Bug 1372753 - Access denied for user when access_provider = krb5 is set in sssd.conf
Summary: Access denied for user when access_provider = krb5 is set in sssd.conf
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Steeve Goveas
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-09-02 14:47 UTC by Amith
Modified: 2020-05-02 18:28 UTC (History)

Fixed In Version: sssd-1.14.0-38.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 07:21:10 UTC
Target Upstream Version:


Attachments
SSSD Log file (280.73 KB, text/plain)
2016-09-02 14:47 UTC, Amith
Log details from /var/log/secure (2.90 KB, text/plain)
2016-09-02 14:49 UTC, Amith


Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 4205 None closed Access denied for user when access_provider = krb5 is set in sssd.conf 2020-06-26 19:26:01 UTC
Red Hat Product Errata RHEA-2016:2476 normal SHIPPED_LIVE sssd bug fix and enhancement update 2016-11-03 14:08:11 UTC

Description Amith 2016-09-02 14:47:24 UTC
Created attachment 1197226
SSSD Log file

Description of problem:
This issue was observed during the automated regression rounds on an LDAP + KRB server setup. When access_provider = krb5 is set in sssd.conf, authentication fails for krb users with the following error in /var/log/secure:

pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=testuser3
pam_sss(sshd:account): Access denied for user testuser3: 6 (Permission denied)
sshd[30217]: Failed password for testuser3 from ::1 port 43342 ssh2
fatal: Access denied for user testuser3 by PAM account configuration [preauth]

However, user authentication works only when the user is added to the .k5login file within the user's home directory, which means we have to first create the .k5login file and add the user.


Version-Release number of selected component (if applicable):
sssd-1.14.0-30.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup a 389DS LDAP server and KRB server.

2. Add a testuser to LDAP server and add the same user to KRB server. See cmd below:
 # kadmin.local -q "addprinc -pw Secret123 testuser"

3. Setup a RHEL-7.3 SSSD client system with the following configuration:

SSSD.CONF File
--------------------------------------
[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam
domains = LDAP-KRB5

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP-KRB5]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://<LDAP_SERVER>
ldap_search_base = dc=example,dc=com
auth_provider = krb5
access_provider = krb5
krb5_server = <KRB_SERVER>
krb5_realm = EXAMPLE.COM

4. Execute user auth. (auth fails)

# ssh -l testuser localhost
testuser@localhost's password: 
Connection closed by ::1

5. Create the user's home directory and then create .k5login file within it.

6. Add the user name to it: testuser@EXAMPLE.COM

7. Execute user auth (auth succeeds) and monitor the log files

Actual results:
User authentication fails and works only when the .k5login file is created with the username in it. Log files are also attached for review.

Expected results:
User authentication should work without creating .k5login file and when access_provider = krb5 is set. This used to work in older RHEL versions.

Additional info:

Comment 1 Amith 2016-09-02 14:49:04 UTC
Created attachment 1197230
Log details from /var/log/secure

Comment 3 Lukas Slebodnik 2016-09-02 20:56:09 UTC
Authentication passed but access was denied in account phase.

Sep  2 19:11:55 vm-idm-012 sshd[24320]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=testuser3
Sep  2 19:11:55 vm-idm-012 sshd[24320]: pam_sss(sshd:account): Access denied for user testuser3: 6 (Permission denied)

Please provide sssd log file from domain section with high debug_level.

Comment 7 Lukas Slebodnik 2016-09-05 10:04:38 UTC
krb5_child log for "account" pam phase:

[[sssd[krb5_child[23070]]]] [main] (0x0400): krb5_child started.
[[sssd[krb5_child[23070]]]] [unpack_buffer] (0x1000): total buffer size: [76]
[[sssd[krb5_child[23070]]]] [unpack_buffer] (0x0100): cmd [243] uid [2004] gid [2004] validate [false] enterprise principal [false] offline [false] UPN [testuser4@EXAMPLE.COM]
[[sssd[krb5_child[23070]]]] [unpack_buffer] (0x0100): user: [testuser4@ldap-krb5]
[[sssd[krb5_child[23070]]]] [check_use_fast] (0x0100): Not using FAST. 
[[sssd[krb5_child[23070]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
[[sssd[krb5_child[23070]]]] [become_user] (0x0200): Trying to become user [2004][2004].
[[sssd[krb5_child[23070]]]] [main] (0x2000): Running as [2004][2004].
[[sssd[krb5_child[23070]]]] [become_user] (0x0200): Trying to become user [2004][2004].
[[sssd[krb5_child[23070]]]] [become_user] (0x0200): Already user [2004].
[[sssd[krb5_child[23070]]]] [k5c_setup] (0x2000): Running as [2004][2004].
[[sssd[krb5_child[23070]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
[[sssd[krb5_child[23070]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
[[sssd[krb5_child[23070]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [false]
[[sssd[krb5_child[23070]]]] [main] (0x0400): Will perform account management
[[sssd[krb5_child[23070]]]] [kuserok_child] (0x1000): Verifying if principal can log in as user
[[sssd[krb5_child[23070]]]] [kuserok_child] (0x1000): Access was denied
[[sssd[krb5_child[23070]]]] [k5c_send_data] (0x0200): Received error code 1432158224
[[sssd[krb5_child[23070]]]] [pack_response_packet] (0x2000): response packet size: [4]
[[sssd[krb5_child[23070]]]] [k5c_send_data] (0x4000): Response sent.
[[sssd[krb5_child[23070]]]] [main] (0x0400): krb5_child completed successfully

Comment 8 Lukas Slebodnik 2016-09-05 10:06:35 UTC
(In reply to Lukas Slebodnik from comment #7)
> krb5_child log for "account" pam phase:
> 
> [[sssd[krb5_child[23070]]]] [main] (0x0400): krb5_child started.
> [[sssd[krb5_child[23070]]]] [unpack_buffer] (0x1000): total buffer size: [76]
> [[sssd[krb5_child[23070]]]] [unpack_buffer] (0x0100): cmd [243] uid [2004]
> gid [2004] validate [false] enterprise principal [false] offline [false] UPN
> [testuser4@EXAMPLE.COM]
> [[sssd[krb5_child[23070]]]] [unpack_buffer] (0x0100): user:
> [testuser4@ldap-krb5]
   ^^^^^^^^^^^^^^^^^^^
It looks like an issue caused by the sysdb refactoring (fully qualified names).
I'll leave the fix to others. I'm busy with other tasks.

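The log in comment 7 shows why the account phase fails: krb5_child hands the Kerberos kuserok check the fully qualified SSSD name (testuser4@ldap-krb5) as the local user, while the authenticated principal is testuser4@EXAMPLE.COM. Without a .k5login file, kuserok falls back to mapping the principal to a local name and comparing it with the login name, and "testuser4" never equals "testuser4@ldap-krb5". The following is an added example, not code from SSSD or MIT krb5: a simplified Python emulation of the krb5_kuserok decision that reproduces the failing case, the .k5login workaround from the report, and the "empty .k5login" case from the verification run. It assumes a default realm of EXAMPLE.COM and takes the .k5login contents as a constructed string instead of reading the user's home directory; it does not model krb5.conf options such as k5login_directory or k5login_authoritative, nor other localauth plugins.

```python
# Simplified emulation of the krb5_kuserok() access decision (added example,
# not SSSD or MIT krb5 code). Assumption: default realm is EXAMPLE.COM.
DEFAULT_REALM = "EXAMPLE.COM"


def parse_principal(principal, default_realm=DEFAULT_REALM):
    """Split 'name@REALM' into (name, realm); a realm-less string gets the default realm."""
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
        return name, realm
    return principal, default_realm


def aname_to_localname(principal, default_realm=DEFAULT_REALM):
    """Simplified krb5_aname_to_localname(): a single-component principal in the
    default realm maps to its first component; anything else has no local name."""
    name, realm = parse_principal(principal, default_realm)
    if realm != default_realm or "/" in name:
        return None
    return name


def kuserok(principal, local_user, k5login=None, default_realm=DEFAULT_REALM):
    """Return True if `principal` may log in as `local_user`.

    principal  : the authenticated Kerberos principal, e.g. testuser4@EXAMPLE.COM
    local_user : the account name handed to the check (what krb5_child calls "user")
    k5login    : contents of ~local_user/.k5login as a string, or None if the
                 file does not exist
    """
    if k5login is not None:
        # .k5login exists: every non-empty line is one allowed principal and
        # nothing else is accepted, so an empty file denies everyone.
        allowed = [line.strip() for line in k5login.splitlines() if line.strip()]
        wanted = parse_principal(principal, default_realm)
        return any(parse_principal(entry, default_realm) == wanted for entry in allowed)
    # No .k5login: the principal must map to exactly the requested local name.
    return aname_to_localname(principal, default_realm) == local_user


if __name__ == "__main__":
    cases = [
        # correct call: short local name, no .k5login -> allowed
        ("testuser4@EXAMPLE.COM", "testuser4", None),
        # the bug in comment 7: fully qualified SSSD name passed as local user -> denied
        ("testuser4@EXAMPLE.COM", "testuser4@ldap-krb5", None),
        # the reporter's workaround: explicit .k5login entry -> allowed again
        ("testuser4@EXAMPLE.COM", "testuser4@ldap-krb5", "testuser4@EXAMPLE.COM\n"),
        # accessProvider_krb5_001: empty .k5login -> denied
        ("testuser3@EXAMPLE.COM", "testuser3", ""),
    ]
    for principal, user, k5 in cases:
        print(principal, "as", repr(user), "k5login=%r" % k5, "->", kuserok(principal, user, k5))
```

The second case is the regression: the fix in master restores passing the short local name to the check, so the default mapping rule matches again and no .k5login file is needed. Note that an existing but empty .k5login denies every principal, which is why the verification test expects auth_failure for testuser3 in that scenario.
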
Comment 9 Lukas Slebodnik 2016-09-05 10:08:52 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3172

Comment 10 Jakub Hrozek 2016-09-05 10:20:33 UTC
(In reply to Lukas Slebodnik from comment #8)
> It looks like an issue caused by sysdb refactoring (fully qualified names).
> I let fixing for others. I'm busy with other tasks.

I broke it, I'll fix the issue.

Comment 12 Lukas Slebodnik 2016-09-08 21:09:48 UTC
master:
* fedfb7c62b4efa89d18d0d3a7895a2a34ec4ce42

Comment 14 Amith 2016-09-21 15:18:10 UTC
Verified the bug on SSSD Version: sssd-1.14.0-42.el7.x86_64

This bug was logged due to failures in the "Krb Access provider" test suite during the regression rounds. Successfully verified the bug with the latest SSSD build. See the beaker job log details:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: krb access provider setup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Sleeping for 5 seconds
:: [   PASS   ] :: Command 'strict eval 'getent -s sss passwd testuser3'' (Expected 0, got 0)
:: [   PASS   ] :: Command 'strict eval 'getent -s sss passwd testuser4'' (Expected 0, got 0)
:: [   PASS   ] :: Command 'strict eval 'auth_success testuser3 Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: Command 'strict eval 'auth_success testuser4 Secret123'' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 21s
:: [   LOG    ] :: Assertions: 4 good, 0 bad
:: [   PASS   ] :: RESULT: krb access provider setup

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: accessProvider_krb5_001 .k5login is an empty file.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'strict eval 'auth_failure testuser3 Secret123'' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/secure' should contain 'pam_sss(sshd:auth): authentication success' 
:: [   PASS   ] :: File '/var/log/secure' should contain 'pam_sss(sshd:account): Access denied for user testuser3' 
:: [   PASS   ] :: File '/var/log/sssd/sssd_LDAP-KRB5.log' should contain 'Access denied for user \[testuser3' 
:: [   PASS   ] :: Command 'strict eval 'auth_success testuser4 Secret123'' (Expected 0, got 0)
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: accessProvider_krb5_001 .k5login is an empty file.

Comment 16 errata-xmlrpc 2016-11-04 07:21:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html

Comment 17 Ranjandas 2017-02-06 06:55:59 UTC
I am finding the same issue in sssd-1.14.0-43.el7_3.11.x86_64.

# SSSD Configuration

[sssd]
services = nss, pam
domains = example.com
config_file_version =2

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/EXAMPLE.COM]
debug_level = 6

fallback_homedir = /home/%u
default_shell = /bin/bash

id_provider = ldap
ldap_uri = ldap://<ldap server>:389,ldap://<ldap server>:389
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = <Bind DN Account>


ldap_default_authtok_type = password
ldap_default_authtok = <password>

ldap_id_mapping= True
ldap_schema = ad
ldap_force_upper_case_realm = True

auth_provider = krb5
krb5_server = <kdc server>
krb5_realm = EXAMPLE.COM

case_sensitive = False
cache_credentials = True
ldap_referrals = false

Output of /var/log/secure
=========================

Feb  6 17:43:58 ip-10-0-13-92 sshd[19464]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.242.72.200 user=testuser1
Feb  6 17:43:58 ip-10-0-13-92 sshd[19464]: pam_krb5[19464]: account checks fail for 'testuser1@EXAMPLE.COM': user disallowed by .k5login file for 'testuser1'
Feb  6 17:44:44 ip-10-0-13-92 sshd[19506]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.242.72.200 user=testuser2
Feb  6 17:44:44 ip-10-0-13-92 sshd[19506]: pam_krb5[19506]: account checks fail for 'testuser2@EXAMPLE.COM': user disallowed by .k5login file for 'testuser2'

Comment 18 Jakub Hrozek 2017-02-06 07:03:12 UTC
Hi,

I'm afraid a comment to an old bugzilla would be just lost. Can you open a new bugzilla or an upstream ticket with the required information (see https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs and https://fedorahosted.org/sssd/wiki/Troubleshooting)

Comment 19 Ranjandas 2017-02-07 04:13:00 UTC
(In reply to Jakub Hrozek from comment #18)
> Hi,
> 
> I'm afraid a comment to an old bugzilla would be just lost. Can you open a
> new bugzilla or an upstream ticket with the required information (see
> https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs and
> https://fedorahosted.org/sssd/wiki/Troubleshooting)

Thanks, disabling pam_krb5 using authconfig fixed the issue.

Regards
Ranjandas

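The report in comment 17 looks like this bug but is a different failure: the denial line in /var/log/secure comes from pam_krb5, not from pam_sss, so the .k5login check being applied is the one in pam_krb5's own account stage, and the fix was to take pam_krb5 out of the PAM stack. When triaging "authentication success, then access denied" reports, the module name in the account-phase log line tells the two apart. Here is an added example, not code from the bug tracker or from SSSD, that runs that classification over log lines constructed from the two reports above and suggests where to look next:

```python
import re

# Added example (not SSSD code): attribute account-phase denials in
# /var/log/secure to the PAM module that produced them.

# pam_sss tags every line with the PAM service and phase it ran in.
SSS_RE = re.compile(r"pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\): (?P<msg>.*)$")
SSS_DENY_RE = re.compile(r"Access denied for user (?P<user>[^:\s]+)")
# pam_krb5 only tags its pid; its account-phase failure is identified by the message.
KRB5_RE = re.compile(r"pam_krb5\[\d+\]: (?P<msg>.*)$")
KRB5_DENY_RE = re.compile(
    r"account checks fail for '(?P<principal>[^']+)': (?P<reason>.*) for '(?P<user>[^']+)'$")


def account_denials(log_text):
    """Return one dict per account-phase denial: module, user, reason."""
    found = []
    for line in log_text.splitlines():
        m = SSS_RE.search(line)
        if m:
            if m.group("phase") == "account":
                d = SSS_DENY_RE.search(m.group("msg"))
                if d:
                    found.append({"module": "pam_sss", "user": d.group("user"),
                                  "reason": m.group("msg")})
            continue
        m = KRB5_RE.search(line)
        if m:
            d = KRB5_DENY_RE.search(m.group("msg"))
            if d:
                found.append({"module": "pam_krb5", "user": d.group("user"),
                              "principal": d.group("principal"),
                              "reason": d.group("reason")})
    return found


def recommend(denial):
    """Where to look next, depending on which module denied access."""
    if denial["module"] == "pam_krb5":
        return ("pam_krb5 is still in the PAM account stack and applies its own "
                ".k5login check; remove it (e.g. authconfig --disablekrb5 --update) "
                "so that only pam_sss enforces access")
    return ("pam_sss denied access: check access_provider in sssd.conf, the "
            "krb5_child log for the account phase, and whether ~/.k5login exists")


# Constructed sample: the lines quoted in comment 3 and comment 17 above.
SAMPLE_LOG = """\
Sep  2 19:11:55 vm-idm-012 sshd[24320]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=testuser3
Sep  2 19:11:55 vm-idm-012 sshd[24320]: pam_sss(sshd:account): Access denied for user testuser3: 6 (Permission denied)
Feb  6 17:43:58 ip-10-0-13-92 sshd[19464]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.242.72.200 user=testuser1
Feb  6 17:43:58 ip-10-0-13-92 sshd[19464]: pam_krb5[19464]: account checks fail for 'testuser1@EXAMPLE.COM': user disallowed by .k5login file for 'testuser1'
Feb  6 17:44:44 ip-10-0-13-92 sshd[19506]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.242.72.200 user=testuser2
Feb  6 17:44:44 ip-10-0-13-92 sshd[19506]: pam_krb5[19506]: account checks fail for 'testuser2@EXAMPLE.COM': user disallowed by .k5login file for 'testuser2'
"""

if __name__ == "__main__":
    for d in account_denials(SAMPLE_LOG):
        print(d["module"], d["user"], "->", recommend(d))
```

Running it over the sample separates the two situations: testuser3 was denied by pam_sss (this bug, fixed in sssd-1.14.0-38.el7), while testuser1 and testuser2 were denied by pam_krb5, which pam_sss had already passed, so the remedy is the PAM configuration rather than SSSD.
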
