Bug 785881
| Summary: | List the keytab to pick the princiapl to use instead of guessing | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Stephen Gallagher <sgallagh> |
| Component: | sssd | Assignee: | Stephen Gallagher <sgallagh> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.3 | CC: | grajaiya, jgalipea, jzeleny, ksiddiqu, prc |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.8.0-2.el6.beta2 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: IPA provider uses keytabs to authenticate against IPA server. The approach was to construct expected principal and then try to use it.
Consequence: In case the constructed principal wasn't in the keytab, the entire operation failed and the backend wasn't able to connect to IPA server.
Fix: The approach has been changed to list all principals in used keytab and pick the most convenient one
Result: current implementation has more flexible algorithm to find suitable principal in keytab
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 11:54:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Stephen Gallagher
2012-01-30 20:19:17 UTC
please add steps to reproduce/verify this issue. thanks 1. Configure SSSD to perform operations against IPA server (CA certificate of IPA server and keytab of the host is of course required) 2. Configure log level 9 for the backend connecting to the IPA server 3. Start SSSD 4. Look into provider log file and look for following messages Message originating from select_principal_from_keytab about trying to find the most appropriate keytab. Messages originating from find_principal_in_keytab about trying to find a principal in keytab. At least one of these messages should not have its 'could not find' counterpart.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: IPA provider uses keytabs to authenticate against IPA server. The approach was to construct expected principal and then try to use it.
Consequence: In case the constructed principal wasn't in the keytab, the entire operation failed and the backend wasn't able to connect to IPA server.
Fix: The approach has been changed to list all principals in used keytab and pick the most convenient one
Result: current implementation has more flexible algorithm to find suitable principal in keytab
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0747.html |