Bug 2094685 - Default of 'pac_check' is too strict
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 36
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: sssd-maintainers
QA Contact: Fedora Extras Quality Assurance
Duplicates: 2094648 2094948 2095086 2095102 2095176 2095228 2095356
Reported: 2022-06-08 07:57 UTC by Sumit Bose
Modified: 2022-06-17 01:18 UTC

Fixed In Version: sssd-2.7.1-2.fc36 sssd-2.7.1-2.fc35
Last Closed: 2022-06-11 01:58:03 UTC
Type: Bug

Description Sumit Bose 2022-06-08 07:57:01 UTC
Description of problem:
Default of 'pac_check' is too strict; it currently requires that a PAC is present when using the ipa or ad provider. While it would work with the AD provider in most cases, for ipa there is a fair chance that the PAC will not be available.

If authentication fails and there are messages like "[validate_tgt] ... PAC check failed for principal ..." you are most probably affected by this issue. As a work-around set

    pac_check = check_upn, check_upn_dns_info_ex

in the [pac] section of sssd.conf.
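
Added example (not part of the original report and not SSSD code): a small Python triage helper that looks for the failure message quoted above in log lines and reports whether the work-around value is set in the [pac] section. The sample configuration, log lines and principal names are constructed, and the log layout around the two quoted fragments is an assumption.

```python
import configparser
import re

# Only "[validate_tgt]" and "PAC check failed for principal" come from the
# report; the rest of each log line's layout is assumed.
FAILURE_RE = re.compile(r"\[validate_tgt\].*PAC check failed for principal\s+(.+)")
WORKAROUND = {"check_upn", "check_upn_dns_info_ex"}  # value from the report

def pac_check_setting(conf_text):
    """Return pac_check from the [pac] section as a list, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_option("pac", "pac_check"):
        return None
    return [v.strip() for v in cp.get("pac", "pac_check").split(",") if v.strip()]

def failed_principals(log_lines):
    """Collect principals named in 'PAC check failed' messages."""
    found = set()
    for line in log_lines:
        m = FAILURE_RE.search(line)
        if m:
            found.add(m.group(1).strip(" []."))
    return sorted(found)

def triage(conf_text, log_lines):
    """Combine the log signature with the current [pac] configuration."""
    setting = pac_check_setting(conf_text)
    principals = failed_principals(log_lines)
    return {
        "affected": bool(principals),
        "principals": principals,
        "pac_check": setting,
        "workaround_applied": setting is not None and set(setting) == WORKAROUND,
    }

# Constructed sample input (not taken from a real system).
SAMPLE_CONF = "[sssd]\ndomains = ipa.example.test\n\n[domain/ipa.example.test]\nid_provider = ipa\n"
SAMPLE_LOG = [
    "(2022-06-08  8:01:12): [krb5_child[4242]] [validate_tgt] (0x0020): PAC check failed for principal [alice@IPA.EXAMPLE.TEST].",
    "(2022-06-08  8:01:12): [krb5_child[4242]] [main] (0x0400): unrelated constructed line",
    "(2022-06-08  8:03:40): [krb5_child[4250]] [validate_tgt] (0x0020): PAC check failed for principal [bob@IPA.EXAMPLE.TEST].",
]

if __name__ == "__main__":
    print(triage(SAMPLE_CONF, SAMPLE_LOG))
    fixed = SAMPLE_CONF + "\n[pac]\npac_check = check_upn, check_upn_dns_info_ex\n"
    print(triage(fixed, []))
```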

Comment 1 Sumit Bose 2022-06-08 08:00:11 UTC
*** Bug 2094648 has been marked as a duplicate of this bug. ***

Comment 2 Sumit Bose 2022-06-08 08:14:05 UTC
Upstream pull-request with a fix https://github.com/SSSD/sssd/pull/6204.

Comment 3 Sumit Bose 2022-06-09 05:16:26 UTC
*** Bug 2095086 has been marked as a duplicate of this bug. ***

Comment 4 Sumit Bose 2022-06-09 05:17:31 UTC
*** Bug 2095102 has been marked as a duplicate of this bug. ***

Comment 5 Sumit Bose 2022-06-09 05:18:42 UTC
*** Bug 2094948 has been marked as a duplicate of this bug. ***

Comment 6 Sumit Bose 2022-06-09 08:28:50 UTC
*** Bug 2095176 has been marked as a duplicate of this bug. ***

Comment 7 Alexey Tikhonov 2022-06-09 09:02:36 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6204

* `master`
    * 55e93cf1cf4d61c6de7975cbdc97a723545586c0 - pac: relax default for pac_check option
* `sssd-2-7`
    * 26d8601e9b4e35ff89ca9fa72b9db05199096b56 - pac: relax default for pac_check option

Comment 8 Fedora Update System 2022-06-09 09:21:24 UTC
FEDORA-2022-1f115ce8d2 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-1f115ce8d2

Comment 9 Fedora Update System 2022-06-09 09:22:34 UTC
FEDORA-2022-6d9be7e4c4 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-6d9be7e4c4

Comment 10 James 2022-06-09 09:32:43 UTC
I'd like to commend the rapid response here.

Has upstream added a regression test to ensure this doesn't happen again?

Comment 11 Iker Pedrosa 2022-06-09 10:54:24 UTC
*** Bug 2095228 has been marked as a duplicate of this bug. ***

Comment 12 Fedora Update System 2022-06-09 14:37:41 UTC
FEDORA-2022-6d9be7e4c4 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-6d9be7e4c4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-6d9be7e4c4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2022-06-09 14:48:44 UTC
FEDORA-2022-1f115ce8d2 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-1f115ce8d2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-1f115ce8d2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Sumit Bose 2022-06-09 16:21:28 UTC
*** Bug 2095356 has been marked as a duplicate of this bug. ***

Comment 15 Fedora Update System 2022-06-11 01:58:03 UTC
FEDORA-2022-6d9be7e4c4 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 16 Fedora Update System 2022-06-17 01:18:55 UTC
FEDORA-2022-1f115ce8d2 has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.