Bug 2095356 - Password auth against FreeIPA server no longer works after update to Fedora 36
Status: CLOSED DUPLICATE of bug 2094685
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 36
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: sssd-maintainers
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2022-06-09 15:54 UTC by Thomas Boroske
Modified: 2022-06-09 16:21 UTC (History)

Last Closed: 2022-06-09 16:21:28 UTC
Type: Bug


Attachments
krb5_child.log of attempt to login using password auth (19.80 KB, text/x-emacs-lisp)
2022-06-09 15:54 UTC, Thomas Boroske

Description Thomas Boroske 2022-06-09 15:54:22 UTC
Created attachment 1888388
krb5_child.log of attempt to login using password auth

I recently upgraded a Fedora 35 system to Fedora 36.

After the upgrade, using any type of password auth against the FreeIPA server no longer works (ssh, su, sudo), only local user logins or ssh public key login.

The problem seems to have to do with the new sssd package. 

I can see an error message in dmesg:

[  743.242553] sssd_be[848]: segfault at 18 ip 00007f9bd8b5559c sp 00007ffd21604bc0 error 4 in libc.so.6[7f9bd8aeb000+173000]


I also enabled debug logging in sssd.conf and got error messages in 

/var/log/sssd/krb5_child.log

excerpt (see attachment for full log of login attempt): 
[...]

(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0400): [RID#18] TGT verified using key for [host/zeus.net.ida].
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_child_krb5_trace_cb] (0x4000): [RID#18] [1808] 1654779082.856019: Retrieving thomasb -> host/zeus.net.ida from MEMORY:rd_req2 with result: 0/Success

(2022-06-09 14:51:22): [krb5_child[1808]] [sss_extract_pac] (0x0040): [RID#18] No PAC authdata available.
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0020): [RID#18] PAC check failed for principal [thomasb].
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_child_krb5_trace_cb] (0x4000): [RID#18] [1808] 1654779082.856020: Destroying ccache MEMORY:rd_req2

(2022-06-09 14:51:22): [krb5_child[1808]] [get_and_save_tgt] (0x0020): [RID#18] 2045: [1432158308][Unknown code UUz 100]
(2022-06-09 14:51:22): [krb5_child[1808]] [map_krb5_error] (0x0020): [RID#18] [1432158308][PAC check failed].
(2022-06-09 14:51:22): [krb5_child[1808]] [k5c_send_data] (0x0200): [RID#18] Received error code 1432158308
(2022-06-09 14:51:22): [krb5_child[1808]] [pack_response_packet] (0x2000): [RID#18] response packet size: [20]
(2022-06-09 14:51:22): [krb5_child[1808]] [k5c_send_data] (0x4000): [RID#18] Response sent.
(2022-06-09 14:51:22): [krb5_child[1808]] [main] (0x0400): [RID#18] krb5_child completed successfully



I had to roll back the system to before the update for now but am willing to attempt again if additional data is needed.

Comment 1 Sumit Bose 2022-06-09 16:21:28 UTC
As a work-around set

    pac_check = check_upn, check_upn_dns_info_ex

in the [pac] section of sssd.conf.

*** This bug has been marked as a duplicate of bug 2094685 ***
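
A triage sketch for the failure shown in the description, added here as an example and not part of the bug report or of SSSD: it groups krb5_child.log lines by child PID and RID and reports each request where validate_tgt logged a PAC check failure, noting whether the ticket carried no PAC at all. The function and variable names are made up for this example, the last two sample lines are constructed, and debug logging is assumed to be enabled as in the description.

```python
import re
from collections import defaultdict

# First four lines are taken from the excerpt above; the last two are
# constructed to represent a request that did not fail.
SAMPLE_LOG = """\
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0400): [RID#18] TGT verified using key for [host/zeus.net.ida].
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_extract_pac] (0x0040): [RID#18] No PAC authdata available.
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0020): [RID#18] PAC check failed for principal [thomasb].
(2022-06-09 14:51:22): [krb5_child[1808]] [k5c_send_data] (0x0200): [RID#18] Received error code 1432158308
(2022-06-09 14:52:10): [krb5_child[1901]] [validate_tgt] (0x0400): [RID#19] TGT verified using key for [host/zeus.net.ida].
(2022-06-09 14:52:10): [krb5_child[1901]] [k5c_send_data] (0x0200): [RID#19] Received error code 0
"""

# (timestamp): [krb5_child[pid]] [function] (debug level): [RID#n] message
LINE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$")
PRINCIPAL = re.compile(r"PAC check failed for principal \[([^\]]+)\]")
ERRCODE = re.compile(r"Received error code (\d+)")


def pac_failures(log_text):
    """Return one record per (pid, RID) request whose PAC check failed."""
    reqs = defaultdict(lambda: {"ts": None, "principal": None,
                                "pac_missing": False, "error_code": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank lines or lines in another format
        rec = reqs[(int(m["pid"]), int(m["rid"]))]
        msg = m["msg"]
        if "No PAC authdata available" in msg:
            rec["pac_missing"] = True  # ticket carried no PAC at all
        elif (p := PRINCIPAL.search(msg)):
            rec["principal"], rec["ts"] = p.group(1), m["ts"]
        elif (e := ERRCODE.search(msg)):
            rec["error_code"] = int(e.group(1))
    # Only requests where validate_tgt named a failing principal are reported.
    return [dict(pid=pid, rid=rid, **rec)
            for (pid, rid), rec in reqs.items() if rec["principal"]]


if __name__ == "__main__":
    for failure in pac_failures(SAMPLE_LOG):
        print(failure)
```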

