Bug 2214563

Summary: Passwordless (GSSAPI) SSH login failing with AD user
Product: Red Hat Enterprise Linux 8
Component: ipa
Version: 8.9
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: anuja <amore>
Assignee: Julien Rische <jrische>
QA Contact: anuja <amore>
CC: abokovoy, frenaud, ftrivino, gkaihoro, rcritten, rjeffman, sumenon, tscherf
Target Milestone: rc
Target Release: ---
Keywords: Regression, Triaged
Flags: pm-rhel: mirror+
Fixed In Version: ipa-4.9.12-4.module+el8.9.0+19227+ff8f095d
Doc Type: No Doc Update
Type: Bug
Last Closed: 2023-11-14 15:32:53 UTC

Description anuja 2023-06-13 12:04:44 UTC
Description of problem:
Passwordless (GSSAPI) SSH login not working with AD user

Version-Release number of selected component (if applicable):
ipa-server-4.9.12-2.module+el8.9.0+18921+013c0de2.x86_64

How reproducible:
Always

Steps to Reproduce:

1. Configure ipa-server with AD trust established.
2. AD domain is windows.test and a child domain sub1.windows.test contains the user aduser1.
3. Obtain a Kerberos ticket for aduser1 and use this ticket for ssh.

Expected behavior

echo Secret123|kinit aduser1
Password for aduser1.TEST:
ssh -K -l aduser1 hostname 'echo Success'
Success

Actual results:
[root@client ~]# ssh -K -l nonposixuser `hostname` 'echo Success'
Password: 
Success
Could not chdir to home directory /home/win2019-4xwn.test/nonposixuser: No such file or directory

Expected results:
It should not prompt for password.
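
A check for the failure mode reported above, added here as an example (it is not part of the bug report or of the ipa test suite): it reads OpenSSH client `-v` output and reports which authentication method actually succeeded, so a silent fallback from GSSAPI to a password prompt is caught. The function names, the sample host and address, and both sample logs are constructed for illustration; the two log-line formats are assumed from OpenSSH client debug output and can differ between versions.

```shell
#!/bin/sh
# Added example. Function names and sample data are hypothetical.

# Print the authentication method the ssh client reports as successful.
# Input: `ssh -v` client output on stdin. Prints nothing if none is found.
ssh_auth_method() {
    sed -n \
        -e 's/.*Authentication succeeded (\([a-z-]*\)).*/\1/p' \
        -e 's/.*Authenticated to .* using "\([a-z-]*\)".*/\1/p' | head -n 1
}

# Exit 0 only when the successful method was a GSSAPI one.
is_gssapi_login() {
    case "$(ssh_auth_method)" in
        gssapi-with-mic|gssapi-keyex) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check (needs a valid ticket, so it is not run by the demo below).
# BatchMode=yes disables prompting and PreferredAuthentications limits the
# client to GSSAPI, so a fallback becomes a failure instead of "Password:".
check_gssapi_ssh() {  # usage: check_gssapi_ssh USER HOST
    ssh -v -K -o BatchMode=yes \
        -o PreferredAuthentications=gssapi-with-mic \
        -l "$1" "$2" true 2>&1 | is_gssapi_login
}

# Constructed sample: GSSAPI authentication succeeds.
SAMPLE_OK='debug1: Authentications that can continue: gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).'

# Constructed sample: GSSAPI is tried, then the client falls back to a prompt.
SAMPLE_FALLBACK='debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Authenticated to client.example.test ([192.0.2.10]:22) using "keyboard-interactive".'

printf '%s\n' "$SAMPLE_OK" | ssh_auth_method        # gssapi-with-mic
printf '%s\n' "$SAMPLE_FALLBACK" | ssh_auth_method  # keyboard-interactive
```
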

Comment 13 anuja 2023-07-17 15:04:17 UTC
Verified using test compose:
ipa-server-4.9.12-4.module+el8.9.0+19311+cb2600ad.x86_64                      

2023-07-17T13:11:30+0000 [] :: [ 09:11:30 ] :: [  BEGIN   ] :: Running 'echo Secret123|kinit aduser1'
2023-07-17T13:11:30+0000 [] Password for aduser1: 
2023-07-17T13:11:30+0000 [] :: [ 09:11:30 ] :: [   PASS   ] :: Command 'echo Secret123|kinit aduser1' (Expected 0, got 0)
2023-07-17T13:11:30+0000 [] :: [ 09:11:30 ] :: [  BEGIN   ] :: Running 'timeout 60s             ssh -K -l aduser1 ip-234.ssh2k16.test 'echo login successful''
2023-07-17T13:11:33+0000 [] login successful
2023-07-17T13:11:33+0000 [] :: [ 09:11:32 ] :: [   PASS   ] :: Command 'timeout 60s             ssh -K -l aduser1 ip-234.ssh2k16.test 'echo login successful'' (Expected 0, got 0)

Working as expected, thus marking the bug as verified tested.

Comment 17 anuja 2023-07-21 06:47:42 UTC
Verified using nightly build:
ipa-server-4.9.12-5.module+el8.9.0+19430+5c00c3bc.x86_64

2023-07-20T17:25:54+0000 [ip-0-0-9-2.rhos-] :: [ 13:25:54 ] :: [   PASS   ] :: Command 'echo Secret123|kinit aduser1' (Expected 0, got 0)
2023-07-20T17:25:54+0000 [ip-0-0-9-2.rhos-] :: [ 13:25:54 ] :: [  BEGIN   ] :: Running 'timeout 60s             ssh -K -l aduser1 ip-0-0-9-2.ssh2k16.test 'echo login successful''
2023-07-20T17:25:56+0000 [ip-0-0-9-2.rhos-] login successful
2023-07-20T17:25:56+0000 [ip-0-0-9-2.rhos-] :: [ 13:25:55 ] :: [   PASS   ] :: Command 'timeout 60s             ssh -K -l aduser1 ip-0-0-9-2.ssh2k16.test 'echo login successful'' (Expected 0, got 0)

Comment 20 errata-xmlrpc 2023-11-14 15:32:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6977