g63it> |
Component: | sssd | Assignee: | Sumit Bose <sbose> |
Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.8 | CC: | atikhono, grajaiya, jhrozek, jreznik, lslebodn, mzidek, pbrezina, sbose, sgoveas, spoore, thalman, tscherf |
Target Milestone: | rc | Keywords: | ZStream |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | sync-to-jira qetodo | | |
Fixed In Version: | sssd-1.16.5-10.el7_9.6 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-12-15 11:22:17 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Karl Grindley
2020-08-21 23:45:18 UTC
Hi,

please check https://github.com/SSSD/sssd/issues/5290 for a discussion of the issue.

bye,
Sumit

Upstream PR: https://github.com/SSSD/sssd/pull/5294

Pushed PR: https://github.com/SSSD/sssd/pull/5294

* `master`
  * bca413267f58395e22415edc662a7ba89fbe7b30 - krb5: only try pkinit with Smartcard credentials
* `sssd-1-16`
  * 277cd1fa71222f3bdf4d8b39d0bce7d07d0df07b - krb5: only try pkinit with Smartcard credentials

Hi Karl,

Having a customer case backing up this request might increase the chances of fulfillment (i.e. actual inclusion of the patch into RHEL7).

Case 02745114 opened as a premium/severity 2 (high) since it's impacting user experience/workflow/denial of service.

https://access.redhat.com/support/cases/#/case/02745114

We're working around it using our custom packages which include other fixes as well, but we can't be the only ones with this problem.

(In reply to Karl Grindley from comment #8)
> Case 02745114 opened

Thank you. Do you have `pkinit_identities` set in `/etc/krb5.conf`? If "yes", could you please check if removing this setting helps to work around the issue?

Verified.

Version :: sssd-1.16.5-10.el7_9.6

Results ::

First reproducing the issue:

```
[root@rhel7-4 ~]# rpm -q sssd
sssd-1.16.5-10.el7.x86_64
[root@rhel7-4 ~]# grep pkinit_identities /etc/krb5.conf
pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so
[root@rhel7-4 ~]# grep ldap_opt_timeout /etc/sssd/sssd.conf
ldap_opt_timeout = 60
[root@rhel7-4 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-4 ~]# su - ipauser1 -c 'su - ipauser1 -c whoami'
PIN for sctest (MyEID)
ipauser1
[root@rhel7-4 ~]# ssh ipauser2@localhost
Password:
Password:
Password:
```

^^^ failing to login with pkinit_identities set ^^^

Now with updated sssd:

```
[root@rhel7-4 ~]# yum update sssd -y
...
[root@rhel7-4 ~]# rpm -q sssd
sssd-1.16.5-10.el7_9.6.x86_64
[root@rhel7-4 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-4 ~]# su - ipauser1 -c 'su - ipauser1 -c whoami'
PIN for sctest (MyEID)
ipauser1
[root@rhel7-4 ~]# ssh ipauser2@localhost
Password:
Last failed login: Mon Nov 30 12:12:36 CST 2020 from localhost on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Mon Nov 30 08:24:07 2020 from localhost
-sh-4.2$ whoami
ipauser2
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5459

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
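The two conditions that this report ties together are a `pkinit_identities` setting in `/etc/krb5.conf` and an sssd build older than the fixed version from the header (1.16.5-10.el7_9.6). The following is an added triage helper, not code from the bug or from the SSSD project: it parses a krb5.conf-style text for `pkinit_identities` (top-level sections and one level of `NAME = { ... }` blocks, as used under `[realms]`), compares an installed sssd version against the fixed one, and reports whether password logins on the host are exposed to this bug. The sample configuration is constructed for the example and mirrors the `grep` line in the verification comment; the version comparison is a simplified approximation of rpmvercmp, adequate for same-stream comparisons such as 1.16.5-10.el7 versus 1.16.5-10.el7_9.6.

```python
import re

# Constructed sample krb5.conf (not taken from the bug report's host).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    # same value as the `grep pkinit_identities` output in the verification comment
    pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so

[realms]
    EXAMPLE.TEST = {
        kdc = ipa.example.test
        pkinit_anchors = FILE:/etc/ipa/ca.crt
    }
"""

# "Fixed In Version" from the bug header, without the package name prefix.
FIXED_VERSION = "1.16.5-10.el7_9.6"


def find_pkinit_identities(conf_text):
    """Return [(section_path, value)] for every pkinit_identities setting.

    section_path is "libdefaults" for a top-level setting or
    "realms/EXAMPLE.TEST" for one inside a realm block.
    """
    found = []
    section, block = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                       # new top-level section, leaves any block
            section, block = m.group(1), None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:                       # start of a NAME = { ... } block
            block = m.group(1)
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^pkinit_identities\s*=\s*(.+)$", line)
        if m:
            path = section if block is None else f"{section}/{block}"
            found.append((path, m.group(1).strip()))
    return found


def _version_tokens(version):
    # Split "1.16.5-10.el7_9.6" into [1, 16, 5, 10, 'el', 7, 9, 6].
    return [int(t) if t.isdigit() else t
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def has_fix(installed_version, fixed_version=FIXED_VERSION):
    """True if installed_version is at or beyond fixed_version.

    Simplified rpm-style comparison: segment by segment, numeric segments
    compare as integers, a numeric segment beats an alphabetic one, and a
    longer version wins when all shared segments are equal.
    """
    a, b = _version_tokens(installed_version), _version_tokens(fixed_version)
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return x > y
        if isinstance(x, int) != isinstance(y, int):
            return isinstance(x, int)
        return x > y
    return len(a) >= len(b)


def assess(conf_text, installed_version):
    """Summarise exposure: pkinit_identities present AND sssd not yet fixed."""
    identities = find_pkinit_identities(conf_text)
    fixed = has_fix(installed_version)
    at_risk = bool(identities) and not fixed
    if at_risk:
        advice = ("password ssh logins may be denied while a PKCS#11 device is "
                  "present; update sssd to >= " + FIXED_VERSION +
                  " or temporarily remove pkinit_identities")
    elif identities:
        advice = "pkinit_identities set, but sssd carries the fix"
    else:
        advice = "pkinit_identities not set; this bug does not apply"
    return {"pkinit_identities": identities,
            "sssd_fixed": fixed,
            "password_logins_at_risk": at_risk,
            "advice": advice}


if __name__ == "__main__":
    for version in ("1.16.5-10.el7", "1.16.5-10.el7_9.6"):
        print(version, "->", assess(SAMPLE_KRB5_CONF, version)["advice"])
```

On a real host the same functions would be fed the contents of `/etc/krb5.conf` and the version part of `rpm -q sssd`; the helper only reports, it changes nothing.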