Bug 2088817

Summary: pam_sss_gss ceased to work after upgrade to 8.6
Product: Red Hat Enterprise Linux 8 Reporter: Tomasz Kepczynski <tomek>
Component: sssdAssignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA QA Contact: shridhar <sgadekar>
Severity: high Docs Contact:
Priority: unspecified    
Version: 8.6CC: afarley, atikhono, ccallaha, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sam, sgadekar, tscherf
Target Milestone: rcKeywords: Regression, Triaged, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.7.2-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2089244 (view as bug list) Environment:
Last Closed: 2022-11-08 10:51:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2089244    

Description Tomasz Kepczynski 2022-05-20 21:21:40 UTC 
Description of problem:
I've recently upgraded AlmaLinux from 8.5 to 8.6.
I am using pam_sss_gss together with sudo.
This setup ceased to work under certain circumstances:
- it does NOT work when logged in using sss with gssapi-keyex authentication
- it works when logged in on Linux console (both text and sddm work).

Version-Release number of selected component (if applicable):
sssd-client-2.6.2-4.el8_6.x86_64

How reproducible:
Always, as described above.

Steps to Reproduce:
1. Log in using ssh and GSSAPI authentication to IPA client system.
2. Add 'auth sufficient pam_sss_gss.so' as the first line to /etc/pam.d/sudo and configure sssd.conf for the above.
3. Invoke 'sudo -l'. It asks for password while it should succeed with sss gss authentication.
4. When debug is enabled the following is printed:
pam_sss_gss: sss_cli_getenv() call failed [2]: No such file or directory

Actual results:
SSSD GSS authentication fails. sudo prompts for password.

Expected results:
SSSD GSS authentication succeeds. No password prompt.

Additional info:
This is caused by introduction of 'sss_cli_getenv' function in pam_sss_gss.c file and mishandling the NULL result from 'getenv' function. NULL is perfectly valid and SHOULD NOT result in error (ENOENT) returned by this function, especially that this case is properly handled by previous version of the module where default cache is picked (from sssd-client-2.5.2).

Please note the comment above call to 'sss_cli_getenv':
/* Get non-default ccache if specified, may be NULL. */
clearly indicates that the requested environment variable is OPTIONAL. Please handle it as such.

The same issue exists on Fedora 35.
Comment 1 Alexey Tikhonov 2022-05-23 09:07:11 UTC 
Upstream PR: https://github.com/SSSD/sssd/pull/6172
Comment 4 Alexey Tikhonov 2022-05-30 10:38:02 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/6172

* `master`
    * 9aad30711a5928f0e8a3627305b6449291de507f - pam_sss_gss: KRB5CCNAME may be NULL
* `sssd-2-7`
    * 0eae7db9e06645ef88d0cf15672770776293edb5 - pam_sss_gss: KRB5CCNAME may be NULL
Comment 15 errata-xmlrpc 2022-11-08 10:51:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7739
Comment 16 Red Hat Bugzilla 2023-09-18 04:37:34 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days