Bug 1656426 - Unable to bind to LDAP when minssf is set in server
Summary: Unable to bind to LDAP when minssf is set in server
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: SSSD Maintainers
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-12-05 13:50 UTC by Amith
Modified: 2018-12-05 18:28 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-05 18:28:41 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)
SSSD Domain log. (420.11 KB, text/plain)
2018-12-05 13:50 UTC, Amith

Description Amith 2018-12-05 13:50:28 UTC
Created attachment 1511679 [details]
SSSD Domain log.

Description of problem:
Krb-provider test failed due to bug 803842. This bug was automated long back. I am re-opening this for RHEL 8. SSSD fails to bind with the LDAP server when minssf is set.

The log file shows: Search result: Server is unwilling to perform(53), Minimum SSF not met

Refer https://bugzilla.redhat.com/show_bug.cgi?id=803842 for more details.

Version-Release number of selected component (if applicable):
sssd-2.0.0-23.el8.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Set up a test environment with a 389-ds LDAP server and a krb server.

2. Configure sssd.conf on the client as given below:

[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam
domains = LDAP-KRB5

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP-KRB5]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_server = ipaqavmd.idmqe.lab.eng.bos.redhat.com
krb5_realm = EXAMPLE.COM
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com

3. Update the minssf value in the LDAP server.

# ldapmodify -xv -h ipaqavmd.idmqe.lab.eng.bos.redhat.com -D "cn=Manager,dc=example,dc=com" -w Secret123 -f minssf.ldif
ldap_initialize( ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com )
replace nsslapd-minssf:
	56
modifying entry "cn=config"
modify complete

4. Ensure the /etc/krb5.keytab file on the client is updated with valid data.

# klist -k /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
   3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
   3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
   3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
   3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
   3 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
   4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
   4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
   4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
   4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
   4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
   4 host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM

5. Clear the cache and restart the SSSD service.

6. Run a user lookup.
# id puser1
id: ‘puser1’: no such user

Actual results:
User lookup fails.

Expected results:
User lookup should work.

Additional info:
Domain log file attached.

Comment 1 Sumit Bose 2018-12-05 14:01:48 UTC
Does

    kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
    ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b 'dc=example,dc=com' objectclass=posixAccount

return user objects?

Comment 2 Amith 2018-12-05 14:28:50 UTC
(In reply to Sumit Bose from comment #1)
> Does
> 
>     kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
>     ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b
> 'dc=example,dc=com' objectclass=posixAccount
> 
> return user objects?

Initially, kinit returned a "Clock skew too great" error.

# kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM 
kinit: Clock skew too great in KDC reply while getting initial credentials

# ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b 'dc=example,dc=com' objectclass=posixAccount
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0))


I think the issue is clock skew. I fixed it on both server and client. Now everything works fine.
----------------------------------------------------------

# kinit -k host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM

# ldapsearch -H ldap://ipaqavmd.idmqe.lab.eng.bos.redhat.com -Y GSSAPI -b 'dc=example,dc=com' objectclass=posixAccount
SASL/GSSAPI authentication started
SASL username: host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: objectclass=posixAccount
# requesting: ALL
#

# host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com, People, example.com
dn: uid=host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com,ou=People,dc=exam
 ple,dc=com
uidNumber: 9003
gidNumber: 9003
objectClass: top
objectClass: posixAccount
cn: host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
uid: host/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
homeDirectory: /export/auto-hv-01-guest01.idmqe.lab.eng.bos.redhat.com
loginShell: /bin/bash
.
.
.


# 
# id puser1
uid=1001(puser1) gid=1001(Group1) groups=1001(Group1)

I will fix the test code and verify it again. If everything works fine then I will close this bug.
Thanks Sumit.

Comment 3 Amith 2018-12-05 18:23:07 UTC
Fixed the test code and got a successful run. The cause of failure was clock skew. See beaker job: https://beaker.engineering.redhat.com/jobs/3207422
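A small offline triage helper for the failure pattern discussed in this report, added here as an example that is not part of the bug, of the test code or of SSSD. It takes captured `kinit` / `ldapsearch -Y GSSAPI` output plus the server's nsslapd-minssf value and reports whether the negotiated SASL SSF would satisfy the server and which of the causes seen above (clock skew, no ticket, SSF too low) the text matches. The sample outputs are constructed from the lines quoted in the report; the hostname in them is a placeholder.

```shell
#!/bin/sh
# Added example (not from the bug or SSSD): classify a GSSAPI bind attempt
# from its captured output, with no network access needed.

# Print the SSF ldapsearch reported ("SASL SSF: 256"), or nothing if absent.
sasl_ssf() {
    printf '%s\n' "$1" | sed -n 's/^SASL SSF: \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Return 0 when the negotiated SSF meets the server's nsslapd-minssf ($2).
ssf_meets_minssf() {
    ssf=$(sasl_ssf "$1")
    [ -n "$ssf" ] && [ "$ssf" -ge "$2" ]
}

# Map the diagnostics quoted in this report to a one-word cause.
classify_bind_failure() {
    case "$1" in
        *"Clock skew too great"*)               echo clock-skew ;;
        *"No Kerberos credentials available"*)  echo no-ticket ;;
        *"Minimum SSF not met"*)                echo ssf-too-low ;;
        *"SASL data security layer installed"*) echo ok ;;
        *)                                      echo unknown ;;
    esac
}

# Constructed sample: the successful run from comment 2 (hostname is a placeholder).
SAMPLE_OK='SASL/GSSAPI authentication started
SASL username: host/client.example.com@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.'

# Constructed sample: the kinit failure from comment 2.
SAMPLE_SKEW='kinit: Clock skew too great in KDC reply while getting initial credentials'

# Constructed sample: the server-side rejection quoted in the description.
SAMPLE_MINSSF='ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
	additional info: Minimum SSF not met'

# Stand-alone demo against the samples, with minssf = 56 as in the report.
for s in "$SAMPLE_OK" "$SAMPLE_SKEW" "$SAMPLE_MINSSF"; do
    if ssf_meets_minssf "$s" 56; then state="ssf ok"; else state="ssf not met"; fi
    printf '%-12s %s\n' "$(classify_bind_failure "$s")" "$state"
done
```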

