Bug 785907
| Summary: | [RFE] Add support to request canonicalization on krb AS requests | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Stephen Gallagher <sgallagh> |
| Component: | sssd | Assignee: | Stephen Gallagher <sgallagh> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.3 | CC: | grajaiya, jgalipea, jzeleny, ksiddiqu, prc |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.8.0-2.el6.beta2 | Doc Type: | Enhancement |
| Doc Text: | A new option krb5_canonicalize has been added to SSSD configuration. When set to true, it will set a flag in krb5 request and the host and user principals will be canonicalized and returned to SSSD by server. Note that this feature requires Kerberos >= 1.7 | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-20 11:54:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Stephen Gallagher
2012-01-30 21:05:33 UTC
<jgalipea> sgallagh, ping re: https://bugzilla.redhat.com/show_bug.cgi?id=785907
<jgalipea> sgallagh, how is this tested???
<sgallagh> jgalipea: It's a compatibility feature with older KDCs
<simo> jgalipea, the quick line is that it allows people to use bad cases in hostnames and have things still working
<simo> so that if you call your host QEnacksme.redhat.com you get back host/qenacksme.redhat.com
<simo> but our KDC can still check case-insensitively if canonicalization is requested
<simo> w/o that request the KDC will return that the principal was not found
<jgalipea> okay ... got it ... but assume they must user --hostname with ipa-client-install for that to work
<jgalipea> s/user/use
<simo> possibly
<simo> when I opened the bug I think we didn't check yet
<simo> but helps in general
<jgalipea> I think so cuz I saw another bug ... looking ...
<sgallagh> jgalipea: Incorrect
<simo> so if you ssh jgalipea@Myqemachine you can still get a ticket for myqemachine
<jgalipea> oh ... okay ... got it
<sgallagh> jgalipea: if their machine hostname is JGALIPEA.redhat.com and they use ipa-client install, the host on the IPA server will be normalized to lowercase, but the client will try to use host/JGALIPEA.redhat.com
<sgallagh> See https://bugzilla.redhat.com/show_bug.cgi?id=786237 for an example of this

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
A new option krb5_canonicalize has been added to SSSD configuration. When set to true, it will set a flag in krb5 request and the host and user principals will be canonicalized and returned to SSSD by server. Note that this feature requires Kerberos >= 1.7

Steps to verify this is needed. This should be tested with older IPA server (I recall that Stephen suggested 2.1 should work). Just try to install ipa client with some part of your hostname uppercase.
At least this is what I understand from comment 1.

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/rodimus.lab.eng.pnq.redhat.com

Valid starting     Expires            Service principal
05/30/12 10:16:30  05/31/12 10:16:30  krbtgt/EXAMPLE.COM
	renew until 05/30/12 10:16:30
05/30/12 10:20:30  05/31/12 10:16:30  host/rodimus.lab.eng.pnq.redhat.com
	renew until 05/30/12 10:16:30

# hostname
RODIMUS.lab.eng.pnq.redhat.com

#########################################################################

WITH "krb5_canonicalize = true"

sssd.conf

[domain/example.com]
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://goldbug.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=com
cache_credentials = true
enumerate = False
debug_level = 9
krb5_server = goldbug.lab.eng.pnq.redhat.com
krb5_realm = EXAMPLE.COM
krb5_canonicalize = true
krb5_validate = true
ldap_sasl_mech = GSSAPI
krb5_keytab = /etc/krb5.keytab

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.com

[nss]

[pam]

[sudo]

[autofs]

[ssh]

# getent passwd blah

sssd domain log
{{{
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 27
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [7972]
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [7972]
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x250e300], connected[1], ops[(nil)], ldap[0x250e4e0]
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed May 30 14:14:59 2012) [sssd[be[example.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed May 30 14:15:00 2012) [sssd[be[example.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed May 30 14:15:00 2012) [sssd[be[example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_EXAMPLE.COM], expired on [1338488099]
(Wed May 30 14:15:00 2012) [sssd[be[example.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [child_sig_handler] (0x1000): Waiting for child [7972].
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [child_sig_handler] (0x0100): child [7972] finished successfully.
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'goldbug.lab.eng.pnq.redhat.com' as 'working'
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [set_server_common_status] (0x0100): Marking server 'goldbug.lab.eng.pnq.redhat.com' as 'working'
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [sdap_id_op_connect_done] (0x4000): notify connected to op #1
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [sdap_get_users_next_base] (0x0400): Searching for users with base [dc=example,dc=com]
(Wed May 30 14:15:01 2012) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=blah)(objectclass=posixAccount)
}}}

#############################################################################

WITH "krb5_canonicalize = false"

sssd.conf

# cat /etc/sssd/sssd.conf
[domain/example.com]
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://goldbug.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=com
cache_credentials = true
enumerate = False
debug_level = 9
krb5_server = goldbug.lab.eng.pnq.redhat.com
krb5_realm = EXAMPLE.COM
krb5_canonicalize = false
krb5_validate = true
ldap_sasl_mech = GSSAPI
krb5_keytab = /etc/krb5.keytab

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.com

[nss]

[pam]

[sudo]

[autofs]

# getent -s sss passwd shanks

sssd domain log
{{{
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 27
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [8072]
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [8072]
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x155a870], connected[1], ops[(nil)], ldap[0x155aad0]
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed May 30 14:23:42 2012) [sssd[be[example.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed May 30 14:23:43 2012) [sssd[be[example.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed May 30 14:23:43 2012) [sssd[be[example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_EXAMPLE.COM], expired on [1338488623]
(Wed May 30 14:23:43 2012) [sssd[be[example.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: (null)
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [child_sig_handler] (0x1000): Waiting for child [8072].
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [child_sig_handler] (0x0100): child [8072] finished successfully.
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'goldbug.lab.eng.pnq.redhat.com' as 'working'
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [set_server_common_status] (0x0100): Marking server 'goldbug.lab.eng.pnq.redhat.com' as 'working'
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [sdap_id_op_connect_done] (0x4000): notify connected to op #1
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [sdap_get_users_next_base] (0x0400): Searching for users with base [dc=example,dc=com]
(Wed May 30 14:23:45 2012) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=shanks)(objectclass=posixAccount))][dc=example,dc=com].
}}}

Both true and false are working; it would have been expected that with "false", the lookup would not have been successful. But because of the fix for https://bugzilla.redhat.com/show_bug.cgi?id=785881 ... they are now both successful.

Marking bug VERIFIED

version :: sssd-1.8.0-32.el6.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0747.html
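The behaviour simo and sgallagh describe in the description (a KDC that only matches a mixed-case host principal against its lowercase entry when the AS-REQ carries the canonicalize flag), together with the two krb5_canonicalize settings from the verification comment, as an added illustration that is not part of this bug report and not SSSD or MIT krb5 code. The KDC is an in-memory dictionary, the matching rule (compare the hostname of a host/ principal case-insensitively, leave service name and realm alone) is an assumption modelled on the IRC discussion, the SSSD default of false is taken from sssd.conf(5), and the configuration texts and principal names are constructed from the values on this page.

```python
"""Toy model of what the canonicalize flag changes in an AS-REQ lookup,
plus a check of an sssd.conf for the krb5_canonicalize option.

Added example, not SSSD or MIT krb5 code.  The KDC database, the matching
rule and the configuration texts below are constructed assumptions.
"""
import configparser
from typing import List, Optional, Tuple

Principal = Tuple[List[str], str]  # (name components, realm)

# MIT krb5 error name the client sees when the KDC does not find the entry.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "KDC_ERR_C_PRINCIPAL_UNKNOWN"


def parse_principal(text: str) -> Principal:
    """'host/RODIMUS.example.com@EXAMPLE.COM' -> (['host', 'RODIMUS.example.com'], 'EXAMPLE.COM')."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal {text!r}")
    return name.split("/"), realm


def canonical_form(principal: Principal) -> Principal:
    """Assumed KDC rule: the hostname of a host/ principal is a DNS name and
    therefore case-insensitive; the service name and realm are not touched."""
    components, realm = principal
    if len(components) == 2 and components[0] == "host":
        return [components[0], components[1].lower()], realm
    return list(components), realm


class ToyKDC:
    """In-memory principal database standing in for the IPA KDC (assumption)."""

    def __init__(self, principals: List[str]) -> None:
        self.db = {name: parse_principal(name) for name in principals}

    def as_req(self, client: str, canonicalize: bool) -> str:
        """Name the KDC puts in the AS-REP, or LookupError if it rejects.

        Without the canonicalize flag the KDC must answer with exactly the
        requested name (the client would reject any other), so only an exact
        match counts.  With the flag it may answer with the canonical entry
        that matches under the relaxed rule, which is what SSSD then stores.
        """
        if client in self.db:
            return client
        if canonicalize:
            wanted = canonical_form(parse_principal(client))
            for name, stored in self.db.items():
                if canonical_form(stored) == wanted:
                    return name
        raise LookupError(KDC_ERR_C_PRINCIPAL_UNKNOWN)


def sssd_canonicalize_enabled(conf_text: str, domain: str) -> bool:
    """Read krb5_canonicalize for [domain/<domain>]; SSSD defaults it to false."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getboolean(f"domain/{domain}", "krb5_canonicalize", fallback=False)


def host_principal_from_kdc(hostname: str, realm: str, conf_text: str,
                            domain: str, kdc: ToyKDC) -> Optional[str]:
    """Name the SSSD krb5 child would get back for host/<hostname>, or None
    when the KDC answers 'principal not found'."""
    try:
        return kdc.as_req(f"host/{hostname}@{realm}",
                          sssd_canonicalize_enabled(conf_text, domain))
    except LookupError:
        return None


# Constructed configs, trimmed from the two sssd.conf variants above.
SSSD_CONF_TRUE = """
[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_server = goldbug.lab.eng.pnq.redhat.com
krb5_realm = EXAMPLE.COM
krb5_canonicalize = true
krb5_keytab = /etc/krb5.keytab

[sssd]
services = nss, pam
domains = example.com
"""
SSSD_CONF_FALSE = SSSD_CONF_TRUE.replace("krb5_canonicalize = true",
                                         "krb5_canonicalize = false")

if __name__ == "__main__":
    # Host enrolled in lowercase on the server, machine named in upper case.
    kdc = ToyKDC(["host/rodimus.lab.eng.pnq.redhat.com@EXAMPLE.COM"])
    for conf in (SSSD_CONF_TRUE, SSSD_CONF_FALSE):
        got = host_principal_from_kdc("RODIMUS.lab.eng.pnq.redhat.com",
                                      "EXAMPLE.COM", conf, "example.com", kdc)
        print("krb5_canonicalize =", sssd_canonicalize_enabled(conf, "example.com"),
              "->", got or KDC_ERR_C_PRINCIPAL_UNKNOWN)
```

Run stand-alone it prints the canonical lowercase principal for the true configuration and KDC_ERR_C_PRINCIPAL_UNKNOWN for the false one, which is the outcome the verification steps expected before the fix for bug 785881 made both lookups succeed. The exact-match branch in as_req is deliberate: a KDC that silently answered with a different client name without the flag would be rejected by the client, so the flag is what makes the relaxed match safe to return.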