Bug 1288214 - Cannot authenticate AD trust users after disconnecting network
Status: CLOSED UPSTREAM
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Assigned To: SSSD Maintainers
QA Contact: Steeve Goveas
Reported: 2015-12-03 16:15 EST by Jakub Hrozek
Modified: 2016-07-20 16:21 EDT

Doc Type: Bug Fix
Last Closed: 2016-06-23 13:46:07 EDT
Description Jakub Hrozek 2015-12-03 16:15:20 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2866

We have an IPA/AD trust.  If I disconnect from the network and then try to login as an AD user it fails.  It appears that sssd is not properly going into offline mode.  No idea why it still shows the server name as resolving (probably cached), or why the connection timeout does not appear to trigger offline mode.

sssd-1.12.2-58.el7_1.18.x86_64

sssd_domain.log:
{{{
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [be_req_set_domain] (0x0400): Changing request domain from [nwra.com] to [ad.nwra.com]
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): domain: ad.nwra.com
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): user: user@ad.nwra.com
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): service: kdm
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): tty: :0
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): ruser:
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): rhost:
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): authtok type: 1
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): priv: 1
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): cli_pid: 11253
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): logon name: not set
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa.server.com: [X.X.X.X] TTL 86400
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][ad.nwra.com]
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][ad.nwra.com]
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [child_sig_handler] (0x0100): child [11465] finished successfully.
(Wed Nov 11 11:03:11 2015) [sssd[be[nwra.com]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [110]: Connection timed out
(Wed Nov 11 11:03:11 2015) [sssd[be[nwra.com]]] [ipa_get_ad_override_done] (0x0040): ipa_get_ad_override request failed.
(Wed Nov 11 11:03:11 2015) [sssd[be[nwra.com]]] [ipa_subdomain_account_got_override] (0x0040): IPA override lookup failed: 110
(Wed Nov 11 11:03:11 2015) [sssd[be[nwra.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,110,Account info lookup failed
}}}

pam messages:
{{{
Nov 11 10:54:10 pacas.cora.nwra.com kdm[11151]: :0[11151]: pam_unix(kdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=user
Nov 11 10:55:08 pacas.cora.nwra.com kdm[11151]: :0[11151]: pam_sss(kdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=user
Nov 11 10:55:08 pacas.cora.nwra.com kdm[11151]: :0[11151]: pam_sss(kdm:auth): received for user user: 4 (System error)
}}}

sssd.conf:
{{{
[domain/nwra.com]
# cache_credentials stores a hash of the password so authentication can
# succeed while the provider is offline; krb5_store_password_if_offline keeps
# the password in the kernel keyring so a TGT is obtained once the KDC is
# reachable again.
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = nwra.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
# SRV discovery first, explicit server as fallback.
ipa_server = _srv_, ipa.server.com
dns_discovery_domain = nwra.com
ipa_automount_location = boulder
override_shell = /bin/bash
debug_level = 6

[sssd]
services = nss, sudo, pam, ssh, autofs
config_file_version = 2
domains = nwra.com
#full_name_format = %1$s
# Trusted AD users log in as user@ad.nwra.com (see the sssd_domain.log above).
default_domain_suffix = ad.nwra.com
debug_level = 6
}}}

{{{
# grep hosts /etc/nsswitch.conf
hosts:      files dns mdns4_minimal myhostname
}}}
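The log above shows the pattern the reporter describes: the back end answers the PAM_AUTHENTICATE request with status 4 (PAM_SYSTEM_ERR, the "System error" pam_sss reports), two seconds later the LDAP search fails with errno 110 (ETIMEDOUT), and nothing in between marks the provider offline. The script below is an added example, not part of the bug report or of SSSD, that parses back-end log lines in the format shown above and flags that combination. The sample log is a constructed subset of the attached log plus a constructed "recovered" variant; the "Going offline!" marker it looks for is assumed to be what SSSD's be_mark_offline() writes at high debug levels (it does not appear in the attached log, which is the point of the bug).

```python
"""Flag sssd back-end logs where an auth request returned PAM_SYSTEM_ERR,
the provider hit a connection timeout, and no offline transition was logged.

Added example for illustration; not code from the bug report or from SSSD.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line layout taken from the sssd_domain.log excerpt in the report:
# (timestamp) [sssd[be[domain]]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# be_pam_handler_callback logs "(dp_error, pam_status, error_message)".
RESULT_RE = re.compile(r"Backend returned: \((?P<dp>\d+), (?P<pam>\d+), ")
USER_RE = re.compile(r"^user: (?P<user>\S+)$")

PAM_SYSTEM_ERR = 4          # Linux-PAM: what pam_sss reported as "4 (System error)"
ETIMEDOUT = 110             # errno behind "Connection timed out"
OFFLINE_MARKER = "Going offline"   # assumed be_mark_offline() message


@dataclass
class LogEntry:
    ts: str
    domain: str
    func: str
    level: int
    msg: str


@dataclass
class Finding:
    user: Optional[str]
    pam_status: Optional[int]
    timed_out: bool
    went_offline: bool


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for one back-end log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return LogEntry(m["ts"], m["domain"], m["func"], int(m["level"], 16), m["msg"])


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def analyse(entries: List[LogEntry]) -> Finding:
    """Collect the user, the last PAM status, and whether a timeout and an
    offline transition were logged."""
    user = None
    pam_status = None
    timed_out = False
    went_offline = False
    for e in entries:
        um = USER_RE.match(e.msg)
        if um:
            user = um["user"]
        rm = RESULT_RE.search(e.msg)
        if rm:
            pam_status = int(rm["pam"])
        if f"[{ETIMEDOUT}]" in e.msg or "Connection timed out" in e.msg:
            timed_out = True
        if OFFLINE_MARKER in e.msg:
            went_offline = True
    return Finding(user, pam_status, timed_out, went_offline)


def is_stuck_online(f: Finding) -> bool:
    """True when auth failed with a system error after a timeout that never
    took the provider offline, i.e. the behaviour described in this bug."""
    return f.pam_status == PAM_SYSTEM_ERR and f.timed_out and not f.went_offline


# Constructed sample: a subset of the lines attached to the report.
SAMPLE_LOG = """\
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): user: user@ad.nwra.com
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [be_resolve_server_process] (0x0200): Found address for server ipa.server.com: [X.X.X.X] TTL 86400
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Wed Nov 11 11:03:11 2015) [sssd[be[nwra.com]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [110]: Connection timed out
(Wed Nov 11 11:03:11 2015) [sssd[be[nwra.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,110,Account info lookup failed
"""

# Constructed sample of the expected behaviour: timeout, offline marker
# (assumed message), then a successful cached authentication.
RECOVERED_LOG = """\
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Wed Nov 11 11:03:09 2015) [sssd[be[nwra.com]]] [pam_print_data] (0x0100): user: user@ad.nwra.com
(Wed Nov 11 11:03:11 2015) [sssd[be[nwra.com]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [110]: Connection timed out
(Wed Nov 11 11:03:11 2015) [sssd[be[nwra.com]]] [be_mark_offline] (0x2000): Going offline!
(Wed Nov 11 11:03:11 2015) [sssd[be[nwra.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
"""

if __name__ == "__main__":
    for name, text in (("reported", SAMPLE_LOG), ("recovered", RECOVERED_LOG)):
        f = analyse(parse_log(text))
        print(f"{name}: {f} stuck_online={is_stuck_online(f)}")
```

Run it against a real sssd_domain.log (debug_level 6 or higher) after pulling the network cable; the reported case prints stuck_online=True, the recovered case False.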
Comment 1 Jakub Hrozek 2015-12-07 10:12:30 EST
Fixed upstream in 9f69dff2af5ee0e922ca75efa9749913fd2d944f 

Also related was: 54189e0a2f24a2951d95a2ec5da3125a52e2f5ed
Comment 2 Mike McCune 2016-03-28 19:37:25 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 4 RHEL Product and Program Management 2016-06-23 11:56:12 EDT
Quality Engineering Management has reviewed and declined this request.
You may appeal this decision by reopening this request.
Comment 5 Lukas Slebodnik 2016-06-23 13:18:46 EDT
I do not think this bug should be closed as won't fix. Patch is available in upstream
Comment 7 Orion Poplawski 2016-07-20 16:21:42 EDT
Looks good to me with 1.14.0.  Thanks.