Bug 1685581 - Extend cached_auth_timeout to cover subdomains / trusts
Summary: Extend cached_auth_timeout to cover subdomains / trusts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1695581
Reported: 2019-03-05 14:46 UTC by James Hartsock
Modified: 2020-05-02 19:06 UTC (History)

Fixed In Version: sssd-1.16.4-15.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1695581
Environment:
Last Closed: 2019-08-06 13:02:47 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github SSSD sssd issues | 4933 | 0 | None | closed | cached_auth_timeout not honored for AD users authenticated via trust with FreeIPA | 2021-02-02 12:23:01 UTC
Red Hat Product Errata | RHSA-2019:2177 | 0 | None | None | None | 2019-08-06 13:03:05 UTC

Description James Hartsock 2019-03-05 14:46:16 UTC
Description of problem:
cached_auth_timeout is not inheritable by trusted domain (sub-domain)

Version-Release number of selected component (if applicable):
sssd-1.16.2-13.el7_6.5

How reproducible:
VERY

Steps to Reproduce:
1. Enable cached_auth_timeout for primary IPA domain, and set pam_verbosity=2.

   [domain/ipa.jjhartsock.com]
   cached_auth_timeout = 120
   ...
   [pam]
   pam_verbosity = 2

2. Stop, clear cache, start sssd

   # systemctl stop sssd
   # sss_cache -E 
   # \rm /var/log/sssd/* /var/lib/sss/db/cache_ipa.jjhartsock.com.ldb
   # systemctl start sssd

3. Log in as an IdM user and as an AD user, and validate that you get "Authenticated with cached credentials." for the length of cached_auth_timeout.


Actual results:
Active Directory subdomain does NOT respect the cached_auth_timeout
  $ su - aduser1
  Password: 
  Last login: Fri Mar  1 12:31:25 CST 2019 on pts/1

  $ su - aduser1
  Password: 
  Last login: Fri Mar  1 12:41:34 CST 2019 on pts/1

  $ su - aduser1
  Password: 
  Last login: Fri Mar  1 12:41:38 CST 2019 on pts/1



Expected results:
With pam_verbosity=2 in the [pam] section of sssd, the cached authentication can be seen:
  $ su - idmuser1
  Password: 
  Last login: Fri Mar  1 12:31:44 CST 2019 on pts/1

  $ su - idmuser1
  Password: 
  Authenticated with cached credentials.
  Last login: Fri Mar  1 12:32:41 CST 2019 on pts/1 <----- Time of first login that populated cache

Then, manually logging out and back in, one can see that credentials are cached for the IdM user for the two minutes:
  $ su - idmuser1
  Password: 
  Authenticated with cached credentials.
  Last login: Fri Mar  1 12:34:27 CST 2019 on pts/1

  $ su - idmuser1 <----------------------------------------- Note did NOT use cached credentials
  Password: 
  Last login: Fri Mar  1 12:34:33 CST 2019 on pts/1

  $ su - idmuser1
  Password: 
  Authenticated with cached credentials.
  Last login: Fri Mar  1 12:34:40 CST 2019 on pts/1 <-------- time of login that did NOT use cache (120 seconds matches setting)



Additional info:

http://post-office.corp.redhat.com/archives/idm-tech/2019-March/msg00007.html

Jakub Hrozek <jhrozek redhat com> 

I can confirm that this is a bug. The way options are read for joined
domains versus subdomains is a bit of a mess and this option is read for
the joined domain only.

Fixing this particular case would probably be doable (I haven't tried,
I'm judging just by looking at the existing code) as long as we care about
this option only, but long term we need a way to flag options that are
settable or inheritable by a trusted domain and implement a more generic
and cleaner way of setting up the options.

Comment 3 Jakub Hrozek 2019-03-05 14:55:29 UTC
FYI, the option is only initialized from confdb_get_domain_internal() which is only called for domains from the [sssd] section's list.

So we can do either of:
 1) when logging a subdomain user, look at the parent domain's setting (inherit implicitly)
 2) make it possible to inherit the option explicitly with subdomain_inherit like we do with e.g. ignore_group_members
 3) extend the trusted domain configuration to read the option from the subdomain's configuration
 4) a combination of 2 and 3
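The description above shows the cached-auth window (a login within cached_auth_timeout seconds of the last online authentication is answered from the cache; the first login after the window expires goes online again), and comment 3 lists the ways the option could be made to apply to a trusted subdomain. The following is an added example, not SSSD code: it parses a constructed sssd.conf fragment modelled on the reporter's, computes which timeout applies to a joined-domain user versus a trusted-domain user under the pre-fix behaviour, under implicit inheritance (approach 1) and under explicit `subdomain_inherit` (approach 2), and walks a sequence of login times through the window. Domain names, the `ad.example.test` subdomain and all function names are assumptions.

```python
# Added example (not SSSD code): a model of how cached_auth_timeout should
# apply to the joined IPA domain and to its trusted (AD) subdomains, and of
# the time window within which a login is answered from the cache.
import configparser

# Constructed sssd.conf fragment modelled on the reporter's; domain names are placeholders.
CONF_EXPLICIT_INHERIT = """
[sssd]
domains = ipa.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
cached_auth_timeout = 120
subdomain_inherit = ignore_group_members, cached_auth_timeout

[pam]
pam_verbosity = 2
"""

# Same fragment without the explicit subdomain_inherit entry.
CONF_NO_INHERIT = CONF_EXPLICIT_INHERIT.replace(
    "subdomain_inherit = ignore_group_members, cached_auth_timeout\n", "")


def parse_sssd_conf(text):
    """sssd.conf is INI-style; keep option names case-sensitive and disable %-interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def effective_cached_auth_timeout(cp, joined_domain, subdomain=None, implicit_inherit=False):
    """Timeout (seconds) that applies to a login in `joined_domain` or, if given, in `subdomain`.

    Pre-fix behaviour described in the bug: the option is read for the joined
    domain only, so a trusted-domain user gets 0 (caching disabled).
    Fixed behaviour, modelled on the approaches listed in comment 3:
      - implicit_inherit=True: the parent domain's value applies (approach 1);
      - otherwise the value applies only when 'cached_auth_timeout' is listed
        in the parent's subdomain_inherit (approach 2).
    """
    section = "domain/" + joined_domain
    timeout = cp.getint(section, "cached_auth_timeout", fallback=0)
    if subdomain is None:
        return timeout
    inherited = {o.strip() for o in cp.get(section, "subdomain_inherit", fallback="").split(",")}
    if implicit_inherit or "cached_auth_timeout" in inherited:
        return timeout
    return 0


def auth_uses_cache(last_online_auth, now, timeout):
    """True when a login at `now` may be answered from the cache: the last
    successful online authentication was less than `timeout` seconds ago.
    A timeout of 0 (the default) disables this caching entirely."""
    if timeout <= 0 or last_online_auth is None:
        return False
    return (now - last_online_auth) < timeout


def simulate_logins(login_times, timeout):
    """Walk login times (seconds from an arbitrary origin) and return, per login,
    whether it was served from the cache. Each online authentication restarts
    the window; cached ones do not."""
    last_online = None
    result = []
    for t in login_times:
        cached = auth_uses_cache(last_online, t, timeout)
        if not cached:
            last_online = t
        result.append((t, cached))
    return result


if __name__ == "__main__":
    cp = parse_sssd_conf(CONF_NO_INHERIT)
    print("IPA user timeout:", effective_cached_auth_timeout(cp, "ipa.example.test"))
    print("AD user timeout (pre-fix):",
          effective_cached_auth_timeout(cp, "ipa.example.test", "ad.example.test"))
    for t, cached in simulate_logins([0, 60, 119, 121, 180], 120):
        print(f"login at +{t:>3}s: {'cached' if cached else 'online'}")
```

The simulated timeline reproduces the pattern in the reporter's "Expected results": the login right after the 120-second window expires goes online and restarts the window, and later logins inside the new window are cached again. The trade-off to keep in mind when choosing the value: while the window is open, SSSD does not contact the server for that user, so a password change or lockout made on the server is only enforced at the next online authentication.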

Comment 8 Jakub Hrozek 2019-03-07 21:13:09 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3960

Comment 9 Jakub Hrozek 2019-03-07 21:25:40 UTC
PR: https://pagure.io/SSSD/sssd/issue/3960

Comment 10 Jakub Hrozek 2019-03-07 21:26:04 UTC
(In reply to Jakub Hrozek from comment #9)
> PR: https://pagure.io/SSSD/sssd/issue/3960

Sorry, this is the correct PR link: https://github.com/SSSD/sssd/pull/772

Comment 13 Jakub Hrozek 2019-03-26 21:14:24 UTC
* master: fedfc4f
* sssd-1-16: fedfc4f

Comment 21 Kaleem 2019-05-16 02:58:45 UTC
Jakub,

As per https://bugzilla.redhat.com/show_bug.cgi?id=1685581#c19 you said that the pre-auth in PAM responder issue will also be handled in this bz, but I see the PR is still open and this bz is ON_QA.
Are we going to have https://github.com/SSSD/sssd/pull/804 as part of this bz fix?
We have to verify this bz by 21st of May.

Comment 22 Jakub Hrozek 2019-05-16 07:38:36 UTC
(In reply to Kaleem from comment #21)
> Jakub,
> 
> As per https://bugzilla.redhat.com/show_bug.cgi?id=1685581#c19 you said that
> pre-auth in PAM responder issue will be also handled in this bz but i see
> the PR still open and this bz is ON_QA

OK, let me switch the bug to ASSIGNED

> Are we going to have https://github.com/SSSD/sssd/pull/804 part of this bz
> fix?

There were some issues raised during the code review which I still need to address, but the PR works, so I don't anticipate it would take too much time.

> We have to verify this bz by 21st of May

I'll try to respin the PR today so it can be merged by the end of the week.

Comment 23 Jakub Hrozek 2019-05-20 07:04:01 UTC
Related commits that also fix PREAUTH caching:
* master: c911562
* sssd-1-16: 0a637ff

Comment 25 Kaleem 2019-05-20 14:52:09 UTC
Verified.

rpm versions:
==============

[root@master ~]# rpm -q ipa-server sssd
ipa-server-4.6.5-8.el7.x86_64
sssd-1.16.4-16.el7.x86_64
[root@master ~]#


(1) cached_auth_timeout is honored by trusted domain as well

cached_auth_timeout is inheritable by ipa domain 

[root@master ~]# ssh user1.test
Password: 
Last login: Mon May 20 09:58:43 2019
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh user1.test
Password: 
Authenticated with cached credentials.
Last login: Mon May 20 10:31:46 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh user1.test
Password: 
Last login: Mon May 20 10:31:51 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh user1.test
Password: 
Authenticated with cached credentials.
Last login: Mon May 20 10:35:23 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# 

cached_auth_timeout is inheritable by trusted domain now as well

[root@master ~]# ssh aduser1@master.sshtestks.test
Password: 
Last login: Mon May 20 10:23:45 2019 from localhost
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh aduser1@master.sshtestks.test
Password: 
Authenticated with cached credentials.
Last login: Mon May 20 10:37:13 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh aduser1@master.sshtestks.test
Password: 
Last login: Mon May 20 10:37:18 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh aduser1@master.sshtestks.test
Password: 
Authenticated with cached credentials.
Last login: Mon May 20 10:39:25 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# 

(2) no log for pre-auth in case of cached_auth authentication

[root@master ~]# ssh aduser1@master.sshtestks.test
Password: 
Authenticated with cached credentials.
Last login: Mon May 20 10:47:43 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ 
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# 


May 20 10:47:17 master.sshtestks.test krb5kdc[13282](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 172.16.169.59: REFERRAL: aduser1\@IPAAD2016.TEST for krbtgt/SSHTESTKS.TEST, Realm not local to KDC
May 20 10:47:17 master.sshtestks.test krb5kdc[13282](info): closing down fd 13
May 20 10:47:21 master.sshtestks.test krb5kdc[13282](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 172.16.169.59: REFERRAL: aduser1\@IPAAD2016.TEST for krbtgt/SSHTESTKS.TEST, Realm not local to KDC
May 20 10:47:21 master.sshtestks.test krb5kdc[13282](info): closing down fd 13
May 20 10:47:21 master.sshtestks.test krb5kdc[13283](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 172.16.169.59: ISSUE: authtime 1558363641, etypes {rep=18 tkt=18 ses=18}, aduser1 for host/master.sshtestks.test
May 20 10:47:21 master.sshtestks.test krb5kdc[13283](info): closing down fd 13
^C
[root@master ~]#
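Part (2) of the verification above confirms the PREAUTH fix by showing that the krb5kdc log contains AS_REQ/TGS_REQ entries only for the earlier online login, and none around the cached one. The following is an added example, not SSSD or MIT Kerberos code, that automates that check: it parses krb5kdc log lines of the form shown above into (time, request kind, result, client principal) events and reports which requests a given user made to the KDC inside a time window, so an empty result for the window of a cached login is the expected outcome. The sample log is constructed and modelled on the lines in comment 25 (hostnames and addresses are placeholders); the year supplied for the syslog timestamps and all function names are assumptions.

```python
# Added example (not SSSD or MIT Kerberos code): parse krb5kdc log lines of the
# form shown in comment 25 and report which principals reached the KDC in a
# time window, to confirm that a cached-credential login generated no AS_REQ.
import re
from datetime import datetime

# Constructed sample, modelled on the page's krb5kdc output (hostnames and
# addresses are placeholders).
KDC_LOG = """\
May 20 10:47:17 kdc.example.test krb5kdc[13282](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: REFERRAL: aduser1\\@AD.EXAMPLE.TEST for krbtgt/EXAMPLE.TEST, Realm not local to KDC
May 20 10:47:17 kdc.example.test krb5kdc[13282](info): closing down fd 13
May 20 10:47:21 kdc.example.test krb5kdc[13283](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1558363641, etypes {rep=18 tkt=18 ses=18}, aduser1 for host/kdc.example.test
May 20 10:47:21 kdc.example.test krb5kdc[13283](info): closing down fd 13
"""

# Syslog stamp, host, "krb5kdc[pid](level): ", request kind, then "<addr>: <RESULT>: <rest>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) .*?: (?P<result>[A-Z_]+): (?P<rest>.*)$")
# "<client> for <service>" appears in both REFERRAL and ISSUE lines.
PRINC_RE = re.compile(r"(\S+) for (\S+)")


def _stamp(text, year):
    """Syslog timestamps carry no year, so one is supplied (assumption)."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


def parse_kdc_log(text, year=2019):
    """Return (timestamp, request kind, result, client principal) tuples for
    AS_REQ/TGS_REQ lines; 'closing down fd' and other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PRINC_RE.search(m["rest"])
        # The KDC escapes '@' in a referred principal as '\@'; drop the escape.
        client = p.group(1).replace("\\", "").rstrip(",") if p else "?"
        events.append((_stamp(m["ts"], year), m["kind"], m["result"], client))
    return events


def kdc_requests_between(events, start, end, user, year=2019):
    """Requests by `user` (short name; realm ignored) with start <= ts < end,
    where start/end are strings in the same 'Mon DD HH:MM:SS' format."""
    lo, hi = _stamp(start, year), _stamp(end, year)
    return [e for e in events if lo <= e[0] < hi and e[3].split("@")[0] == user]


if __name__ == "__main__":
    events = parse_kdc_log(KDC_LOG)
    # Window around the online login: expect the AS_REQ referral and the TGS_REQ.
    print(kdc_requests_between(events, "May 20 10:47:00", "May 20 10:47:30", "aduser1"))
    # Window around the cached login: expect no KDC requests at all.
    print(kdc_requests_between(events, "May 20 10:47:40", "May 20 10:48:10", "aduser1"))
```

Run against a real `/var/log/krb5kdc.log`, the second query is the one to check: an AS_REQ for the user inside the window of a login that sshd reported as "Authenticated with cached credentials." would mean the PAM responder still performed a pre-authentication round trip.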

Comment 30 errata-xmlrpc 2019-08-06 13:02:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2177

Comment 31 James Hartsock 2019-08-08 19:15:10 UTC
Bugzilla not allowing solution links, so placing in comment.
https://access.redhat.com/solutions/4342151

