Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2186 I have configured FreeIPA with two-factor authentication and set up SSSD to try FAST. SSSD runs on IPA master itself: {{{ krb5_use_fast = try krb5_fast_principal = host/master.ipa.test }}} When trying to login through SSH to the master.ipa.test, I've entered OTP key and in SSSD logs I can see that SSSD krb5 child did negotiate FAST, obtained the ticket for the user and finally stored it in the keyring ccache. However, SSSD's domain child did receive a response back that it didn't understand, therefore, full logon failed.
This bug is not intended to be tested, just sanity only.
Verified SanityOnly with version 1.11.2-29 as all the krb5_fast_principal tests pass with this build. Output of beaker automation run: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: krb5_fast_principal_001 valid principal :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Redirecting to /bin/systemctl stop sssd.service Redirecting to /bin/systemctl start sssd.service :: [ PASS ] :: Running 'strict eval 'auth_success user_fast Secret123'' (Expected 0, got 0) :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal host/ibm-hs23-01.rhts.eng.bos.redhat.com@EXAMPLE.COM in keytab' :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'Principal matched to the sample (host/ibm-hs23-01.rhts.eng.bos.redhat.com@EXAMPLE.COM)' krb5-fast-principal-001-valid-principal result: PASS :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: krb5_fast_principal_002 invalid principal :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Redirecting to /bin/systemctl stop sssd.service Redirecting to /bin/systemctl start sssd.service :: [ PASS ] :: Running 'strict eval 'auth_failure user_fast Secret123'' (Expected 0, got 0) :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal invalid@EXAMPLE.COM in keytab' :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'No principal matching invalid@EXAMPLE.COM found in keytab' krb5-fast-principal-002-invalid-principal result: PASS :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: krb5_fast_principal_003 principal@TEST.COM :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Redirecting to /bin/systemctl stop sssd.service Redirecting to /bin/systemctl start sssd.service :: [ PASS ] :: Running 'strict eval 'auth_failure user_fast Secret123'' (Expected 0, got 0) :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal principal@TEST.COM in keytab' krb5-fast-principal-003-principal-TEST-COM result: PASS :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: krb5_fast_principal_004 null principal :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Redirecting to /bin/systemctl stop sssd.service Redirecting to /bin/systemctl start sssd.service :: [ PASS ] :: Running 'strict eval 'auth_success user_fast Secret123'' (Expected 0, got 0) :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal (null)@EXAMPLE.COM' krb5-fast-principal-004-null-principal result: PASS :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: krb5_fast_principal_005 valid principal and krb5_validate=true :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Redirecting to /bin/systemctl stop sssd.service Redirecting to /bin/systemctl start sssd.service :: [ PASS ] :: Running 'strict eval 'auth_success user_fast Secret123'' (Expected 0, got 0) :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal host/ibm-hs23-01.rhts.eng.bos.redhat.com@EXAMPLE.COM in keytab' :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'Principal matched to the sample (host/ibm-hs23-01.rhts.eng.bos.redhat.com@EXAMPLE.COM)' :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'TGT verified using key for \[host/ibm-hs23-01.rhts.eng.bos.redhat.com@EXAMPLE.COM\]' krb5-fast-principal-005-valid-principal-and-krb5-validate-true result: PASS :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: krb5_fast_principal_006 invalid principal and krb5_validate=true :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Redirecting to /bin/systemctl stop sssd.service Redirecting to /bin/systemctl start sssd.service :: [ PASS ] :: Running 'strict eval 'auth_failure user_fast Secret123'' (Expected 0, got 0) :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal invalid@EXAMPLE.COM in keytab' :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'No principal matching invalid@EXAMPLE.COM found in keytab' krb5-fast-principal-006-invalid-principal-and-krb5-validate-true result: PASS :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: krb5_fast_principal_007 principal@TEST.COM and krb5_validate=true :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Redirecting to /bin/systemctl stop sssd.service Redirecting to /bin/systemctl start sssd.service :: [ PASS ] :: Running 'strict eval 'auth_failure user_fast Secret123'' (Expected 0, got 0) :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal principal@TEST.COM in keytab' krb5-fast-principal-007-principal-TEST-COM-and-krb5-validate-true result: PASS :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: krb5_fast_principal_008 null principal and krb5_validate=true :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Redirecting to /bin/systemctl stop sssd.service Redirecting to /bin/systemctl start sssd.service :: [ PASS ] :: Running 'strict eval 'auth_success user_fast Secret123'' (Expected 0, got 0) :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'Trying to find principal (null)@EXAMPLE.COM' :: [ PASS ] :: File '/var/log/sssd/krb5_child.log' should contain 'TGT verified using key for \[host/ibm-hs23-01.rhts.eng.bos.redhat.com@EXAMPLE.COM\]'
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.