1184639 – authconfig puts bogus krb5_realm = # in /etc/sssd/sssd.conf

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1184639 - authconfig puts bogus krb5_realm = # in /etc/sssd/sssd.conf

Summary: authconfig puts bogus krb5_realm = # in /etc/sssd/sssd.conf

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	authconfig
Sub Component:
Version:	7.0
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Tomas Mraz
QA Contact:	Dalibor Pospíšil
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-01-21 21:33 UTC by Orion Poplawski
Modified:	2015-11-19 12:44 UTC (History)
CC List:	7 users (show)
Fixed In Version:	authconfig-6.2.8-10.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-11-19 12:44:03 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
authconfig --test output (1.88 KB, text/plain) 2015-01-28 20:24 UTC, Orion Poplawski	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:2403	0	normal	SHIPPED_LIVE	authconfig bug fix and enhancement update	2015-11-19 11:04:43 UTC

Description Orion Poplawski 2015-01-21 21:33:42 UTC

Description of problem:

Fresh ScientificLinux 7.0 install. Initial authconfig is:

authconfig --enablemd5 --enableshadow --disablefingerprint --enableldap --enableldapauth --ldapserver=server1,server2 --ldapbasedn=dc=domain,dc=com --enableldaptls --ldaploadcacert=http://url/ --disablefingerprint

with an extra:

/usr/sbin/authconfig --update --nostart --ldaploadcacert=http://url/

Results in /etc/sssd/sssd.conf:

[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = #

This krb5_realm = # then causes more problems later when configuring /etc/krb5.conf.

Version-Release number of selected component (if applicable):
authconfig-6.2.8-8.el7.x86_64

Additional info:
https://fedorahosted.org/freeipa/ticket/4859

Comment 2 Tomas Mraz 2015-01-22 10:07:21 UTC

Could you please attach the 'authconfig --test' output after the initial authconfig run and after the second run?

Comment 3 Orion Poplawski 2015-01-28 20:24:06 UTC

Created attachment 985334 [details]
authconfig --test output

authconfig --test output is identical before and after the authconfig --update run.  Looks like the realm is there from the start:

pam_krb5 is disabled
 krb5 realm = "#"

this was with 7.1 beta

Comment 4 Martin Kosek 2015-02-11 13:48:18 UTC

Tomas, I see you got this bug to assigned state. Do you know what is the root cause then? What is the impact for IPA/IdM in RHEL?

Comment 5 Tomas Mraz 2015-02-16 11:09:43 UTC

There is a bug in authconfig when parsing the realms from krb5.conf when there is no realm configured.

Not sure about the impact for IPA.

Comment 6 Ryan Sawhill 2015-03-25 15:48:21 UTC

I'd like to offer what I think is another manifestation of this:

Scenario: 

* You open authconfig-gtk to configure kerberos auth for the first time.
* You see the realm field prefilled with a hashmark (#)
* You assume that is supposed to stay, and you add your realm after it (e.g., "#EXAMPLE.COM")
* You apply changes and nothing works

In this scenario, sssd fails to start.

The problem is that using authconfig to put a hash at the beginning of your realm setting leads to this in krb5.conf:

    [libdefaults]
     default_realm = #EXAMPLE.COM
    [realms]
     #EXAMPLE.COM = {
      kdc = classroom.example.com
      admin_server = classroom.example.com
     }
    [domain_realm]
     #example.com = #EXAMPLE.COM
     .#example.com = #EXAMPLE.COM

From a little testing, it seems that that basically boils down to sssd seeing the following when it reads krb5.conf:

    [libdefaults]
     default_realm = 
    [realms]
      kdc = classroom.example.com
      admin_server = classroom.example.com
     }
    [domain_realm]
     .

So that's bad. Even worse is the fact that using authconfig to FIX this doesn't remove ANY of the bogus entries. For anyone having trouble following, here's what a run through on RHEL 7.0 looks like:

    [root@server0 ~]# yum install sssd krb5-workstation authconfig-gtk -y &>/dev/null
    [root@server0 ~]# rpm -q krb5-libs sssd authconfig
    krb5-libs-1.11.3-49.el7.x86_64
    sssd-1.11.2-65.el7.x86_64
    authconfig-6.2.8-8.el7.x86_64
    [root@server0 ~]# cp /etc/krb5.conf /etc/krb5.conf.orig
    [root@server0 ~]# systemctl status sssd
    sssd.service - System Security Services Daemon
       Loaded: loaded (/usr/lib/systemd/system/sssd.service; disabled)
       Active: inactive (dead)

    [root@server0 ~]# authconfig --enableldap --ldapserver=classroom.example.com --ldapbasedn=dc=example,dc=com --enableldaptls --ldaploadcacert=http://c/pub/example-ca.crt --enablekrb5 --krb5kdc=classroom.example.com --krb5adminserver=classroom.example.com --krb5realm='#EXAMPLE.COM' --update
    Job for sssd.service failed. See 'systemctl status sssd.service' and 'journalctl -xn' for details.
    [root@server0 ~]# diff /etc/krb5.conf.orig /etc/krb5.conf
    14a15
    >  default_realm = #EXAMPLE.COM
    20a22,26
    >  #EXAMPLE.COM = {
    >   kdc = classroom.example.com
    >   admin_server = classroom.example.com
    >  }
    > 
    23a30,31
    >  #example.com = #EXAMPLE.COM
    >  .#example.com = #EXAMPLE.COM
    [root@server0 ~]# cp /etc/krb5.conf /etc/krb5.conf.broken
    [root@server0 ~]# authconfig --enableldap --ldapserver=classroom.example.com --ldapbasedn=dc=example,dc=com --enableldaptls --ldaploadcacert=http://c/pub/example-ca.crt --enablekrb5 --krb5kdc=classroom.example.com --krb5adminserver=classroom.example.com --krb5realm='EXAMPLE.COM' --update
    Job for sssd.service failed. See 'systemctl status sssd.service' and 'journalctl -xn' for details.
    [root@server0 ~]# diff /etc/krb5.conf.broken /etc/krb5.conf15c15
    <  default_realm = #EXAMPLE.COM
    ---
    >  default_realm = EXAMPLE.COM
    26a27,31
    >  EXAMPLE.COM = {
    >   kdc = classroom.example.com
    >   admin_server = classroom.example.com
    >  }
    > 
    31a37,38
    >  example.com = EXAMPLE.COM
    >  .example.com = EXAMPLE.COM

In case it isn't obvious, that last authconfig command only added new valid entries; look closely at diff and you'll see the only thing it fixed was the old default_realm setting.

Also, to be clear, the only way to fix this is manually edit krb5.conf (or remove it and reinstall krb5-libs).

@Tomas and friends: let me know if you feel this warrants a separate bz.

Comment 7 Tomas Mraz 2015-03-25 17:31:15 UTC

I don't think it is really worth it to try to automatically undo the eventual damage that was done. I'd recommend creating a KB article to cover this.

Comment 8 Ryan Sawhill 2015-03-25 17:36:01 UTC

@Tomas: Ok. I hear you. I can't help but point out that earlier versions of RHEL (and Fedora 22 alpha) did not prefill the realm field with hash mark ... I guess that's the point I'm trying to make.

Comment 9 Tomas Mraz 2015-03-25 17:39:00 UTC

I think this is rather a coincidence due to change of the contents of the default krb5.conf in the krb5 package. The routine that reads the file was not changed. So the bug was there in the authconfig code for long time but it did not manifest itself before.

Comment 15 errata-xmlrpc 2015-11-19 12:44:03 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2403.html

Note You need to log in before you can comment on or make changes to this bug.