Bug 892197

Summary: Incorrect principal searched for in keytab
Product: Red Hat Enterprise Linux 6 Reporter: Jakub Hrozek <jhrozek>
Component: sssdAssignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: high    
Version: 6.4CC: dpal, grajaiya, jgalipea, okos, pbrezina, tlavigne
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.9.2-65.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 09:43:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 895654    

Description Jakub Hrozek 2013-01-05 20:13:14 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1740

SSSD attempts to use fqdn$@DOMAIN rather than shorthostname$@DOMAIN.  This means it fails to find a usable credential on a machine joined to Active Directory, and is looking for a principal that's very unlikely to exist.

Since 4ee7f390af4193656c1e6ba45c9c3c14dd64a8a9, searching for *$ has been removed, so the short form is never found.  As a result, AD configurations that worked prior to this update that don't explicitly set ldap_sasl_authid now fail to find a suitable credential.
Comment 2 Jakub Hrozek 2013-01-07 14:51:59 UTC 
To test, enroll a machine with AD.

Check the keytab with klist -k, usually the keytab will contain both host/hostname@REALM and SHORTNAME$@REALM. Without the patch, you'll have to specify ldap_sasl_authid manually, with the patch, the SSSD should select the correct principal on its own.
Comment 5 Kaushik Banerjee 2013-01-14 12:50:28 UTC 
Verified in version 1.9.2-68

Report from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: adprovider_009 bz892197 ad_domain is valid and principal should default to SHORTHOST$
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Sleeping for 5 seconds
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Trying to find principal DELL-T7400-01$@SSSDAD.COM'
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Principal matched to the sample (DELL-T7400-01$@SSSDAD.COM)'
:: [   PASS   ] :: Running 'getent passwd testuser01'
:: [   PASS   ] :: Authentication successful, as expected
:: [   PASS   ] :: Running 'auth_success testuser01 Secret123'
:: [   LOG    ] :: Duration: 18s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: adprovider_009 bz892197 ad_domain is valid and principal should default to SHORTHOST$
Comment 6 errata-xmlrpc 2013-02-21 09:43:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html