Bug 1949170
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | pam_sss_gss.so doesn't work with large kerberos tickets [rhel-8.4.0.z] | | |
| Product: | Red Hat Enterprise Linux 8 | Reporter: | RHEL Program Management Team <pgm-rhel-tools> |
| Component: | sssd | Assignee: | Alexey Tikhonov <atikhono> |
| Status: | CLOSED ERRATA | QA Contact: | shridhar <sgadekar> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.4 | CC: | dlavu, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sgadekar, thalman, tscherf |
| Target Milestone: | beta | Keywords: | Triaged, ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-2.4.0-9.el8_4.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1948657 | Environment: | |
| Last Closed: | 2021-06-29 16:29:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1948657 | | |
| Bug Blocks: | | | |
Comment 1
Alexey Tikhonov
2021-04-13 15:33:45 UTC
```
[sudo_user1@client /]$ rpm -qa|egrep sssd
sssd-tools-2.4.0-9.el8_4.1.x86_64
sssd-ipa-2.4.0-9.el8_4.1.x86_64
sssd-client-2.4.0-9.el8_4.1.x86_64
sssd-kcm-2.4.0-9.el8_4.1.x86_64
sssd-dbus-2.4.0-9.el8_4.1.x86_64
python3-sssdconfig-2.4.0-9.el8_4.1.noarch
sssd-krb5-common-2.4.0-9.el8_4.1.x86_64
sssd-common-pac-2.4.0-9.el8_4.1.x86_64
sssd-nfs-idmap-2.4.0-9.el8_4.1.x86_64
sssd-common-2.4.0-9.el8_4.1.x86_64

[root@client ~]# cat /etc/sssd/sssd.conf
[domain/testrealm.test]
id_provider = ipa
ipa_server = _srv_, master.testrealm.test
ipa_domain = testrealm.test
ipa_hostname = client.testrealm.test
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
debug_level = 9
pam_gssapi_services = sudo, sudo-i
[sssd]
services = nss, pam, ssh, sudo
domains = testrealm.test
[nss]
homedir_substring = /home
[pam]
#pam_gssapi_check_upn = False
debug_level = 9
[sudo]
debug_level = 9
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
[session_recording]
[domain/domaingr51.com]
debug_level = 9

[root@client ~]# ssh -l sudo_user1 localhost
Password:
Activate the web console with: systemctl enable --now cockpit.socket

This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register

Last login: Fri Jun  4 13:05:12 2021 from ::1
Could not chdir to home directory /home/domaingr51.com/sudo_user1: No such file or directory

[sudo_user1@client /]$ klist
Ticket cache: FILE:/tmp/krb5cc_141401167
Default principal: sudo_user1

Valid starting       Expires              Service principal
06/04/21 13:06:59    06/04/21 23:06:59    krbtgt/DOMAINGR51.COM
        renew until 06/05/21 13:06:58

[sudo_user1@client /]$ klist -l
Principal name                 Cache name
--------------                 ----------
sudo_user1                     FILE:/tmp/krb5cc_141401167

[sudo_user1@client /]$ ls -lh /tmp/krb5cc_141401167
-rw-------. 1 sudo_user1 sudo_user1 1.5K Jun  4 13:06 /tmp/krb5cc_141401167
[sudo_user1@client /]$ ls -lh /tmp/krb5cc_141401167
-rw-------. 1 sudo_user1 sudo_user1 1.5K Jun  4 13:06 /tmp/krb5cc_141401167

[sudo_user1@client /]$ sudo -l
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 141401167
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: sudo_user1
pam_sss_gss: User domain: domaingr51.com
pam_sss_gss: User principal:
pam_sss_gss: Target name: host.test
pam_sss_gss: Using ccache: default
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 141401167 to 0
pam_sss_gss: Authentication successful
Matching Defaults entries for sudo_user1 on client:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User sudo_user1 may run the following commands on client:
    (ALL) ALL

[sudo_user1@client /]$ kdestroy
[sudo_user1@client /]$ sudo -k
[sudo_user1@client /]$ sudo -l
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 141401167
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: sudo_user1
pam_sss_gss: User domain: domaingr51.com
pam_sss_gss: User principal:
pam_sss_gss: Target name: host.test
pam_sss_gss: Using ccache: default
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Unable to read credentials from [default] [maj:0xd0000, min:0x96c73a8d]
pam_sss_gss: GSSAPI: Unspecified GSS failure.  Minor code may provide more information
pam_sss_gss: GSSAPI: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_141401167)
pam_sss_gss: Switching euid from 141401167 to 0
pam_sss_gss: System error [5]: Input/output error
[sudo] password for sudo_user1:

[sudo_user1@client /]$ kini
-bash: kini: command not found
[sudo_user1@client /]$ kinit
Password for sudo_user1:

[sudo_user1@client /]$ sudo -l
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 141401167
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: sudo_user1
pam_sss_gss: User domain: domaingr51.com
pam_sss_gss: User principal:
pam_sss_gss: Target name: host.test
pam_sss_gss: Using ccache: default
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 141401167 to 0
pam_sss_gss: Authentication successful
Matching Defaults entries for sudo_user1 on client:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User sudo_user1 may run the following commands on client:
    (ALL) ALL
```

Marking verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2571