Bug 2063224

Summary: Unable to lookup AD user if the request is not redirected to correct domain
Product: Red Hat Enterprise Linux 9
Reporter: Abhijit Roy <abroy>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED DUPLICATE
QA Contact: sssd-qe <sssd-qe>
Severity: medium
Priority: unspecified
Version: 9.0
CC: atikhono, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sbose, tscherf
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: ---
Hardware: All
OS: All
Last Closed: 2022-04-07 14:06:36 UTC
Type: Bug

Description Abhijit Roy 2022-03-11 14:33:50 UTC
Description of problem:

Unable to lookup AD user if the request is not redirected to correct domain

Workaround: Use ad_enabled_domains

(2022-03-03 10:51:30): [be[example.com]] [get_server_status] (0x1000): Status of server 'RHEL.example.com' is 'name resolved'
...
(2022-03-03 10:51:30): [be[example.com]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type) <--
(2022-03-03 10:51:30): [be[example.com]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error] <--
(2022-03-03 10:51:30): [be[example.com]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)]
(2022-03-03 10:51:30): [be[example.com]] [child_sig_handler] (0x1000): Waiting for child [379042].
(2022-03-03 10:51:30): [be[example.com]] [child_sig_handler] (0x0100): child [379042] finished successfully.
(2022-03-03 10:51:30): [be[example.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed<--

As a result, sssd is segfaulting.

Mar  3 07:46:05 RHELbox dbus-daemon[1255]: [system] Successfully activated service 'org.freedesktop.sssd.infopipe'
Mar  3 07:46:05 RHELbox systemd[1]: Started SSSD IFP Service responder.
Mar  3 07:46:05 RHELbox sssd_be[227946]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)
Mar  3 07:46:05 RHELbox sssd_be[227946]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)
Mar  3 07:46:05 RHELbox kernel: sssd_be[227946]: segfault at 0 ip 00007f60a807fb7e sp 00007ffc937aa888 error 4 in libc-2.28.so[7f60a7f27000+1bc000]
Mar  3 07:46:05 RHELbox kernel: Code: c8 c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 89 f8 31 d2 c5 c5 ef ff 09 f0 25 ff 0f 00 00 3d 80 0f 00 00 0f 8f 52 03 00 00 <c5> fe 6f 0f c5 f5 74 06 c5 fd da c1 c5 fd 74 c7 c5 fd d7 c8 85 c9
Mar  3 07:46:05 RHELbox systemd[1]: Started Process Core Dump (PID 277472/UID 0).
Mar  3 07:46:05 RHELbox systemd-coredump[277473]: Resource limits disable core dumping for process 227946 (sssd_be).
Mar  3 07:46:05 RHELbox systemd-coredump[277473]: Process 227946 (sssd_be) of user 0 dumped core.
Mar  3 07:46:05 RHELbox systemd[1]: systemd-coredump: Succeeded.
Mar  3 07:46:05 RHELbox sssd_be[277476]: Starting up
Mar  3 07:46:05 RHELbox sssd_be[277476]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)

Version-Release number of selected component (if applicable):

sssd-2.5.2-2.el8_5.4.x86_64


Comment 2 Alexey Tikhonov 2022-03-11 14:45:57 UTC
(In reply to Abhijit Roy from comment #0)
> 
> GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
> information (KDC has no support for encryption type) <--

Is the system in FIPS mode?


> As a result, sssd is segfaulting.
> Mar  3 07:46:05 RHELbox systemd-coredump[277473]: Resource limits disable
> core dumping for process 227946 (sssd_be).

Can you reproduce this?
If yes, please enable coredump and provide it.

Comment 3 Abhijit Roy 2022-03-11 18:48:00 UTC
Hi,

Cus is not able to share coredump. But I have logs with and without `ad_enabled_domains`.

Comment 4 Alexey Tikhonov 2022-03-11 19:09:33 UTC
(In reply to Abhijit Roy from comment #3)
> Hi,
> 
> Cus is not able to share coredump. But I have logs with and without
> `ad_enabled_domains`.

Is it reproducible? Maybe at least a backtrace?

And there is no answer about FIPS mode.
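
A triage sketch for the two log excerpts in the description, added here as an example; it is not part of the bug report or of SSSD. It groups the "KDC has no support for encryption type" bind failures by backend domain and resolved server, and lists `sssd_be` PIDs that logged the error before segfaulting. The regexes assume the line layouts shown in the description, and the sample text is constructed from those excerpts with the `<--` annotations removed.

```python
import re

# Constructed samples, modelled on the log excerpts in the description.
SSSD_LOG = """\
(2022-03-03 10:51:30): [be[example.com]] [get_server_status] (0x1000): Status of server 'RHEL.example.com' is 'name resolved'
(2022-03-03 10:51:30): [be[example.com]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)
(2022-03-03 10:51:30): [be[example.com]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(2022-03-03 10:51:30): [be[example.com]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
"""
JOURNAL = """\
Mar  3 07:46:05 RHELbox sssd_be[227946]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)
Mar  3 07:46:05 RHELbox kernel: sssd_be[227946]: segfault at 0 ip 00007f60a807fb7e sp 00007ffc937aa888 error 4 in libc-2.28.so[7f60a7f27000+1bc000]
Mar  3 07:46:05 RHELbox sssd_be[277476]: Starting up
Mar  3 07:46:05 RHELbox sssd_be[277476]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC has no support for encryption type)
"""
ENCTYPE = "KDC has no support for encryption type"
# Assumed layout: (timestamp): [be[domain]] [function] (0xlevel): message
SSSD_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[be\[(?P<dom>[^\]]+)\]\] \[(?P<fn>\w+)\] "
    r"\((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$", re.M)
SERVER = re.compile(r"Status of server '([^']+)' is 'name resolved'")
SEGV = re.compile(r"kernel: sssd_be\[(\d+)\]: segfault at ([0-9a-f]+) .* in (\S+?)\[")
GSS = re.compile(r" sssd_be\[(\d+)\]: GSSAPI Error: .*" + re.escape(ENCTYPE))

def enctype_failures(log):
    """Per backend domain: last resolved server, enctype errors, failed connect."""
    out = {}
    for m in SSSD_LINE.finditer(log):
        d = out.setdefault(m["dom"], {"server": None, "enctype_errors": 0, "bind_failed": False})
        srv = SERVER.search(m["msg"])
        if srv:
            d["server"] = srv.group(1)
        elif m["fn"] == "ad_sasl_log" and ENCTYPE in m["msg"]:
            d["enctype_errors"] += 1  # count once per bind; sasl_bind_send repeats it
        elif m["fn"] == "sdap_cli_connect_recv" and "Authentication Failed" in m["msg"]:
            d["bind_failed"] = True
    return out

def crashes_after_gss_error(journal):
    """sssd_be PIDs that logged the enctype error and later segfaulted."""
    gss_pids, hits = set(), []
    for line in journal.splitlines():
        g, s = GSS.search(line), SEGV.search(line)
        if g:
            gss_pids.add(g.group(1))
        elif s and s.group(1) in gss_pids:
            hits.append({"pid": int(s.group(1)), "fault_addr": s.group(2), "module": s.group(3)})
    return hits
```

The server name reported per domain shows which DC the failing bind was sent to, which is the detail to compare between runs with and without `ad_enabled_domains`.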