Bug 1370622 - Cannot authenticate with sssd-1.14 if there is no pre-auth
Summary: Cannot authenticate with sssd-1.14 if there is no pre-auth
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 23
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
Assignee: Robbie Harwood
QA Contact: Fedora Extras Quality Assurance
URL: http://krbdev.mit.edu/rt/Ticket/Displ...
Whiteboard:
Depends On: 1363690
Blocks: 1362179
 
Reported: 2016-08-26 19:51 UTC by Lukas Slebodnik
Modified: 2016-09-03 17:37 UTC (History)

Fixed In Version: krb5-1.14.3-8.fc24 krb5-1.14.3-8.fc23 krb5-1.14.3-8.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1363690
Environment:
Last Closed: 2016-09-01 03:19:31 UTC
Type: Bug



Description Lukas Slebodnik 2016-08-26 19:51:56 UTC
Description of problem:
Systems configured with ldap/krb5 identity/auth via authconfig can not ssh.

Version-Release number of selected component (if applicable):
sssd-1.14.1-1.fc23
krb5-libs-1.14.1-7.fc23

How reproducible:
always

Steps to Reproduce:
1. Set up ldap and krb5 servers and create some users there
2. Create sssd.conf and run authconfig
3. Although the user identity can be retrieved by the getent passwd command, ssh login does not work

--- Additional comment from Lukas Slebodnik on 2016-08-03 09:27:37 EDT ---

(Wed Aug  3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Wed Aug  3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Wed Aug  3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for sssdtester@AUTHCONFIG.COM].
(Wed Aug  3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password]
(Wed Aug  3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [map_krb5_error] (0x0020): 1365: [-1765328254][Cannot read password]
(Wed Aug  3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [k5c_send_data] (0x0200): Received error code 1432158218
(Wed Aug  3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Wed Aug  3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Aug  3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [main] (0x0400): krb5_child completed successfully

--- Additional comment from Jakub Hrozek on 2016-08-03 10:35:40 EDT ---

Judging by the error messages, I wonder if this is a Kerberos bug someone reported to us on the sssd-users list earlier.

You can see the whole thread here:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/D3C2DDA7EDIEPZLSWXE53TFY4GGAICRN/

But Sumit's response summed up what can be done to mitigate the issue:
~~~~~~~~~~~~~~~
Thanks, I was able to reproduce the issue. After discussing it with a co-worker I opened http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454 because we think it is originally an issue in the responder interface of MIT Kerberos. I would like to hear back from MIT before trying to fix the SSSD side.

I'm pretty sure that authentication would work again if you enable pre-authentication for the user principals on the KDC

# kadmin.local
kadmin.local: modprinc +requires_preauth dave(a)LA-LA.LAN

Is there a reason why pre-authentication is disabled? If not it is very, very, very recommended to enable it (not only to make SSSD work), see e.g. http://superuser.com/questions/200010/how-does-kerberos-preauthentication... for some explanations.

bye,
Sumit
~~~~~~~~~~~~~~~

Can you try if enabling preauthentication helps you as well?

--- Additional comment from Jakub Hrozek on 2016-08-03 10:36:17 EDT ---

btw the upstream bug report was http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454

--- Additional comment from Patrik Kis on 2016-08-03 10:56:37 EDT ---

I can confirm that preauth added for the test principal fixed the issue.
Thank you for the investigation.
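
A log check for the failure signature quoted in this report (the SSSD prompter refuses a password prompt, then `get_and_save_tgt` fails with "Cannot read password"), added here as an example and not code from SSSD or krb5. The function name and the sample lines are constructed for illustration; each hit names a principal worth checking for `requires_preauth` on the KDC.

```python
import re

# Constructed sample, modelled on the krb5_child debug lines quoted in this report.
SAMPLE_LOG = """\
(Wed Aug  3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Wed Aug  3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for sssdtester@AUTHCONFIG.COM].
(Wed Aug  3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password]
(Wed Aug  3 09:25:02 2016) [[sssd[krb5_child[20061]]]] [main] (0x0400): krb5_child completed successfully
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PROMPT_RE = re.compile(r"Prompt \[\d+\]\[Password for (?P<princ>[^\]]+)\]")
CANT_READ_PW = "[-1765328254]"  # error code exactly as logged in this report


def find_prompter_failures(log_text):
    """Return one finding per krb5_child PID that shows the full signature."""
    state = {}     # pid -> evidence collected so far for that child process
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a krb5_child debug line
        pid, func, msg = m["pid"], m["func"], m["msg"]
        ev = state.setdefault(pid, {"refused": False, "principal": None, "ts": m["ts"]})
        if func == "sss_krb5_prompter":
            if "Cannot handle password prompts" in msg:
                ev["refused"] = True
            p = PROMPT_RE.search(msg)
            if p:
                ev["principal"] = p["princ"]
        elif func == "get_and_save_tgt" and CANT_READ_PW in msg and ev["refused"]:
            # Both halves seen for the same PID: report it once and reset.
            findings.append({"pid": int(pid), "time": ev["ts"], "principal": ev["principal"]})
            del state[pid]
    return findings


if __name__ == "__main__":
    for f in find_prompter_failures(SAMPLE_LOG):
        print(f"{f['time']} pid={f['pid']} principal={f['principal']}: check requires_preauth")
```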

--- Additional comment from Robbie Harwood on 2016-08-10 18:51:22 EDT ---
I believe this is the upstream pull request for this bug (can you please confirm that?):
https://github.com/krb5/krb5/pull/504/commits

It looks rather complicated, but if you think it's not risky and the chance to introduce new regression is not too high, I think we should add it.

--- Additional comment from Robbie Harwood on 2016-08-11 12:53:06 EDT ---

(In reply to Patrik Kis from comment #25)
> (In reply to Robbie Harwood from comment #23)
> I believe this is the upstream pull request for this bug (can you please
> confirm that?):
> https://github.com/krb5/krb5/pull/504/commits
> 
> It looks rather complicated, but if you think it's not risky and the chance
> to introduce new regression is not too high, I think we should add it.

That is the correct PR.  However, we would only pull in one of the commits - that is the first one: https://github.com/krb5/krb5/pull/504/commits/c45c43a82491f5c4487087cb424381e884559433

Comment 1 Fedora Update System 2016-08-29 19:37:10 UTC
krb5-1.14.3-8.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-1d28afd486

Comment 2 Fedora Update System 2016-08-29 19:38:04 UTC
krb5-1.14.3-8.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-4a36663643

Comment 3 Fedora Update System 2016-08-29 19:38:40 UTC
krb5-1.14.3-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-087e6ea4ce

Comment 4 Fedora Update System 2016-08-31 03:52:33 UTC
krb5-1.14.3-8.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1d28afd486

Comment 5 Fedora Update System 2016-08-31 12:57:31 UTC
krb5-1.14.3-8.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-4a36663643

Comment 6 Fedora Update System 2016-08-31 12:57:46 UTC
krb5-1.14.3-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-087e6ea4ce

Comment 7 Fedora Update System 2016-09-01 03:19:23 UTC
krb5-1.14.3-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-09-01 18:49:58 UTC
krb5-1.14.3-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2016-09-03 17:37:21 UTC
krb5-1.14.3-8.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

