Hide Forgot
Created attachment 1511679 [details] SSSD Domain log. Description of problem: Krb-provider test failed due to bug 803842. This bug was automated long back. I am re-opening this for rhel8. SSSD fails to bind with ldap server, when minssf is set. Log file shows, Search result: Server is unwilling to perform(53), Minimum SSF not met Refer https://bugzilla.redhat.com/show_bug.cgi?id=803842 for more details. Version-Release number of selected component (if applicable): sssd-2.0.0-23.el8.x86_64 How reproducible: Always. Steps to Reproduce: 1. Setup a test environment with 389-ds ldap server and krb server. 2. Configure sssd.conf in client as given below: [sssd] config_file_version = 2 sbus_timeout = 30 services = nss, pam domains = LDAP-KRB5 [nss] filter_groups = root filter_users = root [pam] [domain/LDAP-KRB5] debug_level = 0xFFF0 id_provider = ldap ldap_uri = ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com ldap_search_base = dc=example,dc=com auth_provider = krb5 krb5_server = ipaqavmd.idmqe.lab.eng.bos.redhat.com krb5_realm = EXAMPLE.COM ldap_sasl_mech = GSSAPI ldap_sasl_authid = host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com 3. Update minssf value in ldap server. # ldapmodify -xv -h ipaqavmd.idmqe.lab.eng.bos.redhat.com -D "cn=Manager,dc=example,dc=com" -w Secret123 -f minssf.ldif ldap_initialize( ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com ) replace nsslapd-minssf: 56 modifying entry "cn=config" modify complete 4. Ensure /etc/krb5.keytab file in client is updated with valid data. # klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 5. Clear the cache and restart SSSD service. 6. Run user lookup. # id puser1 id: ‘puser1’: no such user Actual results: User lookup fails. Expected results: User lookup should work. Additional info: Domain log file attached.
Does kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b 'dc=example,dc=com' objectclass=posixAccount return user objects?
(In reply to Sumit Bose from comment #1) > Does > > kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM > ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b > 'dc=example,dc=com' objectclass=posixAccount > > return user objects? Initially kinit returned "Clock skew too great" error. # kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM kinit: Clock skew too great in KDC reply while getting initial credentials # ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b 'dc=example,dc=com' objectclass=posixAccount SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0)) I think the issue is clock skew. I fixed it in both server and client.. now everything works fine. ---------------------------------------------------------- # kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM # ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b 'dc=example,dc=com' objectclass=posixAccount SASL/GSSAPI authentication started SASL username: host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM SASL SSF: 256 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <dc=example,dc=com> with scope subtree # filter: objectclass=posixAccount # requesting: ALL # # host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com, People, example.com dn: uid=host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com,ou=People,dc=exam ple,dc=com uidNumber: 9003 gidNumber: 9003 objectClass: top objectClass: posixAccount cn: host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com uid: host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com homeDirectory: /export/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com loginShell: /bin/bash . . . # # id puser1 uid=1001(puser1) gid=1001(Group1) groups=1001(Group1) I will fix the test code and verify it again. If everything works fine then i will close this bug. Thanks Sumit.
Fixed the test code and got a successful run. The cause of failure was clock skew. See beaker job: https://beaker.engineering.redhat.com/jobs/3207422