Description of problem:
Systems configured with ldap/krb5 identity/auth via authconfig cannot ssh.

Version-Release number of selected component (if applicable):
sssd-1.14.1-1.fc23
krb5-libs-1.14.1-7.fc23

How reproducible:
always

Steps to Reproduce:
1. Setup ldap and krb5 servers and create some users there
2. Create sssd.conf and run authconfig
3. Although the user identity can be retrieved by getent passwd command, ssh login does not work

--- Additional comment from Lukas Slebodnik on 2016-08-03 09:27:37 EDT ---

(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for sssdtester].
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328254][Cannot read password]
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [map_krb5_error] (0x0020): 1365: [-1765328254][Cannot read password]
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [k5c_send_data] (0x0200): Received error code 1432158218
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [pack_response_packet] (0x2000): response packet size: [4]
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Aug 3 09:24:16 2016) [[sssd[krb5_child[20057]]]] [main] (0x0400): krb5_child completed successfully

--- Additional comment from Jakub Hrozek on 2016-08-03 10:35:40 EDT ---

Judging by the error messages, I wonder if this is a Kerberos bug someone reported to us on the sssd-users list earlier.
You can see the whole thread here:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/D3C2DDA7EDIEPZLSWXE53TFY4GGAICRN/

But Sumit's response summed up what can be done to mitigate the issue:
~~~~~~~~~~~~~~~
Thanks I was able to reproduce the issue. After discussing it with a co-worker I opened http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454 because we think it is originally an issue in the responder interface of MIT Kerberos. I would like to hear back from MIT before trying to fix the SSSD side.

I'm pretty sure that authentication would work again if you enable pre-authentication for the user principals on the KDC

# kadmin.local
kadmin.local: modprinc +requires_preauth dave(a)LA-LA.LAN

Is there a reason why pre-authentication is disabled? If not it is very, very, very recommended to enable it (not only to make SSSD work), see e.g. http://superuser.com/questions/200010/how-does-kerberos-preauthentication... for some explanations.

bye,
Sumit
~~~~~~~~~~~~~~~

Can you try if enabling preauthentication helps you as well?

--- Additional comment from Jakub Hrozek on 2016-08-03 10:36:17 EDT ---

btw the upstream bug report was http://krbdev.mit.edu/rt/Ticket/Display.html?id=8454

--- Additional comment from Patrik Kis on 2016-08-03 10:56:37 EDT ---

I can confirm that preauth added for the test principal fixed the issue. Thank you for the investigation.

--- Additional comment from Robbie Harwood on 2016-08-10 18:51:22 EDT ---

I believe this is the upstream pull request for this bug (can you please confirm that?):
https://github.com/krb5/krb5/pull/504/commits

It looks rather complicated, but if you think it's not risky and the chance to introduce new regression is not too high, I think we should add it.
--- Additional comment from Robbie Harwood on 2016-08-11 12:53:06 EDT ---

(In reply to Patrik Kis from comment #25)
> (In reply to Robbie Harwood from comment #23)
> I believe this is the upstream pull request for this bug (can you please
> confirm that?):
> https://github.com/krb5/krb5/pull/504/commits
>
> It looks rather complicated, but if you think it's not risky and the chance
> to introduce new regression is not too high, I think we should add it.

That is the correct PR. However, we would only pull in one of the commits - that is the first one:
https://github.com/krb5/krb5/pull/504/commits/c45c43a82491f5c4487087cb424381e884559433
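
The workaround confirmed earlier in this report was setting +requires_preauth on the affected principal. As an added example (not from the bug report, and not krb5 or SSSD code), the shell function below lists principals whose kadmin getprinc output lacks the REQUIRES_PRE_AUTH attribute. The EXAMPLE.TEST principals and the trimmed getprinc output are constructed sample data.

```shell
#!/bin/sh
# Added example: report principals that do not require pre-authentication.
# Input (stdin): concatenated output of `kadmin.local -q "getprinc NAME"`,
# one run per principal. Lines other than "Principal:" and "Attributes:"
# (including kadmin's "Authenticating as ..." banner) are ignored.
principals_without_preauth() {
    awk '
        /^Principal: / {
            # A new record starts: flush the previous principal if it
            # never showed REQUIRES_PRE_AUTH in its Attributes line.
            if (name != "" && !preauth) print name
            name = $2
            preauth = 0
        }
        /^Attributes:/ {
            if ($0 ~ /REQUIRES_PRE_AUTH/) preauth = 1
        }
        END {
            if (name != "" && !preauth) print name
        }
    '
}

# Constructed sample: three principals, trimmed to the relevant fields.
sample_getprinc_output() {
    cat <<'EOF'
Principal: sssdtester@EXAMPLE.TEST
Expiration date: [never]
Attributes:
Policy: [none]
Principal: alice@EXAMPLE.TEST
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: svc-backup@EXAMPLE.TEST
Expiration date: [never]
Attributes: DISALLOW_FORWARDABLE
Policy: [none]
EOF
}

# Stand-alone run over the constructed sample.
sample_getprinc_output | principals_without_preauth
```

Each principal it prints is a candidate for the modprinc +requires_preauth change quoted from Sumit's reply.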
krb5-1.14.3-8.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-1d28afd486
krb5-1.14.3-8.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-4a36663643
krb5-1.14.3-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-087e6ea4ce
krb5-1.14.3-8.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1d28afd486
krb5-1.14.3-8.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-4a36663643
krb5-1.14.3-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-087e6ea4ce
krb5-1.14.3-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.14.3-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.14.3-8.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.