Bug 2095102 - SSSD 2.7.1 causes IPA/krb5 authentication to fail with messages such as the following in /var/log/sssd/sssd_DOMAIN.log
Status: CLOSED DUPLICATE of bug 2094685
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 36
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: sssd-maintainers
QA Contact: Fedora Extras Quality Assurance
Reported: 2022-06-09 03:46 UTC by Peter Larsen
Modified: 2022-06-09 05:20 UTC
Last Closed: 2022-06-09 05:17:31 UTC
Type: Bug

Description Peter Larsen 2022-06-09 03:46:45 UTC
Description of problem:
This issue is replicated in this BZ: 
https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1857082.html

After updating sssd to 2.7.1-1, logins using GDM to an IPA user fail.

Error in krb5_child.log:
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [sss_krb5_responder] (0x4000): [RID#22] Got question [password].
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [sss_krb5_expire_callback_func] (0x2000): [RID#22] exp_time: [10364636]
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x2000): [RID#22] Found keytab entry with the realm of the credential.
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0400): [RID#22] TGT verified using key for [host/boss.peterlarsen.org].
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [sss_extract_pac] (0x0040): [RID#22] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************

(2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC check failed for principal [peter].
(2022-06-08 23:28:04): [krb5_child[4535]] [get_and_save_tgt] (0x0020): [RID#22] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC check failed for principal [peter].
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [get_and_save_tgt] (0x0020): [RID#22] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE *********************************

Version-Release number of selected component (if applicable):
2.7.1-1

How reproducible:
Constant

Steps to Reproduce:
1. Update from 2.7.0-1 to 2.7.1-1

Actual results:
Login via GDM not possible

Expected results:
Login working

Additional info:
Downgrading to 2.7.0-1 allowed GDM to work again. 
Note, applying https://access.redhat.com/solutions/2210951 did not resolve the issue.

Comment 1 Sumit Bose 2022-06-09 05:17:31 UTC

*** This bug has been marked as a duplicate of bug 2094685 ***

Comment 2 Sumit Bose 2022-06-09 05:20:10 UTC
As a work-around set

    pac_check = check_upn, check_upn_dns_info_ex

in the [pac] section of sssd.conf.
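
An added example, not part of the bug report or of SSSD: Python that parses krb5_child.log lines in the format quoted in the description, groups them by krb5_child PID and RID, and reports each principal whose PAC check failed, noting whether "No PAC authdata available" was logged for the same request. The sample log, the principal alice, the host name client.example.test and the function name pac_failures are constructed for illustration.

```python
import re

# Constructed sample in the krb5_child.log format quoted in this report.
SAMPLE_LOG = """\
(2022-06-08 23:28:04): [krb5_child[4535]] [sss_extract_pac] (0x0040): [RID#22] No PAC authdata available.
(2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC check failed for principal [peter].
   *  (2022-06-08 23:28:04): [krb5_child[4535]] [validate_tgt] (0x0020): [RID#22] PAC check failed for principal [peter].
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 23:30:11): [krb5_child[4601]] [validate_tgt] (0x0020): [RID#31] PAC check failed for principal [alice].
(2022-06-08 23:31:40): [krb5_child[4650]] [validate_tgt] (0x0400): [RID#35] TGT verified using key for [host/client.example.test].
"""

# One debug line: optional backtrace "*" prefix, timestamp, child PID,
# function name, debug level, request ID, message.
LINE_RE = re.compile(
    r"^\s*(?:\*\s+)?\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"PAC check failed for principal \[(?P<principal>[^\]]+)\]")


def pac_failures(log_text):
    """Return one record per (pid, RID) whose TGT validation failed the PAC check."""
    no_pac = set()   # requests where the ticket carried no PAC at all
    failed = {}      # (pid, rid) -> record; keyed so backtrace repeats collapse
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # backtrace banners and unrelated lines
        key = (int(m["pid"]), int(m["rid"]))
        if m["func"] == "sss_extract_pac" and "No PAC authdata available" in m["msg"]:
            no_pac.add(key)
        f = FAIL_RE.search(m["msg"])
        if f and m["func"] == "validate_tgt":
            failed.setdefault(key, {"pid": key[0], "rid": key[1],
                                    "time": m["ts"], "principal": f["principal"]})
    for key, rec in failed.items():
        rec["pac_missing"] = key in no_pac
    return sorted(failed.values(), key=lambda r: (r["pid"], r["rid"]))


if __name__ == "__main__":
    for rec in pac_failures(SAMPLE_LOG):
        cause = "ticket had no PAC" if rec["pac_missing"] else "no missing-PAC line logged"
        print(f'{rec["time"]} RID#{rec["rid"]} {rec["principal"]}: {cause}')
```

Requests flagged with pac_missing match the failure shown in this report; the others failed the PAC check without a missing-PAC line being logged for the same request.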

