RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2144491 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
Summary: UPN check cannot be disabled explicitly but requires krb5_validate = false' a...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.7
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Sumit Bose
QA Contact: Jakub Vavra
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks: 2148989
TreeView+ depends on / blocked
 
Reported: 2022-11-21 13:10 UTC by Abhijit Roy
Modified: 2023-05-16 11:12 UTC (History)
9 users (show)

Fixed In Version: sssd-2.8.2-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2148989 (view as bug list)
Environment:
Last Closed: 2023-05-16 09:07:56 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 6451 0 None open UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around 2022-11-22 16:47:37 UTC
Github SSSD sssd pull 6452 0 None open PAC: allow to disable UPN check and relax default check 2022-11-23 20:14:13 UTC
Red Hat Issue Tracker RHELPLAN-140019 0 None None None 2022-11-21 13:21:47 UTC
Red Hat Issue Tracker SSSD-5198 0 None None None 2022-11-21 13:44:13 UTC
Red Hat Product Errata RHBA-2023:2986 0 None None None 2023-05-16 09:08:23 UTC

Description Abhijit Roy 2022-11-21 13:10:09 UTC 
Description of problem:

UPN check cannot be disabled explicitly but requires krb5_validate = false' as a workaround

The first is
that the UPN check cannot be disabled explicitly but requires
'krb5_validate = false' as a work-around, this is already fixed
by the test build provided by Sumit 

Version-Release number of selected component (if applicable):

RHEL 8.7

sssd-2.7.3-4.el8_7.1.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:

Failed login with AD user on IPA client

From sssd_pac.log

-----
   *  (2022-11-16  6:54:57): [pac] [cache_req_done] (0x0400): [CID#2] CR #0: Finished: Success
   *  (2022-11-16  6:54:57): [pac] [check_upn_and_sid_from_user_and_pac] (0x0020): [CID#2] UPN of user entry and PAC do not match.
********************** BACKTRACE DUMP ENDS HERE *********************************

(2022-11-16  6:55:08): [pac] [check_upn_and_sid_from_user_and_pac] (0x0020): [CID#4] UPN of user entry and PAC do not match.
   *  ... skipping repetitive backtrace ...
(2022-11-16  6:55:21): [pac] [check_upn_and_sid_from_user_and_pac] (0x0020): [CID#6] UPN of user entry and PAC do not match.
   *  ... skipping repetitive backtrace ...
(2022-11-16  6:55:31): [pac] [check_upn_and_sid_from_user_and_pac] (0x0020): [CID#8] UPN of user entry and PAC do not match.
   *  ... skipping repetitive backtrace ...
(2022-11-16  6:55:43): [pac] [check_upn_and_sid_from_user_and_pac] (0x0020): [CID#10] UPN of user entry and PAC do not match.
-----

Expected results:

With the test build.

------
(2022-11-17  4:03:50): [pac] [check_upn_and_sid_from_user_and_pac] (0x4000): [CID#2] UPN of user entry [abroy.COM] and PAC [Abhijit.Roy.com] do not match, ignored. <---
(2022-11-17  4:03:50): [pac] [sysdb_ldb_msg_difference] (0x2000): [CID#2] Added attr [pacBlob] to entry [name=aduser1.COM,cn=users,cn=AD.EXAMPLE.COM,cn=sysdb]
(2022-11-17  4:03:50): [pac] [sysdb_set_entry_attr] (0x0200): [CID#2] Entry [name=aduser1.COM,cn=users,cn=AD.EXAMPLE.COM,cn=sysdb] has set [cache, ts_cache] attrs.
------

Now, sssd is able to ignore the `UPN of user entry [abroy.COM] and PAC [Abhijit.Roy] do not match, ignored`


Additional info:
Comment 1 Alexey Tikhonov 2022-11-21 13:24:08 UTC 
From Sumit:
```
the PAC is a part of the Kerberos ticket issued by the AD DC and it
contains data about the user which are important to the operation
system. As you might know Kerberos is independent of the operating
system and by default does not have any details about the user which
might be important for an operating system, like e.g. a UID for
Linux/UNIX systems or a SID for Windows systems. But Kerberos allows to
add buffers with additional information to the Kerberos ticket and AD is
using this to add informations which are needed by Windows clients about
the AD users and this buffer is called PAC (Privilege Attribute
Certificate) and you can find the full spec at
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962.

The UPN, this user principal name, is the name used for Kerberos, i.e
the Kerberos principal. By default in AD this and is build form the
'sAMAccountName' LDAP attribute (the short Windows user name), an '@'
character and the domain name of the AD domain, e.g.
user.location.company.name. As you can see, depending on the
domain structure, this name can become quite long and cumbersome so that
AD allows a short-cut. You can set a user principal name with a
different user name part and an alternative domain suffix, e.g.
first.last. In LDAP this name is stored, if set, in the
'userPrincipalName' attribute.

As said the PAC contains information important for Windows but there is
currently nothing similar for Linux/UNIX and it turned out that there
are some issue when allowing Windows user to access Linux systems which
might lead e.g. to unexpected root access. In order to prevent this some
additional checks are added to the latest version of SSSD and one of the
checks, which is enabled by default is to check if the user principal
name which is present in the PAC matches the one SSSD can read from
LDAP.

The failed logins are caused by this check and the fact that at least in
your case 03360545 and Abhijit's case as well on the IPA servers
'ldap_user_principal = nosuchattr' is set. This means the LDAP server
will not read the 'userPrincipalName' attribute from the AD DC and SSSD
has to generate the user principal from the 'sAMAccountName' and the
domain name. But the PAC, which is generated by the AD DC, will still
contain the name from the 'userPrincipalName' attribute and as a result
the comparison fails.
```
Comment 5 Alexey Tikhonov 2022-11-23 20:14:13 UTC 
Upstream PR: https://github.com/SSSD/sssd/pull/6452
Comment 9 Alexey Tikhonov 2022-11-30 16:04:51 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/6452

* `master`
    * 51b11db8b99a77ba5ccf6f850c2e81b5a6ee9f79 - pac: relax default check
    * b3d7a4f6d4e1d4fa1bd33b296cd4301973f1860c - ipa: do not add guessed principal to the cache
    * 91789449b7a8b20056e1edfedd8f8cf92f7a0a2a - PAC: allow to disable UPN check
* `sssd-2-8`
    * 35a28524e407bf4b05a17c7c7f0b48799a18e8bf - pac: relax default check
    * a3304cc6b27b2f0678d0dcb4130865aa09442f5d - ipa: do not add guessed principal to the cache
    * b00c72d29b172a91b3eac5bc7b8ed275b883ec61 - PAC: allow to disable UPN check
Comment 18 errata-xmlrpc 2023-05-16 09:07:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2986
Note You need to log in before you can comment on or make changes to this bug.