Bug 1893698 - [RFE] sudo kerberos authentication
Summary: [RFE] sudo kerberos authentication
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Pavel Březina
QA Contact: shridhar
Josip Vilicic
URL:
Whiteboard: sync-to-jira review
Depends On:
Blocks:
 
Reported: 2020-11-02 11:53 UTC by Alexey Tikhonov
Modified: 2021-05-18 15:04 UTC (History)

Fixed In Version: sssd-2.4.0-6.el8
Doc Type: Enhancement
Doc Text:
.New GSSAPI PAM module for passwordless `sudo` authentication with SSSD With the new `pam_sss_gss.so` Pluggable Authentication Module (PAM), you can configure the System Security Services Daemon (SSSD) to authenticate users to PAM-aware services with the Generic Security Service Application Programming Interface (GSSAPI). For example, you can use this module for passwordless `sudo` authentication with a Kerberos ticket. For additional security in an IdM environment, you can configure SSSD to grant access only to users with specific authentication indicators in their tickets, such as users that have authenticated with a smart card or a one-time password. For additional information, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/granting-sudo-access-to-an-idm-user-on-an-idm-client_configuring-and-managing-idm[Granting sudo access to an IdM user on an IdM client].
Clone Of:
Environment:
Last Closed: 2021-05-18 15:03:59 UTC
Type: Feature Request
Target Upstream Version:
Embargoed:



Description Alexey Tikhonov 2020-11-02 11:53:11 UTC
Goal: Make sudo accept an existing kerberos ticket as authentication. This should be off by default with an admin opt-in to enable this.

In this scenario there is a design catch: with a ticket, sudo would effectively behave like NOPASSWD, i. e. every process in the session can run commands as root without further interactive authentication. This is rather unavoidable in this scenario, but this is why it should be explicitly enabled by the admin and not be allowed by default.

Implementation: We most probably don't want to modify sudo itself, but we can have SSSD PAM module that checks the opt-in enablement and user tickets, and provides sufficient auth to sudo.

Comment 1 Alexey Tikhonov 2020-11-02 11:56:36 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/5367

Comment 8 Sumit Bose 2020-12-16 14:51:40 UTC
Upstream master:
        d09aa17 - pam: add pam_sss_gss module for gssapi authentication
        fffe316 - pam: add pam_gssapi_check_upn option
        d63172f - pam: add pam_gssapi_services option
        dcc4201 - pam: fix typo in debug message
        a3e2677 - cache_req: add helper to call user by upn search
        6715b31 - domain: store hostname and keytab path
        3b0e48c - packet: add sss_packet_set_body
        45f2eb5 - sss_format.h: include config.h

Comment 9 Sumit Bose 2021-01-06 15:32:19 UTC
Hi,

to test this feature I would recommend using an AD or IPA client and adding

    auth sufficient pam_sss_gss.so debug

('debug' is not needed but useful for a start) as the first line of the 'auth' block in /etc/pam.d/sudo and /etc/pam.d/sudo-i (I guess authselect will have an option in future for this). And add 'KRB5CCNAME' to 'env_keep' in /etc/sudoers. Finally add

    pam_gssapi_services = sudo, sudo-i

to either the [pam] or the [domain/...] section in sssd.conf and restart SSSD. See man pam_sss_gss for details.

Now log in as AD or IPA user and call

    sudo id

which should display the 'id' output for the 'root' user. If you now call

    sudo -k
    kdestroy -A
    sudo id

'sudo' should now ask for a password. With a new Kerberos ticket

    sudo -k
    kdestroy -A
    kinit username
    sudo id

should show the 'id' output again without asking for a password.

As a negative test you can try to use the Kerberos ticket of a different user:

    sudo -k
    kdestroy -A
    kinit other_username
    sudo id

Here 'sudo' should ask for a password again since the ticket of a different user is not accepted by default. If you now add

    pam_gssapi_check_upn = False

to the [pam] section in sssd.conf and restart SSSD the same sequence


    sudo -k
    kdestroy -A
    kinit other_username
    sudo id

should show the 'id' output without asking for a password since now all valid Kerberos tickets are accepted.

This should cover the basic functionality.

bye,
Sumit
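
As an added example (not part of this bug report and not SSSD's own code), the following Python script audits the three opt-in settings the procedure above relies on before anyone trusts the passwordless path: the `pam_sss_gss.so` entry must be the first `auth` line and marked `sufficient`, `/etc/sudoers` must keep `KRB5CCNAME` so sudo can see the caller's ccache, and `pam_gssapi_services` must list `sudo` in the `[pam]` or a `[domain/...]` section. It also reports every section where `pam_gssapi_check_upn = False` is set, because that setting widens acceptance from "the calling user's own ticket" to "any valid ticket of the realm", which is the negative case tested later in this thread. The sample file contents are constructed from the values shown in the comments; the function names and the audit result layout are my own.

```python
"""Audit the opt-in settings that pam_sss_gss needs for passwordless sudo.

Constructed sample inputs mirror the snippets posted in this bug; on a real
host you would read /etc/pam.d/sudo, /etc/sudoers and /etc/sssd/sssd.conf.
"""
import configparser
import re

# Constructed samples (values taken from the test transcript in this bug).
SAMPLE_PAM_SUDO = """#%PAM-1.0
auth       sufficient   pam_sss_gss.so debug
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
"""

SAMPLE_SUDOERS = """Defaults    env_reset
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY KRB5CCNAME"
amy-admin.qe	ALL=(ALL)   ALL
"""

SAMPLE_SSSD_CONF = """[sssd]
domains = ad.baseos.qe
services = nss, pam

[domain/ad.baseos.qe]
id_provider = ad
fallback_homedir = /home/%u@%d
pam_gssapi_services = sudo, sudo-i

[pam]
pam_gssapi_check_upn = False
"""


def pam_gss_is_first_sufficient_auth(pam_text: str) -> bool:
    """True if the first non-comment 'auth' entry is 'sufficient pam_sss_gss.so'.

    Any earlier 'auth' line (e.g. 'include system-auth') would prompt for a
    password before the ticket is ever consulted.
    """
    for line in pam_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != "auth":
            continue
        return (len(fields) >= 3 and fields[1] == "sufficient"
                and fields[2].endswith("pam_sss_gss.so"))
    return False


# Matches a 'Defaults ... env_keep = "..."' or 'env_keep += "..."' line.
ENV_KEEP_RE = re.compile(r'^\s*Defaults\b.*\benv_keep\s*\+?=\s*"?([^"\n]*)"?', re.M)


def sudoers_keeps_krb5ccname(sudoers_text: str) -> bool:
    """True if some Defaults env_keep line preserves KRB5CCNAME for sudo."""
    return any("KRB5CCNAME" in m.group(1).split()
               for m in ENV_KEEP_RE.finditer(sudoers_text))


def load_sssd_conf(text: str) -> configparser.ConfigParser:
    # interpolation=None: sssd.conf values such as /home/%u@%d contain '%'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def gssapi_enabled_for(cp: configparser.ConfigParser, service: str) -> list:
    """Sections ([pam] or [domain/...]) whose pam_gssapi_services lists 'service'."""
    hits = []
    for section in cp.sections():
        if section != "pam" and not section.startswith("domain/"):
            continue
        raw = cp.get(section, "pam_gssapi_services", fallback=None)
        if raw and service in {s.strip() for s in raw.split(",")}:
            hits.append(section)
    return sorted(hits)


def upn_check_disabled(cp: configparser.ConfigParser) -> list:
    """Sections where pam_gssapi_check_upn is off (any realm ticket is accepted)."""
    return sorted(s for s in cp.sections()
                  if (cp.get(s, "pam_gssapi_check_upn", fallback="true")
                      .strip().lower() in ("false", "no", "0")))


def audit(pam_sudo_text: str, sudoers_text: str, sssd_conf_text: str) -> dict:
    """Summarise the three opt-ins plus the UPN-check relaxation."""
    cp = load_sssd_conf(sssd_conf_text)
    return {
        "pam_sudo_ok": pam_gss_is_first_sufficient_auth(pam_sudo_text),
        "sudoers_keeps_ccache": sudoers_keeps_krb5ccname(sudoers_text),
        "gssapi_sections_for_sudo": gssapi_enabled_for(cp, "sudo"),
        "upn_check_disabled_in": upn_check_disabled(cp),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PAM_SUDO, SAMPLE_SUDOERS, SAMPLE_SSSD_CONF).items():
        print(f"{key}: {value}")
```

On the constructed samples the audit reports all three opt-ins present and flags `[pam]` for the disabled UPN check; an empty `gssapi_sections_for_sudo` list or a `False` in the first two fields explains a password prompt like the one in the `kdestroy -A` runs below, while a non-empty `upn_check_disabled_in` is the setting a reviewer should ask about.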

Comment 10 shridhar 2021-01-08 15:30:11 UTC
Tested with : sssd-2.4.0-5.el8.x86_64 

RHEL joined to the AD,

[root@ci-vm-10-0-139-42 tmp.TExXQvrjcr]# egrep amy /etc/sudoers
amy-admin.qe	ALL=(ALL)   ALL

[root@ci-vm-10-0-139-42 tmp.TExXQvrjcr]# egrep KRB5CCNAME /etc/sudoers
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY KRB5CCNAME"
[root@ci-vm-10-0-139-42 tmp.TExXQvrjcr]# cat /etc/pam.d/sudo
#%PAM-1.0
auth       sufficient   pam_sss_gss.so debug
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
[root@ci-vm-10-0-139-42 tmp.TExXQvrjcr]# cat /etc/pam.d/sudo-i
#%PAM-1.0
auth       sufficient   pam_sss_gss.so debug
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    include      sudo

[root@ci-vm-10-0-139-42 tmp.TExXQvrjcr]# cat /etc/sssd/sssd.conf 

[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = CI-VM-10-0-139-$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
pam_gssapi_services = sudo, sudo-i


[root@ci-vm-10-0-139-42 tmp.TExXQvrjcr]# ssh -l amy-admin.qe localhost
amy-admin.qe@localhost's password: 
*** 1minutetip system created by sgadekar - Fri Jan  8 08:56:21 EST 2021 ***
Last login: Fri Jan  8 09:07:26 2021 from ::1
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ sudo -l
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 1366201107
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: Amy-admin.qe
pam_sss_gss: User domain: ad.baseos.qe
pam_sss_gss: User principal: 
pam_sss_gss: Target name: host.upshift.rdu2.redhat.com
pam_sss_gss: Using ccache: KCM:
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 1366201107 to 0
pam_sss_gss: Authentication successful
Matching Defaults entries for amy-admin.qe on ci-vm-10-0-139-42:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY KRB5CCNAME", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User amy-admin.qe may run the following commands on ci-vm-10-0-139-42:
    (ALL) ALL
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ sudo id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ sudo -k
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ kdestroy -A
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ sudo id
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 1366201107
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: Amy-admin.qe
pam_sss_gss: User domain: ad.baseos.qe
pam_sss_gss: User principal: 
pam_sss_gss: Target name: host.upshift.rdu2.redhat.com
pam_sss_gss: Using ccache: KCM:
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Unable to read credentials from [KCM:] [maj:0xd0000, min:0x96c73ac3]
pam_sss_gss: GSSAPI: Unspecified GSS failure.  Minor code may provide more information
pam_sss_gss: GSSAPI: No credentials cache found
pam_sss_gss: Switching euid from 1366201107 to 0
pam_sss_gss: System error [5]: Input/output error
[sudo] password for amy-admin.qe: 
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ sudo -k
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ kdestroy -A
 
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ klist
Ticket cache: KCM:1366201107
Default principal: Amy-admin.QE

Valid starting       Expires              Service principal
01/08/2021 09:11:48  01/08/2021 19:11:48  krbtgt/AD.BASEOS.QE.QE
	renew until 01/15/2021 09:11:44
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ sudo id
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 1366201107
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: Amy-admin.qe
pam_sss_gss: User domain: ad.baseos.qe
pam_sss_gss: User principal: 
pam_sss_gss: Target name: host.upshift.rdu2.redhat.com
pam_sss_gss: Using ccache: KCM:
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 1366201107 to 0
pam_sss_gss: Authentication successful
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

=======================================
sudo with different user's kerberos ticket

[amy-admin.qe@ci-vm-10-0-139-42 ~]$ sudo -k
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ kdestroy -A
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ 
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ kinit Amy-posix.QE
Password for Amy-posix.QE: 
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ sudo id
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 1366201107
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: Amy-admin.qe
pam_sss_gss: User domain: ad.baseos.qe
pam_sss_gss: User principal: 
pam_sss_gss: Target name: host.upshift.rdu2.redhat.com
pam_sss_gss: Using ccache: KCM:
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Communication error [3, 13]: Error in service module; Permission denied
pam_sss_gss: Switching euid from 1366201107 to 0
pam_sss_gss: System error [13]: Permission denied
[sudo] password for amy-admin.qe: 
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ logout
Connection to localhost closed.
[root@ci-vm-10-0-139-42 tmp.TExXQvrjcr]# vim /etc/sssd/sssd.conf 
[root@ci-vm-10-0-139-42 tmp.TExXQvrjcr]# ssh -l amy-admin.qe localhost
amy-admin.qe@localhost's password: 
*** 1minutetip system created by sgadekar - Fri Jan  8 08:56:21 EST 2021 ***
Last login: Fri Jan  8 09:08:53 2021 from ::1
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ klist
Ticket cache: KCM:1366201107
Default principal: Amy-posix.QE

Valid starting       Expires              Service principal
01/08/2021 09:12:49  01/08/2021 19:12:49  krbtgt/AD.BASEOS.QE.QE
	renew until 01/15/2021 09:12:45
01/08/2021 09:12:54  01/08/2021 19:12:49  host/ci-vm-10-0-139-42.hosted.upshift.rdu2.redhat.com@
	renew until 01/15/2021 09:12:45
	Ticket server: host/ci-vm-10-0-139-42.hosted.upshift.rdu2.redhat.com.QE

---------------------

[root@ci-vm-10-0-139-42 tmp.TExXQvrjcr]# cat /etc/sssd/sssd.conf 

[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam

[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = CI-VM-10-0-139-$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
pam_gssapi_services = sudo, sudo-i

[pam]
pam_gssapi_check_upn = False


[amy-admin.qe@ci-vm-10-0-139-42 ~]$ sudo -k
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ kdestroy -A
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ kinit Amy-posix.QE
Password for Amy-posix.QE: 

[root@ci-vm-10-0-139-42 tmp.TExXQvrjcr]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd
[root@ci-vm-10-0-139-42 tmp.TExXQvrjcr]# ssh -l amy-admin.qe localhost
amy-admin.qe@localhost's password: 
*** 1minutetip system created by sgadekar - Fri Jan  8 08:56:21 EST 2021 ***
Last login: Fri Jan  8 09:15:02 2021 from ::1
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ klist
Ticket cache: KCM:1366201107
Default principal: Amy-posix.QE

Valid starting       Expires              Service principal
01/08/2021 09:15:31  01/08/2021 19:15:31  krbtgt/AD.BASEOS.QE.QE
	renew until 01/15/2021 09:15:27
01/08/2021 09:15:38  01/08/2021 19:15:31  host/ci-vm-10-0-139-42.hosted.upshift.rdu2.redhat.com@
	renew until 01/15/2021 09:15:27
	Ticket server: host/ci-vm-10-0-139-42.hosted.upshift.rdu2.redhat.com.QE

[amy-admin.qe@ci-vm-10-0-139-42 ~]$ sudo -l
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 1366201107
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: Amy-admin.qe
pam_sss_gss: User domain: ad.baseos.qe
pam_sss_gss: User principal: 
pam_sss_gss: Target name: host.upshift.rdu2.redhat.com
pam_sss_gss: Using ccache: KCM:
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 1366201107 to 0
pam_sss_gss: Authentication successful
Matching Defaults entries for amy-admin.qe on ci-vm-10-0-139-42:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY KRB5CCNAME", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User amy-admin.qe may run the following commands on ci-vm-10-0-139-42:
    (ALL) ALL
[amy-admin.qe@ci-vm-10-0-139-42 ~]$ sudo id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023



Marking verified-> tested

Comment 13 Alexey Tikhonov 2021-01-09 22:52:27 UTC
This patchset introduces a number of warnings:

1. Defect type: RESOURCE_LEAK
   sssd-2.4.0/src/sss_client/pam_sss_gss.c:556: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
2. Defect type: RESOURCE_LEAK
   sssd-2.4.0/src/sss_client/pam_sss_gss.c:321: leaked_storage: Variable "reply" going out of scope leaks the storage it points to.
3. Defect type: RESOURCE_LEAK
   sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "username" going out of scope leaks the storage it points to.
4. Defect type: RESOURCE_LEAK
   sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "upn" going out of scope leaks the storage it points to.
5. Defect type: RESOURCE_LEAK
   sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "target" going out of scope leaks the storage it points to.
6. Defect type: RESOURCE_LEAK
   sssd-2.4.0/src/sss_client/pam_sss_gss.c:260: leaked_storage: Variable "domain" going out of scope leaks the storage it points to.

1. Defect type: CLANG_WARNING
   sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'username'
2. Defect type: CLANG_WARNING
   sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'upn'
3. Defect type: CLANG_WARNING
   sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'target'
4. Defect type: CLANG_WARNING
   sssd-2.4.0/src/sss_client/pam_sss_gss.c:260:16: warning[unix.Malloc]: Potential leak of memory pointed to by 'domain'

Comment 15 Alexey Tikhonov 2021-01-11 10:26:27 UTC
Moving back to assigned to address covscan warnings.

Comment 17 Alexey Tikhonov 2021-01-11 17:01:06 UTC
Relevant commit: https://github.com/SSSD/sssd/commit/c0ae6d34ff7c170ca0e6d0faa8a2daf9a77becb7

Comment 19 Pavel Březina 2021-01-15 13:36:11 UTC
Additional patches.

Pushed PR: https://github.com/SSSD/sssd/pull/5453

* `master`
    * 111b8b4d62a4fe192c075e6f6bfacb408e6074b3 - pam_sss_gssapi: fix coverity issues
    * cc173629f30fbc885ee90e52a205554b118e0ee6 - gssapi: default pam_gssapi_services to NULL in domain section

Comment 22 shridhar 2021-01-25 17:09:00 UTC
[root@vm-10-0-111-154 ~]# rpm -q sssd
sssd-2.4.0-6.el8.x86_64
 
[root@vm-10-0-111-154 ~]# cat /etc/pam.d/sudo* 
#%PAM-1.0
auth       sufficient   pam_sss_gss.so debug
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
#%PAM-1.0
auth       sufficient   pam_sss_gss.so debug
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    include      sudo
[root@vm-10-0-111-154 ~]# cat /etc/sssd/sssd.conf 
[sssd]
domains = sgadekar2012r2.com
config_file_version = 2
services = nss, pam

[domain/sgadekar2012r2.com]
ad_domain = sgadekar2012r2.com
krb5_realm = SGADEKAR2012R2.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
#sudo_provider = ad
debug_level = 9
pam_gssapi_services = sudo, sudo-i
[root@vm-10-0-111-154 ~]# 


[root@vm-10-0-111-154 ~]# systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; rm -rf /var/log/sssd/* ; systemctl start sssd
[root@vm-10-0-111-154 ~]# ssh -l sudo_user1 localhost
sudo_user1@localhost's password: 
Activate the web console with: systemctl enable --now cockpit.socket

This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register

Last login: Mon Jan 25 11:04:32 2021 from ::1
Could not chdir to home directory /home/sudo_user1: No such file or directory
[sudo_user1@vm-10-0-111-154 /]$ sudo -l
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 1677801126
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: sudo_user1
pam_sss_gss: User domain: sgadekar2012r2.com
pam_sss_gss: User principal: 
pam_sss_gss: Target name: host.upshift.rdu2.redhat.com
pam_sss_gss: Using ccache: KCM:
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 1677801126 to 0
pam_sss_gss: Authentication successful
Matching Defaults entries for sudo_user1 on vm-10-0-111-154:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY KRB5CCNAME", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User sudo_user1 may run the following commands on vm-10-0-111-154:
    (ALL) ALL
[sudo_user1@vm-10-0-111-154 /]$ sudo id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[sudo_user1@vm-10-0-111-154 /]$ sudo -k
[sudo_user1@vm-10-0-111-154 /]$ kdestroy -A
[sudo_user1@vm-10-0-111-154 /]$ sudo id
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 1677801126
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: sudo_user1
pam_sss_gss: User domain: sgadekar2012r2.com
pam_sss_gss: User principal: 
pam_sss_gss: Target name: host.upshift.rdu2.redhat.com
pam_sss_gss: Using ccache: KCM:
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Unable to read credentials from [KCM:] [maj:0xd0000, min:0x96c73ac3]
pam_sss_gss: GSSAPI: Unspecified GSS failure.  Minor code may provide more information
pam_sss_gss: GSSAPI: No credentials cache found
pam_sss_gss: Switching euid from 1677801126 to 0
pam_sss_gss: System error [5]: Input/output error
[sudo] password for sudo_user1: 
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[sudo_user1@vm-10-0-111-154 /]$ sudo -k
[sudo_user1@vm-10-0-111-154 /]$ kdestroy -A
[sudo_user1@vm-10-0-111-154 /]$ kinit 
Password for sudo_user1: 
[sudo_user1@vm-10-0-111-154 /]$ sudo id
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 1677801126
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: sudo_user1
pam_sss_gss: User domain: sgadekar2012r2.com
pam_sss_gss: User principal: 
pam_sss_gss: Target name: host.upshift.rdu2.redhat.com
pam_sss_gss: Using ccache: KCM:
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 1677801126 to 0
pam_sss_gss: Authentication successful
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[sudo_user1@vm-10-0-111-154 /]$ 



===========================

[sudo_user1@vm-10-0-111-154 /]$ sudo -k
[sudo_user1@vm-10-0-111-154 /]$ kdestroy -A
[sudo_user1@vm-10-0-111-154 /]$ kinit Administrator
Password for Administrator: 
[sudo_user1@vm-10-0-111-154 /]$ klist
Ticket cache: KCM:1677801126
Default principal: Administrator

Valid starting       Expires              Service principal
01/25/2021 11:43:38  01/25/2021 21:43:38  krbtgt/SGADEKAR2012R2.COM
	renew until 01/26/2021 11:43:35
[sudo_user1@vm-10-0-111-154 /]$ sudo id
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 1677801126
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: sudo_user1
pam_sss_gss: User domain: sgadekar2012r2.com
pam_sss_gss: User principal: 
pam_sss_gss: Target name: host.upshift.rdu2.redhat.com
pam_sss_gss: Using ccache: KCM:
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Communication error [3, 32]: Error in service module; Broken pipe
pam_sss_gss: Switching euid from 1677801126 to 0
pam_sss_gss: System error [32]: Broken pipe
[sudo] password for sudo_user1: 
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[sudo_user1@vm-10-0-111-154 /]$ 


==============

kerberos ticket of different user

[sudo_user1@vm-10-0-111-154 /]$ logout
Connection to localhost closed.
[root@vm-10-0-111-154 ~]# cat /etc/sssd/sssd.conf 
[sssd]
domains = sgadekar2012r2.com
config_file_version = 2
services = nss, pam

[domain/sgadekar2012r2.com]
ad_domain = sgadekar2012r2.com
krb5_realm = SGADEKAR2012R2.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
#sudo_provider = ad
debug_level = 9
pam_gssapi_services = sudo, sudo-i

[pam]
pam_gssapi_check_upn = False


marking verified
Could not chdir to home directory /home/sudo_user1: No such file or directory
[sudo_user1@vm-10-0-111-154 /]$ sudo -k
[sudo_user1@vm-10-0-111-154 /]$ kdestroy -A
[sudo_user1@vm-10-0-111-154 /]$ kinit testuser837641
Password for testuser837641: 
[sudo_user1@vm-10-0-111-154 /]$ klist
Ticket cache: KCM:1677801126
Default principal: testuser837641

Valid starting       Expires              Service principal
01/25/2021 12:03:43  01/25/2021 22:03:43  krbtgt/SGADEKAR2012R2.COM
	renew until 01/26/2021 12:03:41
[sudo_user1@vm-10-0-111-154 /]$ sudo -l
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 1677801126
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: sudo_user1
pam_sss_gss: User domain: sgadekar2012r2.com
pam_sss_gss: User principal: 
pam_sss_gss: Target name: host.upshift.rdu2.redhat.com
pam_sss_gss: Using ccache: KCM:
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Switching euid from 1677801126 to 0
pam_sss_gss: Authentication successful
Matching Defaults entries for sudo_user1 on vm-10-0-111-154:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY KRB5CCNAME", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User sudo_user1 may run the following commands on vm-10-0-111-154:
    (ALL) ALL




marking verified.

Comment 31 errata-xmlrpc 2021-05-18 15:03:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666

