Bug 2223442

Summary: SSSD should handle AD's behavior of handling Kerberos realms case-insensitive better. sssd was using stale entries from /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM
Product: Red Hat Enterprise Linux 8
Component: sssd
Version: 8.8
Status: NEW
Severity: low
Priority: unspecified
Reporter: Abhijit Roy <abroy>
Assignee: jstephen
QA Contact: Dan Lavu <dlavu>
CC: aboscatt, pbrezina, sbose
Target Milestone: rc
Keywords: Triaged
Hardware: All
OS: Linux
Type: Bug

Description Abhijit Roy 2023-07-17 21:45:46 UTC
Description of problem:

Failed to look up user since /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM has stale entries or a decommissioned server.

Clearing the content of /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM file resolves the issue.

SSSD should handle AD's behavior of handling Kerberos realms case-insensitive better. One possible fix might be to always create the realm part of the name of the kdcinfo file in upper-case letters (since there is a convention to use upper-case for realm names). Before that, the directory should be checked for kdcinfo files for the same realm but different cases. The locator plugin itself should then use the upper-case name as a fallback in case a kdcinfo file with the realm received was not found. This is needed because the locator plugin is not aware of the type of the KDC for different realms, and in general Kerberos realms are case-sensitive.

Version-Release number of selected component (if applicable):

sssd-2.7.3-4.el8_7.3.x86_64

Expected results:

sssd should clean up the content of /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM periodically 

Additional info:

WORKAROUND: Clearing the content of /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM file resolves the issue.
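
The directory check proposed in the description (kdcinfo files for the same realm that differ only in case) can also be run by an administrator as a read-only audit. The following is an added example, not part of the original report and not SSSD code; the function names are hypothetical, and the default path is the one named in the report.

```shell
#!/bin/sh
# Added example: read-only audit of SSSD kdcinfo files for realm names
# that differ only by case. Function names are hypothetical.

# Print one line per kdcinfo file: "<UPPER-CASED REALM> <path>"
list_kdcinfo() {
    dir=$1
    for f in "$dir"/kdcinfo.*; do
        [ -f "$f" ] || continue            # unmatched glob or non-file
        realm=${f##*/kdcinfo.}
        upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
        printf '%s %s\n' "$upper" "$f"
    done
}

# Print each realm (upper-cased) that has more than one case variant on disk.
case_variant_realms() {
    list_kdcinfo "$1" | awk '{print $1}' | sort | uniq -d
}

# Print kdcinfo files whose realm part is not already upper-case.
non_upper_files() {
    list_kdcinfo "$1" | while read -r upper path; do
        [ "${path##*/kdcinfo.}" = "$upper" ] || printf '%s\n' "$path"
    done
}

# For every realm with case variants, show each file and the KDC
# addresses it holds, so a stale or decommissioned server stands out.
report() {
    dir=${1:-/var/lib/sss/pubconf}
    for realm in $(case_variant_realms "$dir"); do
        echo "realm $realm has kdcinfo files differing only by case:"
        list_kdcinfo "$dir" | while read -r upper path; do
            [ "$upper" = "$realm" ] || continue
            printf '  %s: %s\n' "$path" "$(tr '\n' ' ' < "$path")"
        done
    done
}

# Run the report only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then report "$1"; fi
```

Run it as `sh script.sh /var/lib/sss/pubconf`; it only reads the files and changes nothing.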