Bug 1762881 - sssd-kcm breaks Kerberos authentication with remote services
Status: CLOSED DUPLICATE of bug 1757224
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 31
Hardware: Unspecified
OS: Unspecified
Assignee: Michal Zidek
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-10-17 18:02 UTC by James
Modified: 2019-10-17 20:17 UTC
Last Closed: 2019-10-17 20:17:22 UTC
Type: Bug

Description James 2019-10-17 18:02:55 UTC
Description of problem:
With sssd-kcm installed, I can log in and according to klist the TGT is there. However I can't use it to connect to services including ssh on other machines and the FreeIPA web interface. These things work if I remove sssd-kcm and go back to the kernel keyring.

Version-Release number of selected component (if applicable):
sssd-2.2.2-1.fc31.x86_64
freeipa-client-4.8.1-3.fc31.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Configure F31 workstation using ipa-client-install (standard config, worked OK in Fedora 30).
2. Reboot, log in using realm credentials and get TGT.
3. Attempt to connect to Kerberised remote service.

Actual results:
Kerberos credentials not used. Password prompt appears.

Expected results:
Access granted through single sign-on.

Additional info:
Will provide logs upon request. Nothing incriminating seen in journalctl -u sssd-kcm.

Comment 1 Sumit Bose 2019-10-17 18:20:30 UTC
Hi,

this sounds a bit like https://bugzilla.redhat.com/show_bug.cgi?id=1757224. Can you give the test build from comment #55 at https://koji.fedoraproject.org/koji/taskinfo?taskID=38214051 a try? To download the packages in a single run you can use:

    curl 'https://koji.fedoraproject.org/koji/taskinfo?taskID=38214051' | grep -o '"https://.*\.rpm"' | xargs -n 1 curl -O

HTH

bye,
Sumit

Comment 2 Simo Sorce 2019-10-17 18:26:02 UTC
James,
what client are you using?

Also see Sumit's reply if you are using standard built Fedora clients like curl, or openssh.

Comment 3 James 2019-10-17 18:30:48 UTC
Using sssd-kcm from 38214051 broke Kerberos login altogether. Login functionality restored with that build by removing sssd-kcm and restarting sssd.

The clients concerned are

openssh-8.1p1-1.fc31.x86_64
firefox-69.0.3-1.fc31.x86_64

connecting to a FreeIPA service and sshds running on Fedora 30 boxes.

Comment 4 Lukas Slebodnik 2019-10-17 19:09:39 UTC
(In reply to James Ettle from comment #3)
> Using sssd-kcm from 38214051 broke Kerberos login altogether. Login
> functionality restored with that build by removing sssd-kcm and restarting
> sssd.
> 
> The clients concerned are
> 
> openssh-8.1p1-1.fc31.x86_64
> firefox-69.0.3-1.fc31.x86_64
> 
> connecting to a FreeIPA service and sshds running on Fedora 30 boxes.

It works for me with 
sh$ rpm -q openssh-clients sssd-kcm
openssh-clients-8.0p1-8.fc31.1.x86_64
sssd-kcm-2.2.2-1.fc32.x86_64

We need more information or a detailed reproducer.
sh$ export KRB5_TRACE=/tmp/openssh_krb5_trace
sh$ ssh -vvv user

And manually run kinit to avoid issues with BZ1757224.
And please provide the output of ssh and the content of /tmp/openssh_krb5_trace

Comment 5 Lukas Slebodnik 2019-10-17 19:12:34 UTC
I upgraded into openssh-clients-8.1p1-1 and it still works for me.

Comment 6 James 2019-10-17 19:22:06 UTC
OK, apologies -- looks like I was too hasty. This time I reinstalled the packages from 38214051 and completely rebooted rather than just restarting sssd. This time login works, and now Kerberised services are working.

Thanks for the help -- I think this can probably be closed as a dup of 1757224

Comment 7 Simo Sorce 2019-10-17 20:17:22 UTC

*** This bug has been marked as a duplicate of bug 1757224 ***

