Description of problem:
With sssd-kcm installed, I can log in and according to klist the TGT is there. However I can't use it to connect to services including ssh on other machines and the FreeIPA web interface. These things work if I remove sssd-kcm and go back to the kernel keyring.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure F31 workstation using ipa-client-install (standard config, worked OK in Fedora 30).
2. Reboot, log in using realm credentials and get TGT.
3. Attempt to connect to Kerberised remote service.
Actual results:
Kerberos credentials not used. Password prompt appears.
Expected results:
Access granted through single sign-on.
Will provide logs upon request. Nothing incriminating seen in journalctl -u sssd-kcm.
This sounds a bit like https://bugzilla.redhat.com/show_bug.cgi?id=1757224. Can you give the test build from comment #55 at https://koji.fedoraproject.org/koji/taskinfo?taskID=38214051 a try? To download the packages in a single run you can use:
curl 'https://koji.fedoraproject.org/koji/taskinfo?taskID=38214051' | grep -o '"https://.*\.rpm"' | xargs -n 1 curl -O
What client are you using?
Also see Sumit's reply if you are using standard built Fedora clients like curl or openssh.
Using sssd-kcm from 38214051 broke Kerberos login altogether. Login functionality restored with that build by removing sssd-kcm and restarting sssd.
The clients concerned are
connecting to a FreeIPA service and sshds running on Fedora 30 boxes.
(In reply to James Ettle from comment #3)
> Using sssd-kcm from 38214051 broke Kerberos login altogether. Login
> functionality restored with that build by removing sssd-kcm and restarting
> sssd.
> The clients concerned are
> connecting to a FreeIPA service and sshds running on Fedora 30 boxes.
It works for me with
sh$ rpm -q openssh-clients sssd-kcm
We need more information or a detailed reproducer.
sh$ export KRB5_TRACE=/tmp/openssh_krb5_trace
sh$ ssh -vvv firstname.lastname@example.org
And manually run kinit to avoid issues with BZ1757224.
And please provide the output of ssh and the content of /tmp/openssh_krb5_trace.
I upgraded to openssh-clients-8.1p1-1 and it still works for me.
OK, apologies -- looks like I was too hasty. This time I reinstalled the packages from 38214051 and completely rebooted rather than just restarting sssd. This time login works, and now Kerberised services are working.
Thanks for the help -- I think this can probably be closed as a dup of 1757224
*** This bug has been marked as a duplicate of bug 1757224 ***