Bug 1097286 - Expanding home directory fails when the request comes from the PAC responder
Summary: Expanding home directory fails when the request comes from the PAC responder
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 1098608
Reported: 2014-05-13 13:36 UTC by Jakub Hrozek
Modified: 2020-05-02 17:42 UTC
CC: 13 users

Fixed In Version: sssd-1.11.2-68
Doc Type: Known Issue
Doc Text:
Cause: The code that handles saving a user when handling requests on the IPA server failed when the request was a SID-to-name mapping.
Consequence: As a result, users who were logging in from Windows clients using GSSAPI had their membership set incorrectly, as their groups could not be converted from SIDs.
Workaround: None
Result: N/A
Clone Of:
Environment:
Last Closed: 2015-03-05 10:27:57 UTC
Target Upstream Version:
Embargoed:
nsoman: needinfo+


Attachments


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3375 0 None None None 2020-05-02 17:42:22 UTC
Red Hat Product Errata RHBA-2015:0441 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2015-03-05 15:05:27 UTC

Description Jakub Hrozek 2014-05-13 13:36:36 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2333

When a request for a user is a lookup by SID, typically when it comes from the PAC responder, we don't handle the request well and error out. These would be the symptoms:
{{{
[apply_subdomain_homedir] (0x0040): Unsupported filter type: [4]
}}}
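
As an added illustration that is not SSSD's code and not part of this report, the C model below shows the shape of the failure: a home directory expansion routine that only knew how to find the cached user for lookups by name or numeric id, so a request keyed by SID (filter type 4, the PAC responder's case) was rejected with the "Unsupported filter type" message quoted above, and one way to close the gap, which is to resolve the SID to the cached user first so the same `/home/%d/%u` template applies to every lookup kind. The filter type value 4 matches the log line; the other enum values, the user table, the SIDs and the helper names `expand_homedir` and `homedir_matches` are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lookup filter types. The value 4 is the one the log line on the page
 * reports for a SID lookup; the other values are assumptions for this model. */
enum filter_type {
    FILTER_NAME  = 1,
    FILTER_IDNUM = 2,
    FILTER_ENUM  = 3,
    FILTER_SECID = 4,
};

/* A cached user as this model sees it. */
struct user_entry {
    const char *name;    /* short name as stored in the cache */
    unsigned int uid;
    const char *sid;     /* constructed sample SID */
    const char *domain;  /* subdomain name substituted for %d */
};

/* Constructed sample cache: the first uid and the domain follow comment 19,
 * the SIDs and the second user are made up. */
static const struct user_entry users[] = {
    { "administrator", 1148400500, "S-1-5-21-1000-2000-3000-500",  "adtest.qe" },
    { "jdoe",          1148401104, "S-1-5-21-1000-2000-3000-1104", "adtest.qe" },
};
#define NUSERS (sizeof(users) / sizeof(users[0]))

/* Find the cache entry a request refers to, or NULL. */
static const struct user_entry *lookup_user(enum filter_type ft, const char *key)
{
    size_t i;
    for (i = 0; i < NUSERS; i++) {
        switch (ft) {
        case FILTER_NAME:
            if (strcmp(users[i].name, key) == 0) return &users[i];
            break;
        case FILTER_IDNUM:
            if (users[i].uid == strtoul(key, NULL, 10)) return &users[i];
            break;
        case FILTER_SECID:
            if (strcmp(users[i].sid, key) == 0) return &users[i];
            break;
        default:
            break;
        }
    }
    return NULL;
}

/* Append src to out at *pos without overflowing; 0 on success, -1 if full. */
static int append(char *out, size_t outlen, size_t *pos, const char *src)
{
    size_t n = strlen(src);
    if (*pos + n >= outlen) return -1;
    memcpy(out + *pos, src, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* Expand a subdomain_homedir-style template (%u name, %d domain, %U uid)
 * for the user a request identifies. secid_supported == 0 models the
 * pre-fix code, which had no path for SID lookups. Returns 0 on success,
 * -1 on an unsupported filter type, unknown user or bad template; out is
 * left empty on failure. */
int expand_homedir(const char *tmpl, enum filter_type ft, const char *key,
                   int secid_supported, char *out, size_t outlen)
{
    const struct user_entry *u;
    size_t pos = 0;
    char uidbuf[16];
    const char *p;

    if (outlen == 0) return -1;
    out[0] = '\0';

    if (ft != FILTER_NAME && ft != FILTER_IDNUM &&
        !(ft == FILTER_SECID && secid_supported)) {
        fprintf(stderr, "[expand_homedir] Unsupported filter type: [%d]\n", (int)ft);
        return -1;
    }
    u = lookup_user(ft, key);
    if (u == NULL) return -1;

    for (p = tmpl; *p != '\0'; p++) {
        const char *piece;
        char one[2] = { *p, '\0' };
        if (*p == '%' && p[1] != '\0') {
            p++;
            switch (*p) {
            case 'u': piece = u->name; break;
            case 'd': piece = u->domain; break;
            case 'U': snprintf(uidbuf, sizeof uidbuf, "%u", u->uid); piece = uidbuf; break;
            case '%': piece = "%"; break;
            default:  out[0] = '\0'; return -1;   /* unknown expansion */
            }
        } else {
            piece = one;
        }
        if (append(out, outlen, &pos, piece) != 0) { out[0] = '\0'; return -1; }
    }
    return 0;
}

/* Convenience check: 1 if expansion succeeds and yields expected, else 0. */
int homedir_matches(enum filter_type ft, const char *key, int secid_supported,
                    const char *expected)
{
    char home[128];
    if (expand_homedir("/home/%d/%u", ft, key, secid_supported, home, sizeof home) != 0)
        return 0;
    return strcmp(home, expected) == 0;
}

int main(void)
{
    const char *sid = "S-1-5-21-1000-2000-3000-500";
    char home[128];

    /* Name lookup (the NSS path) works before and after the fix. */
    if (expand_homedir("/home/%d/%u", FILTER_NAME, "administrator", 0, home, sizeof home) == 0)
        printf("by name:           %s\n", home);
    /* SID lookup (the PAC responder path) fails before the fix ... */
    if (expand_homedir("/home/%d/%u", FILTER_SECID, sid, 0, home, sizeof home) != 0)
        printf("by SID, pre-fix:   error\n");
    /* ... and yields the same directory once SIDs are resolved first. */
    if (expand_homedir("/home/%d/%u", FILTER_SECID, sid, 1, home, sizeof home) == 0)
        printf("by SID, post-fix:  %s\n", home);
    return 0;
}
```

The point the model makes is that the template logic was never the problem; the request simply never reached it because the dispatcher did not accept the key type the PAC responder sends. A detection-side takeaway is that the log line names the numeric filter type, so an unexplained burst of "Unsupported filter type" messages on an IPA server that also serves GSSAPI logins from trusted AD users is worth correlating with failed home directory creation and wrong group membership for those users.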

Comment 1 Alexander Bokovoy 2014-05-13 13:39:53 UTC
Note that this is a severe bug for Windows Server 2012 interoperability. Without the fix in place, no single sign-on is possible with SSSD. This largely kills the benefit of Kerberos cross-forest trusts.

Comment 2 Jakub Hrozek 2014-05-13 13:43:52 UTC
(In reply to Alexander Bokovoy from comment #1)
> Note that this is a severe bug for Windows Server 2012 interoperability.
> Without the fix in place, no single sign-on is possible with SSSD. This
> largely kills the benefit of Kerberos cross-forest trusts.

Clarification -- the bug *only* hits the SSSD in server mode, not the clients. But I agree this is a bad one and would prevent the AD admins from logging in to the IDM servers.

Comment 3 Jakub Hrozek 2014-05-13 13:49:32 UTC
To reproduce, login with GSSAPI on the IPA client:

ssh -k -l Administrator `hostname`

Comment 4 Namita Soman 2014-05-13 13:49:32 UTC
Please add steps to reproduce/verify this issue

Comment 5 Namita Soman 2014-05-13 13:50:40 UTC
refreshed page and saw you already added steps - thanks :)

Comment 6 Jakub Hrozek 2014-05-13 13:50:55 UTC
(In reply to Jakub Hrozek from comment #3)
> To reproduce, login with GSSAPI on the IPA client:
> 
> ssh -k -l Administrator `hostname`

Err, I'm sorry, I meant to say login with GSSAPI on the IPA *SERVER*.

Comment 7 Namita Soman 2014-05-13 15:03:33 UTC
When would the response come from the PAC responder, versus not from the PAC responder?
 
Also please include info about pkg versions for server and client, and /etc/redhat-release to help reproduce.

Comment 8 Namita Soman 2014-05-13 15:09:40 UTC
Also, why is the user logging into the server? Isn't an AD user typically logging into the client?

Comment 9 Jakub Hrozek 2014-05-13 15:12:33 UTC
(In reply to Namita Soman from comment #7)
> When would the response come from the PAC responder, versus not from the PAC responder?
>  

When logging in with GSSAPI.

> Also please include info about pkg versions for server and client, and
> /etc/redhat-release to help reproduce.

RHEL7 latest as of today.

Comment 10 Jakub Hrozek 2014-05-13 15:13:01 UTC
(In reply to Namita Soman from comment #8)
> Also, why is the user logging into the server? Isn't an AD user typically
> logging into the client?

The AD admin might want to perform maintenance on the server.

Comment 13 Jakub Hrozek 2014-05-15 16:19:25 UTC
Proposing for RHEL7 0day

Comment 19 Steeve Goveas 2014-11-24 10:51:49 UTC
Verified in version

* Passwordless login on IPA Server

[root@gizmo ~]# rpm -q sssd
sssd-1.12.2-12.el7.x86_64

[root@gizmo ~]# grep ipa_server /etc/sssd/sssd.conf
ipa_server = _srv_, ibm-x3620m3-01.steeve2011.test

[root@gizmo ~]# kdestroy -A

[root@gizmo ~]# echo Secret123 | kinit Administrator
Password for Administrator: 

[root@gizmo ~]# ssh -K -l Administrator ibm-x3620m3-01.steeve2011.test
Creating home directory for Administrator.

-sh-4.2$ pwd
/home/adtest.qe/administrator

-sh-4.2$ id
uid=1148400500(administrator) gid=1148400500(administrator) groups=1148400500(administrator),1148400512(domain admins),1148400513(domain users),1148400518(schema admins),1148400519(enterprise admins),1148400520(group policy creator owners) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.2$ logout
Connection to ibm-x3620m3-01.steeve2011.test closed.

* Passwordless login on IPA client

[root@gizmo ~]# ssh -K -l Administrator `hostname`
Creating home directory for Administrator.

-sh-4.2$ hostname
gizmo.steeve2011.test

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1148400500:1148400500
Default principal: Administrator

Valid starting       Expires              Service principal
11/24/2014 02:18:03  11/24/2014 12:07:31  krbtgt/ADTEST.QE
	renew until 11/25/2014 02:07:30

Comment 21 errata-xmlrpc 2015-03-05 10:27:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html
