Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1051016 - FAST does not work in SSSD 1.11.2 in Fedora 20
Summary: FAST does not work in SSSD 1.11.2 in Fedora 20
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-01-09 14:50 UTC by Dmitri Pal
Modified: 2020-05-02 17:35 UTC (History)
6 users (show)

Fixed In Version: sssd-1.11.2-24.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 11:20:00 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3228 0 None None None 2020-05-02 17:35:04 UTC

Description Dmitri Pal 2014-01-09 14:50:01 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2186

I have configured FreeIPA with two-factor authentication and set up SSSD to try FAST. SSSD runs on IPA master itself:
{{{
krb5_use_fast = try
krb5_fast_principal = host/master.ipa.test
}}}

When trying to login through SSH to the master.ipa.test, I've entered OTP key and in SSSD logs I can see that SSSD krb5 child did negotiate FAST, obtained the ticket for the user and finally stored it in the keyring ccache. However, SSSD's domain child did receive a response back that it didn't understand, therefore, full logon failed.

Comment 1 Jakub Hrozek 2014-01-09 15:53:28 UTC
This bug is not intended to be tested, just sanity only.

Comment 3 Kaushik Banerjee 2014-01-22 17:38:40 UTC
Verified SanityOnly with version 1.11.2-29 as all the krb5_fast_principal tests pass with this build.

Output of beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_001 valid principal
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_success user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal host/ibm-hs23-01.rhts.eng.bos.redhat.com@EXAMPLE.COM in keytab' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Principal matched to the sample (host/ibm-hs23-01.rhts.eng.bos.redhat.com@EXAMPLE.COM)' 
krb5-fast-principal-001-valid-principal result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_002 invalid principal
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_failure user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal invalid@EXAMPLE.COM in keytab' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'No principal matching invalid@EXAMPLE.COM found in keytab' 
krb5-fast-principal-002-invalid-principal result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_003 principal@TEST.COM
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_failure user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal principal@TEST.COM in keytab' 
krb5-fast-principal-003-principal-TEST-COM result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_004 null principal
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_success user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal (null)@EXAMPLE.COM' 
krb5-fast-principal-004-null-principal result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_005 valid principal and krb5_validate=true
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_success user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal host/ibm-hs23-01.rhts.eng.bos.redhat.com@EXAMPLE.COM in keytab' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Principal matched to the sample (host/ibm-hs23-01.rhts.eng.bos.redhat.com@EXAMPLE.COM)' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'TGT verified using key for \[host/ibm-hs23-01.rhts.eng.bos.redhat.com@EXAMPLE.COM\]' 
krb5-fast-principal-005-valid-principal-and-krb5-validate-true result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_006 invalid principal and krb5_validate=true
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_failure user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal invalid@EXAMPLE.COM in keytab' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'No principal matching invalid@EXAMPLE.COM found in keytab' 
krb5-fast-principal-006-invalid-principal-and-krb5-validate-true result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_007 principal@TEST.COM and krb5_validate=true
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_failure user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal principal@TEST.COM in keytab' 
krb5-fast-principal-007-principal-TEST-COM-and-krb5-validate-true result: PASS

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb5_fast_principal_008 null principal and krb5_validate=true
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Redirecting to /bin/systemctl stop  sssd.service
Redirecting to /bin/systemctl start  sssd.service
:: [   PASS   ] :: Running 'strict eval 'auth_success user_fast Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal (null)@EXAMPLE.COM' 
:: [   PASS   ] :: File '/var/log/sssd/krb5_child.log' should contain 'TGT verified using key for \[host/ibm-hs23-01.rhts.eng.bos.redhat.com@EXAMPLE.COM\]'

Comment 4 Ludek Smid 2014-06-13 11:20:00 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.


Note You need to log in before you can comment on or make changes to this bug.