Bug 2214563 - Passwordless (GSSAPI) SSH login failing with AD user
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.9
Target Milestone: rc
Assignee: Julien Rische
QA Contact: anuja
Reported: 2023-06-13 12:04 UTC by anuja
Modified: 2023-07-21 06:49 UTC

Fixed In Version: ipa-4.9.12-4.module+el8.9.0+19227+ff8f095d
Type: Bug

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-10011 0 None None None 2023-06-13 12:19:13 UTC
Red Hat Issue Tracker RHELPLAN-159706 0 None None None 2023-06-13 12:19:18 UTC

Description anuja 2023-06-13 12:04:44 UTC
Description of problem:
Passwordless (GSSAPI) SSH login not working with AD user

Version-Release number of selected component (if applicable):
ipa-server-4.9.12-2.module+el8.9.0+18921+013c0de2.x86_64

How reproducible:
Always

Steps to Reproduce:

1. Configure ipa-server with AD trust established.
2. AD domain is windows.test and a child domain sub1.windows.test contains the user aduser1.
3. Obtain a Kerberos ticket for aduser1 and use this ticket for ssh.

Expected behavior

echo Secret123|kinit aduser1
Password for aduser1.TEST:
ssh -K -l aduser1 hostname 'echo Success'
Success

Actual results:
[root@client ~]# ssh -K -l nonposixuser `hostname` 'echo Success'
Password: 
Success
Could not chdir to home directory /home/win2019-4xwn.test/nonposixuser: No such file or directory

Expected results:
It should not prompt for password.

Comment 13 anuja 2023-07-17 15:04:17 UTC
Verified using test compose:
ipa-server-4.9.12-4.module+el8.9.0+19311+cb2600ad.x86_64                      

2023-07-17T13:11:30+0000 [] :: [ 09:11:30 ] :: [  BEGIN   ] :: Running 'echo Secret123|kinit aduser1'
2023-07-17T13:11:30+0000 [] Password for aduser1: 
2023-07-17T13:11:30+0000 [] :: [ 09:11:30 ] :: [   PASS   ] :: Command 'echo Secret123|kinit aduser1' (Expected 0, got 0)
2023-07-17T13:11:30+0000 [] :: [ 09:11:30 ] :: [  BEGIN   ] :: Running 'timeout 60s             ssh -K -l aduser1 ip-234.ssh2k16.test 'echo login successful''
2023-07-17T13:11:33+0000 [] login successful
2023-07-17T13:11:33+0000 [] :: [ 09:11:32 ] :: [   PASS   ] :: Command 'timeout 60s             ssh -K -l aduser1 ip-234.ssh2k16.test 'echo login successful'' (Expected 0, got 0)

Working as expected, thus marking the bug as verified and tested.

Comment 17 anuja 2023-07-21 06:47:42 UTC
Verified Using nightly build:
ipa-server-4.9.12-5.module+el8.9.0+19430+5c00c3bc.x86_64

2023-07-20T17:25:54+0000 [ip-0-0-9-2.rhos-] :: [ 13:25:54 ] :: [   PASS   ] :: Command 'echo Secret123|kinit aduser1' (Expected 0, got 0)
2023-07-20T17:25:54+0000 [ip-0-0-9-2.rhos-] :: [ 13:25:54 ] :: [  BEGIN   ] :: Running 'timeout 60s             ssh -K -l aduser1 ip-0-0-9-2.ssh2k16.test 'echo login successful''
2023-07-20T17:25:56+0000 [ip-0-0-9-2.rhos-] login successful
2023-07-20T17:25:56+0000 [ip-0-0-9-2.rhos-] :: [ 13:25:55 ] :: [   PASS   ] :: Command 'timeout 60s             ssh -K -l aduser1 ip-0-0-9-2.ssh2k16.test 'echo login successful'' (Expected 0, got 0)

