Bug 2223442 - SSSD should handle AD's behavior of handling Kerberos realms case-insensitive better. sssd was using stale entries from /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.8
Hardware: All
OS: Linux
unspecified
low
Target Milestone: rc
Assignee: jstephen
QA Contact: Dan Lavu
Reported: 2023-07-17 21:45 UTC by Abhijit Roy
Modified: 2023-08-10 13:30 UTC (History)

Type: Bug

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-162505 0 None None None 2023-07-17 21:48:54 UTC
Red Hat Issue Tracker SSSD-6585 0 None None None 2023-08-10 13:30:01 UTC

Description Abhijit Roy 2023-07-17 21:45:46 UTC
Description of problem:

Failed to look up user since /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM has stale entries or a decommissioned server.

Clearing the content of /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM file resolves the issue.

SSSD should handle AD's behavior of handling Kerberos realms case-insensitively better. One possible fix might be to always create the realm part of the name of the kdcinfo file in upper-case letters (since there is a convention to use upper-case for realm names). Before that, the directory should be checked for kdcinfo files for the same realm but different cases. The locator plugin itself should then use the upper-case name as a fallback in case a kdcinfo file with the realm received was not found. This is needed because the locator plugin is not aware of the type of the KDC for different realms, and in general Kerberos realms are case-sensitive.

Version-Release number of selected component (if applicable):

sssd-2.7.3-4.el8_7.3.x86_64

Expected results:

sssd should clean up the content of /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM periodically 

Additional info:

WORKAROUND: Clearing the content of /var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM file resolves the issue.
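
The case-variant check and upper-case fallback proposed in the description, written out as an added shell example (not SSSD or locator plugin code). The function names are hypothetical; the directory and the `kdcinfo.<REALM>` naming come from the report.

```shell
#!/bin/sh
# Added example, not SSSD code. Function names are hypothetical.
# PUBCONF is the directory named in the report; override it to test elsewhere.
PUBCONF=${PUBCONF:-/var/lib/sss/pubconf}

# Upper-case a realm name (the convention the report proposes for file names).
realm_upper() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# List kdcinfo files in directory $1 whose realm equals $2 ignoring case.
kdcinfo_variants() {
    want=$(realm_upper "$2")
    for f in "$1"/kdcinfo.*; do
        [ -f "$f" ] || continue
        if [ "$(realm_upper "${f##*/kdcinfo.}")" = "$want" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Print each realm (upper-cased) that has more than one case variant on disk.
kdcinfo_conflicts() {
    for f in "$1"/kdcinfo.*; do
        [ -f "$f" ] || continue
        printf '%s\n' "$(realm_upper "${f##*/kdcinfo.}")"
    done | sort | uniq -d
}

# Lookup order proposed in the report: exact realm name first, then the
# upper-case name as fallback. Prints the path, or returns 1 if neither exists.
kdcinfo_lookup() {
    upper=$(realm_upper "$2")
    if [ -f "$1/kdcinfo.$2" ]; then
        printf '%s\n' "$1/kdcinfo.$2"
    elif [ -f "$1/kdcinfo.$upper" ]; then
        printf '%s\n' "$1/kdcinfo.$upper"
    else
        return 1
    fi
}

# Report conflicting realms and their files when the directory exists.
if [ -d "$PUBCONF" ]; then
    for r in $(kdcinfo_conflicts "$PUBCONF"); do
        echo "case variants for realm $r:"
        kdcinfo_variants "$PUBCONF" "$r"
    done
fi
```

A realm listed by `kdcinfo_conflicts` has more than one kdcinfo file on disk, so a client asking for one spelling can read KDC addresses that were last written under another.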

