Bug 869071
| Field | Value |
|---|---|
| Summary | Password authentication for users from trusted domains does not work |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Scott Poore <spoore> |
| Component | sssd |
| Assignee | Jakub Hrozek <jhrozek> |
| Status | CLOSED ERRATA |
| QA Contact | Kaushik Banerjee <kbanerje> |
| Severity | unspecified |
| Priority | high |
| Version | 6.4 |
| CC | abokovoy, asn, dpal, grajaiya, jgalipea, mkosek, pbrezina, sbose, sgoveas |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | sssd-1.9.2-5.el6 |
| Doc Type | Bug Fix |
| Doc Text | No Documentation Needed |
| Story Points | --- |
| Last Closed | 2013-02-21 09:37:54 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Scott Poore
2012-10-22 23:11:20 UTC
Oh, and here's the version info:

```
[root@rhel6-1 ~]# rpm -q ipa-server sssd samba4
ipa-server-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64
sssd-1.9.90-0.20121019T0223zgit66318df.el6.x86_64
samba4-4.0.0-37.el6.rc3.x86_64
```

Upstream ticket: https://fedorahosted.org/sssd/ticket/1595

Created attachment 632246 [details]
sssd_testrelm.com log during failed ssh with password attempt

Entries from /var/log/secure:

```
Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6-1.testrelm.com user=testuser1
Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_sss(sshd:auth): system info: [Decrypt integrity check failed]
Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6-1.testrelm.com user=testuser1
Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_sss(sshd:auth): received for user testuser1: 7 (Authentication failure)
Oct 23 13:56:42 rhel6-1 sshd[31804]: Failed password for testuser1 from 192.168.122.61 port 36843 ssh2
Oct 23 13:56:42 rhel6-1 sshd[31805]: Connection closed by 192.168.122.61
```

Entries from /var/log/messages:

```
Oct 23 13:56:40 rhel6-1 [sssd[krb5_child[31806]]]: Decrypt integrity check failed
Oct 23 13:56:40 rhel6-1 [sssd[krb5_child[31806]]]: Decrypt integrity check failed
```

Entries from /var/log/krb5kdc.log:

```
Oct 23 13:56:40 rhel6-1.testrelm.com krb5kdc[30091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.61: NEEDED_PREAUTH: testuser1 for krbtgt/TESTRELM.COM, Additional pre-authentication required
Oct 23 13:56:40 rhel6-1.testrelm.com krb5kdc[30091](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
```

Oh, here's confirmation on the version too:

```
[root@rhel6-1 tmp]# rpm -q sssd
sssd-1.9.90-0.20121023.1813.git8662356.el6.x86_64
```

Can you add your sssd.conf as well?

(In reply to comment #8)
> Can you add your sssd.conf as well?

```
[root@rhel6-1 tmp]# cat /etc/sssd/sssd.conf
[domain/default]
cache_credentials = True

[domain/testrelm.com]
debug_level = 10
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
subdomains_provider = ipa
ipa_hostname = rhel6-1.testrelm.com
chpass_provider = ipa
ipa_server = rhel6-1.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
debug_level = 10
services = nss, pam, ssh, pac
config_file_version = 2
domains = testrelm.com

[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
```

Can you retry with a clean cache?

```
service sssd stop
rm -f /var/lib/sss/mc/* /var/lib/sss/db/*
service sssd start
```

Ok, looks like it was a caching issue there:

```
[root@rhel6-1 ~]# service sssd stop
Stopping sssd: [ OK ]
[root@rhel6-1 ~]# rm -f /var/lib/sss/mc/* /var/lib/sss/db/*
[root@rhel6-1 ~]# > /var/log/sssd/sssd_testrelm.com.log
[root@rhel6-1 ~]# service sssd start
Starting sssd: [ OK ]
[root@rhel6-1 ~]# ssh -l testuser1 rhel6-1.testrelm.com
testuser1@rhel6-1.testrelm.com's password:
Last login: Tue Oct 23 23:08:55 2012 from 192.168.122.23
id: cannot find name for group ID 1232801127
-sh-4.1$
```

So, it looks like the test rpm worked.

Fixed upstream.

```
[root@rasalghul ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
[root@rasalghul ~]# kdestroy
[root@rasalghul ~]# getent passwd fuser
fuser:*:1979001104:1979001104::/home/adlab.qe/fuser:
[root@rasalghul ~]# ssh -l fuser rasalghul.testrelm.com
fuser@rasalghul.testrelm.com's password:
Last login: Wed Nov 7 14:13:10 2012 from rasalghul.testrelm.com
-sh-4.1$ pwd
/home/adlab.qe/fuser
-sh-4.1$ whoami
fuser
-sh-4.1$ id
uid=1979001104(fuser) gid=1979001104(fuser) groups=1979001104(fuser) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$ logout
Connection to rasalghul.testrelm.com closed.
```

If I understand correctly, this one was found to be failing when the username (user@domain) is shorter than the IPA server domain name. So it will still work in some cases. Expecting another fix from Dev for this asap. Will move this back to Assigned so it can be handled appropriately and doesn't get lost in the shuffle.

Ok, the issue prompting me to move back to Assigned was determined to be a different issue and warranted a separate bug: https://bugzilla.redhat.com/show_bug.cgi?id=878262. I did confirm that when the UPN is longer than the IPA realm this still works. Moving this back to Verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
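A small log-correlation script for the failure signature quoted in this bug, added here as an example and not part of the bug report or of sssd: it ties the client-side pam_sss "system info: [Decrypt integrity check failed]" line from /var/log/secure to the KDC-side "preauth (encrypted_timestamp) verify failure" line from krb5kdc.log for the same user and second. The sample lines are constructed after the excerpts above, and attributing a KDC verify failure to the AS_REQ logged in the same second is an assumption of this script.

```python
import re
# Constructed sample lines modelled on the /var/log/secure and krb5kdc.log excerpts quoted above
SECURE = [
    "Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_sss(sshd:auth): system info: [Decrypt integrity check failed]",
    "Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_sss(sshd:auth): received for user testuser1: 7 (Authentication failure)",
    "Oct 23 14:02:11 rhel6-1 sshd[31900]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)",
]
KDC = [
    "Oct 23 13:56:40 rhel6-1.testrelm.com krb5kdc[30091](info): AS_REQ (4 etypes {18 17 16 23}) "
    "192.168.122.61: NEEDED_PREAUTH: testuser1 for krbtgt/TESTRELM.COM, Additional pre-authentication required",
    "Oct 23 13:56:40 rhel6-1.testrelm.com krb5kdc[30091](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed",
]
TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "  # syslog timestamp followed by the host name
PAM_RE = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:auth\): "
                    r"(?:system info: \[(?P<info>[^\]]+)\]|received for user (?P<user>\S+): (?P<code>\d+))")
KDC_RE = re.compile(TS + r"krb5kdc\[\d+\]\(info\): (?:AS_REQ .*?NEEDED_PREAUTH: (?P<princ>\S+) for"
                    r"|preauth \(\S+\) verify failure: (?P<err>.+))")

def pam_sss_failures(lines):
    """Group pam_sss lines by (timestamp, sshd pid); keep sessions that ended in PAM code 7."""
    sess = {}
    for line in lines:
        if (m := PAM_RE.match(line)) is None:
            continue
        s = sess.setdefault((m["ts"], m["pid"]), {})
        if m["info"]:
            s["info"] = m["info"]  # krb5 error text relayed by sssd's krb5_child
        else:
            s["user"], s["code"] = m["user"], int(m["code"])
    return {k: v for k, v in sess.items() if v.get("code") == 7}

def kdc_preauth_failures(lines):
    """Map (ts, principal) -> error, tying a verify failure to the NEEDED_PREAUTH principal of the same second (assumption)."""
    pending, failed = {}, {}
    for line in lines:
        if (m := KDC_RE.match(line)) is None:
            continue
        if m["princ"]:
            pending[m["ts"]] = m["princ"]
        elif m["ts"] in pending:
            failed[(m["ts"], pending[m["ts"]])] = m["err"].strip()
    return failed

def correlate(secure_lines, kdc_lines):
    """Users failing with 'Decrypt integrity check failed' on both the pam_sss and the KDC side in the same second."""
    kdc = kdc_preauth_failures(kdc_lines)
    return sorted({s["user"] for (ts, _), s in pam_sss_failures(secure_lines).items()
                   if s.get("info") == "Decrypt integrity check failed"
                   and kdc.get((ts, s["user"])) == "Decrypt integrity check failed"})
```

A hit confirms the KDC rejected the encrypted-timestamp preauth for that user, i.e. the key sssd presented did not match the KDC's; on this bug that was the stale cache entry, which the clean-cache retry above cleared.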