RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1807094 - _srv_ entry should be processed irrespective of its position in the krb5_server list
Summary: _srv_ entry should be processed irrespective of its position in the krb5_serv...
Keywords:
Status: CLOSED DUPLICATE of bug 1859315
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Paweł Poławski
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
: 1807076 1807086 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-25 15:22 UTC by Amith
Modified: 2021-08-26 16:19 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-08-25 07:27:07 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)

Description Amith 2020-02-25 15:22:58 UTC 
Description of problem:
This issue is copied from 7.7 bug 1807065

In a scenario wherein following conditions are applied to krb5_server list ie,

first)  _srv_ entry is used in the list for krb5_server 
second) krb5kdc service is down in other SERVER's in the list 
third)  All servers in the list are resolvable

then it appears that _srv_ should be the first entry in the list otherwise failover doesn't work and user authentication fails. The following combinations fail to work:

krb5_server = Server-valid.example.com,Server2-valid.example.com,_srv_
krb5_server = Server-valid.example.com,_srv_
krb5_server = 10.16.200.11,_srv_

Lets assume that a server invalid.example.com is unresolvable, then following combination also fails:
krb5_server = _srv_,invalid.example.com
krb5_server = invalid.example,com,10.16.200.11,_srv_

However the below combinations work:

krb5_server = _srv_,Server-valid.example.com,Server2-valid.example.com
krb5_server = _srv_
krb5_server = _srv_,10.16.200.11
krb5_server = _srv_,10.16.200.11,Server-valid.example.com

Version-Release number of selected component (if applicable):
sssd-2.2.3-16.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup a DNS server with valid KRB Server name and SRV records. 

A forward zone example would be:
-------------------------------
$TTL 604800
@       IN      SOA     Server1-valid.example.com. root.Server1-valid.example.com. (
                        2010050702 ; serial
                        604800 ; refresh
                        86400 ; retry
                        2419200 ; expire
                        10800 ; negative caching time
                        )
example.com.         IN NS  Server1-valid.example.com.
_ldap._tcp      IN SRV 1 0 389 Server1-valid
_kerberos._udp  IN SRV 0 0 88 Server1-valid
Server1-valid	IN A   10.19.34.83
Server2-valid   IN A   10.16.216.102
Server-valid    IN A   10.16.216.110
--------------------------------

2. Setup SSSD domain section with any one of the above failing krb5_server combination:

[domain/LDAP]
debug_level=0xFFF0
id_provider = ldap
ldap_uri = ldap://Server1-valid.example.com
ldap_search_base = dc=example,dc=com
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = Server-valid.example.com,_srv_
dns_discovery_domain = example.com

3. Ensure that Server-valid.example.com is resolvable and krb service is down, In this case, SSSD will be forced to use _srv_ to identify the working server.

4. Restart SSSD service and execute a user login. You will see that user auth fails. 

Actual results:
User auth fails whenever _srv_ is not the first entry in the krb_server list.

Expected results:
Failover should work and _srv_ should be processed irrespective of its position in the krb5_server list.

Additional info:
Comment 1 Pavel Březina 2020-03-05 16:24:22 UTC 
*** Bug 1807086 has been marked as a duplicate of this bug. ***
Comment 3 Alexey Tikhonov 2021-03-08 14:28:50 UTC 
*** Bug 1807076 has been marked as a duplicate of this bug. ***
Comment 7 RHEL Program Management 2021-08-25 07:27:07 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Comment 8 Alexey Tikhonov 2021-08-26 16:19:22 UTC 
Pawel says the root cause is the same as in bz 1859315

*** This bug has been marked as a duplicate of bug 1859315 ***
Note You need to log in before you can comment on or make changes to this bug.