Bug 1431858 - Wrong principal found with ad provider and long host name
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: shridhar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-03-13 21:24 UTC by Lukas Slebodnik
Modified: 2020-05-02 18:37 UTC
CC: 9 users

Fixed In Version: sssd-1.15.2-15.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:04:18 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github SSSD sssd issues | 4360 | 0 | None | None | None | 2020-05-02 18:37:50 UTC
Red Hat Product Errata | RHEA-2017:2294 | 0 | normal | SHIPPED_LIVE | sssd bug fix and enhancement update | 2017-08-01 12:39:55 UTC

Description Lukas Slebodnik 2017-03-13 21:24:46 UTC
Description of problem:
sssd tries to find the most suitable principal from the keytab. We need to use the UPN with the AD provider, and it should be at most 15 upper-case letters from the hostname.

e.g.
hostname =  kvm-02-guest20kvm-02-guest20.sssd.com
UPN = KVM-02-GUEST20K$@SSSDAD.COM

Version-Release number of selected component (if applicable):
sh$ rpm -q sssd
sssd-1.14.0-43.el7_3.11.x86_64

How reproducible:
Deterministic

Steps to Reproduce:
1. set hostname longer than 15 characters
2. join sssd to ad domain
3. start sssd
4. try to resolve some users

Actual results:
Users are not resolved

Expected results:
Users are resolved.

Additional info:
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to SSSDAD.COM
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Will look for kvm-02-guest20kvm-02-guest20.sssdad.com in default keytab
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal kvm-02-guest20kvm-02-guest20.sssdad.com in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching kvm-02-guest20kvm-02-guest20.sssdad.com found in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal KVM-02-GUEST20KVM-02-GUEST20$@SSSDAD.COM in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching KVM-02-GUEST20KVM-02-GUEST20$@SSSDAD.COM found in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/kvm-02-guest20kvm-02-guest20.sssdad.com in keytab.
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [match_principal] (0x1000): Principal matched to the sample (host/kvm-02-guest20kvm-02-guest20.sssdad.com).
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): Selected primary: host/kvm-02-guest20kvm-02-guest20.sssdad.com
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SSSDAD.COM
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/kvm-02-guest20kvm-02-guest20.sssdad.com
(Mon Mar 13 17:19:41 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to SSSDAD.COM

sh# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com

Comment 2 Lukas Slebodnik 2017-03-13 21:27:59 UTC
The workaround is to set ldap_sasl_authid to the right UPN.

BTW, it was not a problem on RHEL 7.2 because adcli created the principal "HOST/" instead of "host/", and therefore sssd did not match it and fell back to the pattern "*$".

(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to SSSDAD.COM
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Will look for ibm-x3500m4-01ibm-x3500m4-01.sssdad.com in default keytab
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal ibm-x3500m4-01ibm-x3500m4-01.sssdad.com in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching ibm-x3500m4-01ibm-x3500m4-01.sssdad.com found in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal IBM-X3500M4-01IBM-X3500M4-01$@SSSDAD.COM in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching IBM-X3500M4-01IBM-X3500M4-01$@SSSDAD.COM found in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x0400): No principal matching host/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com found in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [find_principal_in_keytab] (0x4000): Trying to find principal *$@SSSDAD.COM in keytab.
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [match_principal] (0x1000): Principal matched to the sample (*$@SSSDAD.COM).
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): Selected primary: IBM-X3500M4-01I$
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [select_principal_from_keytab] (0x0200): Selected realm: SSSDAD.COM
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to IBM-X3500M4-01I$
(Mon Mar 13 16:52:02 2017) [sssd[be[sssdad.com]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to SSSDAD.COM


sh# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com

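The selection order logged in the description and the "*$" fallback described in Comment 2 can be reproduced with the following model. This is an added example, not sssd's own code: the candidate order, the case-sensitive matching and the treatment of realm-less keytab entries are inferred from the quoted log lines, the `truncate` switch stands in for the sssd-1.14 versus fixed behaviour, and the two keytab listings are constructed from the `klist -kt` output above with the per-enctype duplicate rows dropped.

```python
"""Model of how sssd's AD provider picks ldap_sasl_authid from the keytab
(select_principal_from_keytab), reconstructed from the debug logs in this
bug.  Added illustration, not sssd code."""
import fnmatch

# AD computer sAMAccountName is the NetBIOS name: at most 15 characters, then '$'.
NETBIOS_MAX = 15

# Constructed listings mirroring the two `klist -kt` outputs in the report,
# one row per distinct principal.
KEYTAB_RHEL73 = """\
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/13/2017 17:18:57 KVM-02-GUEST20K$@SSSDAD.COM
   2 03/13/2017 17:18:57 host/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 host/kvm-02-guest20kvm-02-guest20.sssdad.com
   2 03/13/2017 17:18:58 RestrictedKrbHost/KVM-02-GUEST20K
   2 03/13/2017 17:18:58 RestrictedKrbHost/kvm-02-guest20kvm-02-guest20.sssdad.com
"""

KEYTAB_RHEL72 = """\
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/13/2017 16:51:22 IBM-X3500M4-01I$@SSSDAD.COM
   3 03/13/2017 16:51:22 HOST/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 HOST/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
   3 03/13/2017 16:51:22 RestrictedKrbHost/IBM-X3500M4-01I
   3 03/13/2017 16:51:22 RestrictedKrbHost/ibm-x3500m4-01ibm-x3500m4-01.sssdad.com
"""


def parse_klist(text):
    """Parse `klist -kt` output into an ordered list of (primary, realm) tuples.

    Entries written without '@' (as the host/ SPNs are here) get realm ''.
    Repeated rows (one per encryption type) are collapsed.
    """
    seen = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows look like: KVNO  MM/DD/YYYY  HH:MM:SS  principal
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        primary, _, realm = parts[3].partition("@")
        if (primary, realm) not in seen:
            seen.append((primary, realm))
    return seen


def upn_candidate(hostname, realm, truncate):
    """Machine-account UPN to look for: UPPER(short host) + '$' @ REALM.

    truncate=False reproduces the sssd-1.14 behaviour from the report (the
    whole first DNS label); truncate=True caps it at NETBIOS_MAX characters.
    """
    short = hostname.split(".")[0]
    if truncate:
        short = short[:NETBIOS_MAX]
    return short.upper() + "$", realm


def candidates(hostname, realm, truncate):
    """Search order as logged: bare hostname, UPN, host/fqdn, then any '*$'."""
    return [
        (hostname, None),          # logged without a realm
        upn_candidate(hostname, realm, truncate),
        ("host/" + hostname, None),  # logged without a realm
        ("*$", realm),
    ]


def matches(entry, pattern):
    """Case-sensitive match, so 'HOST/...' never satisfies a 'host/...' pattern."""
    primary, realm = entry
    want_primary, want_realm = pattern
    if not fnmatch.fnmatchcase(primary, want_primary):
        return False
    # Assumption: a keytab entry with no realm matches whatever realm is wanted.
    return want_realm is None or realm in ("", want_realm)


def select_principal(keytab, hostname, realm, truncate=True):
    """Return (primary, realm) of the first keytab entry hit by a candidate, or None."""
    for pattern in candidates(hostname, realm, truncate):
        for entry in keytab:
            if matches(entry, pattern):
                primary, entry_realm = entry
                return primary, entry_realm or realm
    return None


if __name__ == "__main__":
    kt = parse_klist(KEYTAB_RHEL73)
    host = "kvm-02-guest20kvm-02-guest20.sssdad.com"
    print("sssd-1.14 on 7.3 keytab:", select_principal(kt, host, "SSSDAD.COM", truncate=False))
    print("fixed on 7.3 keytab:    ", select_principal(kt, host, "SSSDAD.COM", truncate=True))
    kt72 = parse_klist(KEYTAB_RHEL72)
    host72 = "ibm-x3500m4-01ibm-x3500m4-01.sssdad.com"
    print("sssd-1.14 on 7.2 keytab:", select_principal(kt72, host72, "SSSDAD.COM", truncate=False))
```

Run against the 7.3-style keytab, the untruncated candidate misses `KVM-02-GUEST20K$` and the search falls through to the `host/` SPN, exactly as the first log excerpt shows; the capped candidate hits the machine account UPN on the second try, as in the verification log in Comment 6. On the 7.2-style keytab the upper-case `HOST/` entries defeat the third candidate and the `*$` wildcard rescues the selection. One caveat when relying on the 15-character cap: two hosts whose first DNS label shares the same first 15 characters map to the same NetBIOS name and cannot both be joined to the domain under it, so the better fix for such hosts is a shorter name rather than the `ldap_sasl_authid` workaround.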
Comment 3 Lukas Slebodnik 2017-03-14 09:30:45 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3329

Comment 4 Lukas Slebodnik 2017-04-12 21:21:04 UTC
master:
* c6f1bc32774a7cf2f8678499dfbced420be3a3a1

sssd-1-14:
* fee7386e3af5e55eb3c66d8cf3533075b977a734

sssd-1-13:
* 56ca9ad3d7ec7da2e82b51ffc55f6d1367d14f34

Comment 6 shridhar 2017-05-26 10:11:48 UTC
verified with:

r7-permanent ~]# rpm -q sssd
sssd-1.15.2-33.el7.x86_64

 ~]# cat /etc/sssd/sssd.conf 

[sssd]
domains = sssd16.qe
config_file_version = 2
services = nss, pam

[domain/sssd16.qe]
ad_domain = sssd16.qe
krb5_realm = SSSD16.QE
realmd_tags = manages-system joined-with-adcli 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
#ldap_sasl_authid = SHR-R7-PERMANEN$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 9


-r7-permanent ~]# id fu1
uid=616401111(fu1) gid=616400513(domain users) groups=616400513(domain users),616401112(fg1),616401113(fg2)

from domain logs:

(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [sdap_set_sasl_options] (0x0100): Will look for shr-r7-permanent.sssd16.qe in default keytab
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [find_principal_in_keytab] (0x4000): Trying to find principal shr-r7-permanent.sssd16.qe in keytab.
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [find_principal_in_keytab] (0x0400): No principal matching shr-r7-permanent.sssd16.qe found in keytab.
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [find_principal_in_keytab] (0x4000): Trying to find principal SHR-R7-PERMANEN$@SSSD16.QE in keytab.
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [match_principal] (0x1000): Principal matched to the sample (SHR-R7-PERMANEN$@SSSD16.QE).
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [select_principal_from_keytab] (0x0200): Selected primary: SHR-R7-PERMANEN$
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [select_principal_from_keytab] (0x0200): Selected realm: SSSD16.QE
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to SHR-R7-PERMANEN$
(Fri May 26 06:07:59 2017) [sssd[be[sssd16.qe]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to SSSD16.QE


~]# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 SHR-R7-PERMANEN$@SSSD16.QE
   4 05/26/2017 05:17:39 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:39 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:39 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 host/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 host/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/SHR-R7-PERMANEN
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe
   4 05/26/2017 05:17:40 RestrictedKrbHost/shr-r7-permanent.sssd16.qe

Comment 7 errata-xmlrpc 2017-08-01 09:04:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294

