Bug 2095356

Summary: Password auth against FreeIPA server no longer works after update to Fedora 36
Product: [Fedora] Fedora
Reporter: Thomas Boroske <boroske>
Component: sssd
Assignee: sssd-maintainers <sssd-maintainers>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 36
CC: abokovoy, atikhono, jhrozek, lslebodn, luk.claes, mhjacks, mzidek, pbrezina, sbose, ssorce, sssd-maintainers
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2022-06-09 16:21:28 UTC
Type: Bug
Attachments:
krb5_child.log of attempt to login using password auth (flags: none)

Description Thomas Boroske 2022-06-09 15:54:22 UTC
Created attachment 1888388
krb5_child.log of attempt to login using password auth

I recently upgraded a Fedora 35 system to Fedora 36.

After the upgrade, using any type of password auth against the FreeIPA server no longer works (ssh, su, sudo), only local user logins or ssh public key login.

The problem seems to have to do with the new sssd package.

I can see an error message in dmesg:

[  743.242553] sssd_be[848]: segfault at 18 ip 00007f9bd8b5559c sp 00007ffd21604bc0 error 4 in libc.so.6[7f9bd8aeb000+173000]


I also enabled debug logging in sssd.conf and got error messages in 

/var/log/sssd/krb5_child.log

excerpt (see attachment for full log of login attempt): 
[...]

(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0400): [RID#18] TGT verified using key for [host/zeus.net.ida].
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_child_krb5_trace_cb] (0x4000): [RID#18] [1808] 1654779082.856019: Retrieving thomasb -> host/zeus.net.ida from MEMORY:rd_req2 with result: 0/Success

(2022-06-09 14:51:22): [krb5_child[1808]] [sss_extract_pac] (0x0040): [RID#18] No PAC authdata available.
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0020): [RID#18] PAC check failed for principal [thomasb].
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_child_krb5_trace_cb] (0x4000): [RID#18] [1808] 1654779082.856020: Destroying ccache MEMORY:rd_req2

(2022-06-09 14:51:22): [krb5_child[1808]] [get_and_save_tgt] (0x0020): [RID#18] 2045: [1432158308][Unknown code UUz 100]
(2022-06-09 14:51:22): [krb5_child[1808]] [map_krb5_error] (0x0020): [RID#18] [1432158308][PAC check failed].
(2022-06-09 14:51:22): [krb5_child[1808]] [k5c_send_data] (0x0200): [RID#18] Received error code 1432158308
(2022-06-09 14:51:22): [krb5_child[1808]] [pack_response_packet] (0x2000): [RID#18] response packet size: [20]
(2022-06-09 14:51:22): [krb5_child[1808]] [k5c_send_data] (0x4000): [RID#18] Response sent.
(2022-06-09 14:51:22): [krb5_child[1808]] [main] (0x0400): [RID#18] krb5_child completed successfully



I had to roll back the system to before the update for now but am willing to attempt again if additional data is needed.

Comment 1 Sumit Bose 2022-06-09 16:21:28 UTC
As a work-around set

    pac_check = check_upn, check_upn_dns_info_ex

in the [pac] section of sssd.conf.

*** This bug has been marked as a duplicate of bug 2094685 ***
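
For triage of the failure shown in the krb5_child.log excerpt above, the following added example (not part of the report and not SSSD code) groups log lines by process ID and request ID and reports each request whose PAC check failed, noting whether the ticket carried no PAC at all. It assumes the line layout seen in the excerpt; the sample log, principal and host name are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the krb5_child.log layout quoted in the report
# (hypothetical principal and host; RID#7 is a constructed clean request).
SAMPLE_LOG = """\
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0400): [RID#18] TGT verified using key for [host/client.example.test].
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_extract_pac] (0x0040): [RID#18] No PAC authdata available.
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0020): [RID#18] PAC check failed for principal [alice].
(2022-06-09 14:51:22): [krb5_child[1808]] [k5c_send_data] (0x0200): [RID#18] Received error code 1432158308
(2022-06-09 14:52:01): [krb5_child[1911]] [validate_tgt] (0x0400): [RID#7] TGT verified using key for [host/client.example.test].
(2022-06-09 14:52:01): [krb5_child[1911]] [main] (0x0400): [RID#7] krb5_child completed successfully
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
PAC_FAIL_RE = re.compile(r"PAC check failed for principal \[([^\]]+)\]")
ERR_RE = re.compile(r"Received error code (\d+)")


def find_pac_failures(log_text):
    """Return one record per (pid, RID) request whose PAC check failed."""
    requests = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, "[...]" elisions, unrelated formats
        req = requests[(int(m["pid"]), int(m["rid"]))]
        req.setdefault("time", m["ts"])
        msg = m["msg"]
        if "No PAC authdata available" in msg:
            req["pac_missing"] = True  # ticket carried no PAC at all
        elif (fail := PAC_FAIL_RE.search(msg)):
            req["principal"] = fail.group(1)
        elif (err := ERR_RE.search(msg)):
            req["error_code"] = int(err.group(1))
    return [
        {"pid": pid, "rid": rid, "time": r["time"], "principal": r["principal"],
         "pac_missing": r.get("pac_missing", False),
         "error_code": r.get("error_code")}
        for (pid, rid), r in sorted(requests.items()) if "principal" in r
    ]


if __name__ == "__main__":
    for failure in find_pac_failures(SAMPLE_LOG):
        print(failure)
```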