Description of problem:
cached_auth_timeout is not inheritable by trusted domain (sub-domain)

Version-Release number of selected component (if applicable):
sssd-1.16.2-13.el7_6.5

How reproducible:
VERY

Steps to Reproduce:
1. Enable cached_auth_timeout for primary IPA domain, and set pam_verbosity=2.

[domain/ipa.jjhartsock.com]
cached_auth_timeout = 120
...
[pam]
pam_verbosity=2

2. Stop, clear cache, start sssd
# systemctl stop sssd
# sss_cache -E
# \rm /var/log/sssd/* /var/lib/sss/db/cache_ipa.jjhartsock.com.ldb
# systemctl start sssd

3. Login as IDM & AD user, validate get "Authenticated with cached credentials." for the length of cached_auth_timeout

Actual results:
Active Directory subdomain does NOT respect the cached_auth_timeout

$ su - aduser1
Password:
Last login: Fri Mar 1 12:31:25 CST 2019 on pts/1
$ su - aduser1
Password:
Last login: Fri Mar 1 12:41:34 CST 2019 on pts/1
$ su - aduser1
Password:
Last login: Fri Mar 1 12:41:38 CST 2019 on pts/1

Expected results:
Can see with pam_verbosity=2 in [pam] section of sssd, cached

$ su - idmuser1
Password:
Last login: Fri Mar 1 12:31:44 CST 2019 on pts/1
$ su - idmuser1
Password:
Authenticated with cached credentials.
Last login: Fri Mar 1 12:32:41 CST 2019 on pts/1 <----- Time of first login that populated cache

Then manually logging out and back in, can see that credentials are cached for IDM user for the two minutes

$ su - idmuser1
Password:
Authenticated with cached credentials.
Last login: Fri Mar 1 12:34:27 CST 2019 on pts/1
$ su - idmuser1 <----------------------------------------- Note did NOT use cached credentials
Password:
Last login: Fri Mar 1 12:34:33 CST 2019 on pts/1
$ su - idmuser1
Password:
Authenticated with cached credentials.
Last login: Fri Mar 1 12:34:40 CST 2019 on pts/1 <-------- time of login that did NOT use cache (120 seconds matches setting)

Additional info:
http://post-office.corp.redhat.com/archives/idm-tech/2019-March/msg00007.html

Jakub Hrozek <jhrozek redhat com>
I can confirm that this is a bug. The way options are read for joined domains versus subdomains is a bit of a mess and this option is read for the joined domain only. Fixing this particular case would probably be doable (I haven't tried, I'm judging just by looking at the existing code) as long as we care about this option only, but long term we need a way to flag options that are settable or inheritable by a trusted domain and implement a more generic and cleaner way of setting up the options.
FYI, the option is only initialized from confdb_get_domain_internal() which is only called for domains from the [sssd] section's list. So we can do either of:
1) when logging a subdomain user, look at the parent domain's setting (inherit implicitly)
2) make it possible to inherit the option explicitly with subdomain_inherit like we do with e.g. ignore_group_members
3) extend the trusted domain configuration to read the option from the subdomain's configuration
4) a combination of 2 and 3
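An added illustration of the lookup rules listed in the comment above; this is not SSSD's own code. It parses a constructed sssd.conf fragment modelled on the reporter's configuration, resolves cached_auth_timeout for the joined IPA domain and for an assumed AD trusted subdomain (ad.example.test) under a "joined domain only" rule, an implicit-inheritance rule and an explicit subdomain_inherit rule, and then replays a series of logins through an assumed model of the PAM responder's cache check. The rule names, the helper functions, the subdomain name and the login timestamps are all assumptions made for the example.

```python
"""Model of how cached_auth_timeout is resolved for a joined IPA domain
versus an AD trusted subdomain, and of the decision it drives.
Added illustration, not SSSD code: confdb and responder internals are
simplified, and the subdomain name ad.example.test is an assumption."""
import configparser

# Constructed sssd.conf fragment mirroring the reporter's configuration.
SSSD_CONF = """
[sssd]
domains = ipa.jjhartsock.com
services = nss, pam

[domain/ipa.jjhartsock.com]
id_provider = ipa
cached_auth_timeout = 120

[pam]
pam_verbosity = 2
"""


def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def cached_auth_timeout(cp, domain, parent=None, rule="joined_only"):
    """Effective cached_auth_timeout in seconds (0 disables cached auth).

    rule="joined_only": read the option only from the domain's own
      [domain/NAME] section, which exists only for the domains listed in
      [sssd] domains=; a trusted subdomain therefore gets the default 0.
      This models the sssd-1.16.2 behaviour the report describes.
    rule="implicit":    fall back to the parent's value (option 1 above).
    rule="explicit":    fall back to the parent's value only when the
      parent lists the option in subdomain_inherit (option 2 above).
    """
    section = f"domain/{domain}"
    if cp.has_section(section):
        return cp.getint(section, "cached_auth_timeout", fallback=0)
    if parent is None or rule == "joined_only":
        return 0
    if rule == "implicit":
        return cached_auth_timeout(cp, parent)
    if rule == "explicit":
        raw = cp.get(f"domain/{parent}", "subdomain_inherit", fallback="")
        inherited = {o.strip() for o in raw.split(",") if o.strip()}
        if "cached_auth_timeout" in inherited:
            return cached_auth_timeout(cp, parent)
        return 0
    raise ValueError(f"unknown rule {rule!r}")


def use_cached_auth(now, last_online_auth, timeout):
    """Assumed model of the responder check: answer from the cache when a
    successful online authentication with the same credential happened
    less than `timeout` seconds ago. Times are epoch seconds."""
    if timeout <= 0 or last_online_auth is None:
        return False
    return now - last_online_auth < timeout


def replay(login_times, timeout):
    """Replay a series of logins; returns (time, served_from_cache) pairs.
    A login that goes online refreshes the last-online timestamp, which is
    why cache hits resume right after the one login that did not use the
    cache in the reporter's transcript."""
    out, last_online = [], None
    for t in login_times:
        cached = use_cached_auth(t, last_online, timeout)
        if not cached:
            last_online = t
        out.append((t, cached))
    return out


if __name__ == "__main__":
    cp = load_conf(SSSD_CONF)
    for rule in ("joined_only", "implicit", "explicit"):
        print(rule, cached_auth_timeout(cp, "ad.example.test",
                                        "ipa.jjhartsock.com", rule))
    print(replay([0, 60, 119, 120, 125], 120))
```

Under the "joined_only" rule the subdomain resolves to 0, which is the never-cached behaviour seen for aduser1 in the description; under either inheritance rule it resolves to the parent's 120. Whether a given SSSD release accepts cached_auth_timeout in subdomain_inherit is a question for sssd.conf(5) on that release, not for this model.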
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3960
PR: https://pagure.io/SSSD/sssd/issue/3960
(In reply to Jakub Hrozek from comment #9)
> PR: https://pagure.io/SSSD/sssd/issue/3960

Sorry, this is the correct PR link:
https://github.com/SSSD/sssd/pull/772
* master: fedfc4f
* sssd-1-16: fedfc4f
Jakub,

As per https://bugzilla.redhat.com/show_bug.cgi?id=1685581#c19 you said that pre-auth in PAM responder issue will be also handled in this bz but I see the PR still open and this bz is ON_QA.

Are we going to have https://github.com/SSSD/sssd/pull/804 part of this bz fix?

We have to verify this bz by 21st of May.
(In reply to Kaleem from comment #21)
> Jakub,
>
> As per https://bugzilla.redhat.com/show_bug.cgi?id=1685581#c19 you said that
> pre-auth in PAM responder issue will be also handled in this bz but i see
> the PR still open and this bz is ON_QA

OK, let me switch the bug to ASSIGNED

> Are we going to have https://github.com/SSSD/sssd/pull/804 part of this bz
> fix?

There were some issues raised during the code review which I still need to address, but the PR works, so I don't anticipate it would take too much time.

> We have to verify this bz by 21st of May

I'll try to respin the PR today so it can be merged by the end of the week.
Related commits that also fix PREAUTH caching:
* master: c911562
* sssd-1-16: 0a637ff
Verified.

rpm versions:
==============
[root@master ~]# rpm -q ipa-server sssd
ipa-server-4.6.5-8.el7.x86_64
sssd-1.16.4-16.el7.x86_64
[root@master ~]#

(1) cached_auth_timeout is honored by trusted domain as well

cached_auth_timeout is inheritable by ipa domain

[root@master ~]# ssh user1.test
Password:
Last login: Mon May 20 09:58:43 2019
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh user1.test
Password:
Authenticated with cached credentials.
Last login: Mon May 20 10:31:46 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh user1.test
Password:
Last login: Mon May 20 10:31:51 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh user1.test
Password:
Authenticated with cached credentials.
Last login: Mon May 20 10:35:23 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]#

cached_auth_timeout is inheritable by trusted domain now as well

[root@master ~]# ssh aduser1@master.sshtestks.test
Password:
Last login: Mon May 20 10:23:45 2019 from localhost
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh aduser1@master.sshtestks.test
Password:
Authenticated with cached credentials.
Last login: Mon May 20 10:37:13 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh aduser1@master.sshtestks.test
Password:
Last login: Mon May 20 10:37:18 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]# ssh aduser1@master.sshtestks.test
Password:
Authenticated with cached credentials.
Last login: Mon May 20 10:39:25 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]#

(2) no log for pre-auth in case of cached_auth authentication

[root@master ~]# ssh aduser1@master.sshtestks.test
Password:
Authenticated with cached credentials.
Last login: Mon May 20 10:47:43 2019 from master.sshtestks.test
Instance used by: https://platform-stg-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-rhel-7.7-candidate-runtest-getcert-pytest/19/
-sh-4.2$
-sh-4.2$ logout
Connection to master.sshtestks.test closed.
[root@master ~]#

May 20 10:47:17 master.sshtestks.test krb5kdc[13282](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 172.16.169.59: REFERRAL: aduser1\@IPAAD2016.TEST for krbtgt/SSHTESTKS.TEST, Realm not local to KDC
May 20 10:47:17 master.sshtestks.test krb5kdc[13282](info): closing down fd 13
May 20 10:47:21 master.sshtestks.test krb5kdc[13282](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 172.16.169.59: REFERRAL: aduser1\@IPAAD2016.TEST for krbtgt/SSHTESTKS.TEST, Realm not local to KDC
May 20 10:47:21 master.sshtestks.test krb5kdc[13282](info): closing down fd 13
May 20 10:47:21 master.sshtestks.test krb5kdc[13283](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 172.16.169.59: ISSUE: authtime 1558363641, etypes {rep=18 tkt=18 ses=18}, aduser1 for host/master.sshtestks.test
May 20 10:47:21 master.sshtestks.test krb5kdc[13283](info): closing down fd 13
^C
[root@master ~]#
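The second check in the verification above relies on reading the krb5kdc log by eye: a login served from SSSD's cache must not produce an AS_REQ for the user, because no pre-authentication against the KDC takes place. The following is an added example, not SSSD or MIT krb5 code, of doing that check mechanically: it parses krb5kdc log lines of the shape quoted above into request events and counts the AS_REQ (or TGS_REQ) entries for a user inside a time window. The regexes are assumptions fitted to those quoted lines, the sample log is copied from them (year assumed to be 2019), and the window boundaries used in the usage are constructed.

```python
"""Parse krb5kdc log lines and count the AS_REQ / TGS_REQ entries a user
generated inside a time window, to tell an online (pre-authenticated)
login from one served out of SSSD's cache. Added illustration, not SSSD
or MIT krb5 code; regexes are fitted to the lines quoted in the bug."""
import re
from datetime import datetime

# Sample lines copied from the verification comment (year assumed: 2019).
SAMPLE_KDC_LOG = r"""
May 20 10:47:17 master.sshtestks.test krb5kdc[13282](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 172.16.169.59: REFERRAL: aduser1\@IPAAD2016.TEST for krbtgt/SSHTESTKS.TEST, Realm not local to KDC
May 20 10:47:17 master.sshtestks.test krb5kdc[13282](info): closing down fd 13
May 20 10:47:21 master.sshtestks.test krb5kdc[13282](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 172.16.169.59: REFERRAL: aduser1\@IPAAD2016.TEST for krbtgt/SSHTESTKS.TEST, Realm not local to KDC
May 20 10:47:21 master.sshtestks.test krb5kdc[13282](info): closing down fd 13
May 20 10:47:21 master.sshtestks.test krb5kdc[13283](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 172.16.169.59: ISSUE: authtime 1558363641, etypes {rep=18 tkt=18 ses=18}, aduser1 for host/master.sshtestks.test
May 20 10:47:21 master.sshtestks.test krb5kdc[13283](info): closing down fd 13
"""

# syslog-style prefix: "Mon DD HH:MM:SS host krb5kdc[pid](level): message"
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$")
# request lines: "AS_REQ (etypes) client-ip: STATUS: detail"
REQ_RE = re.compile(
    r"^(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<ip>[\d.:a-fA-F]+): "
    r"(?P<status>[A-Z_]+): (?P<detail>.*)$")
# "client for server" inside the detail; the server ends at a comma or space
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^\s,]+)")


def parse_kdc_log(text, year=2019):
    """Return one dict per AS_REQ/TGS_REQ line; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        r = REQ_RE.match(m["msg"])
        if not r:
            continue
        p = PRINC_RE.search(r["detail"])
        if not p:
            continue
        # The KDC escapes '@' inside enterprise names (aduser1\@REALM).
        client = p["client"].replace("\\@", "@")
        events.append({
            "time": datetime.strptime(f"{year} {m['stamp']}",
                                      "%Y %b %d %H:%M:%S"),
            "pid": int(m["pid"]),
            "req": r["req"],
            "ip": r["ip"],
            "status": r["status"],
            "client": client,
            "user": client.split("@", 1)[0],
            "server": p["server"],
        })
    return events


def requests_in_window(events, user, start, end, req="AS_REQ"):
    """Count `req` entries for `user` with start <= time < end; bounds are
    ISO strings such as '2019-05-20 10:47:30'. Zero AS_REQ entries around
    a login that printed 'Authenticated with cached credentials.' is the
    expected result; a non-zero count means the KDC was contacted."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return sum(1 for e in events
               if e["user"] == user and e["req"] == req
               and t0 <= e["time"] < t1)


if __name__ == "__main__":
    ev = parse_kdc_log(SAMPLE_KDC_LOG)
    # constructed windows: the online login and the later cached one
    print("online window AS_REQ:",
          requests_in_window(ev, "aduser1", "2019-05-20 10:47:00", "2019-05-20 10:47:30"))
    print("cached window AS_REQ:",
          requests_in_window(ev, "aduser1", "2019-05-20 10:47:30", "2019-05-20 10:50:00"))
```

On a real host the input would be the output of `journalctl -u krb5kdc` or /var/log/krb5kdc.log; pair the windows with the wall-clock time of each `ssh` attempt rather than with the "Last login" line, which reports the previous session.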
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2177
Bugzilla not allowing solution links, so placing in comment. https://access.redhat.com/solutions/4342151