Bug 616868 - ldap auth not working. ( extra krb5_realm = EXAMPLE.COM line added )
ldap auth not working. ( extra krb5_realm = EXAMPLE.COM line added )
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: authconfig (Show other bugs)
13
All Linux
low Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-21 11:23 EDT by Jóhann B. Guðmundsson
Modified: 2010-10-05 09:36 EDT (History)
4 users (show)

See Also:
Fixed In Version: sssd-1.2.2-18
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-10-05 09:31:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
sssd.conf that gets created (459 bytes, text/plain)
2010-08-03 07:51 EDT, Jóhann B. Guðmundsson
no flags Details

  None (edit)
Description Jóhann B. Guðmundsson 2010-07-21 11:23:56 EDT
Description of problem:

When setting up an ldap account an extra line "krb5_realm = EXAMPLE.COM and krb5_kdcip = kerberos.example.com" is added to sssd.conf which breaks it's functionality 

Version-Release number of selected component (if applicable):

setuptool-1.19.10-1.fc13.x86_64

How reproducible:

Always

Steps to Reproduce:
1.run setup
2.configure for ldap auth
3.try logging in for example via ssh
  
Actual results:

Ldap authentication fails 

Expected results:

Ldap auth working.

Additional info:

Removing those lines and restarting sssd fixes this problem.
Comment 1 Nalin Dahyabhai 2010-07-21 11:34:53 EDT
The 'setup' command is merely running authconfig-tui, so I'm reassigning this bug.  Can you indicate which version of the 'authconfig' package you have installed?
Comment 2 Jóhann B. Guðmundsson 2010-07-21 12:13:48 EDT
authconfig-6.1.4-2.fc13.x86_64
Comment 3 Tomas Mraz 2010-08-02 06:45:52 EDT
How exactly did you use the tool?

And can you please attach the broken sssd config file?
Comment 4 Jóhann B. Guðmundsson 2010-08-03 07:50:45 EDT
I ran setup

User Information 
hash Use LDAP

Authentication 

hash Use MD5 Passwords
hash Use Shadow Passwords
hash Use Ldap Authentication
hash Local authorization is sufficient

Select Next 

hash Use TLS
Server ldap://ldap1.example.com ldap://ldap2.example.com
Base DN dc=example,dc=com

I updated to sssd 1.2.2-18 in koji ran setup again and I now can log in all thou "krb5_realm = EXAMPLE.COM krb5" and_"kdcip = kerberos.example.com" lines get added to the sssd.conf"
Comment 5 Jóhann B. Guðmundsson 2010-08-03 07:51:30 EDT
Created attachment 436254 [details]
sssd.conf that gets created
Comment 6 Tomas Mraz 2010-08-03 08:49:19 EDT
Stephen, can authconfig depend on sssd tolerating options from different providers than configured?
Comment 7 Stephen Gallagher 2010-09-24 07:49:25 EDT
Sorry, this bug had fallen off my radar.

No, SSSD will not tolerate options from different providers than configured, however the krb5_kdcip and krb5_realm options are permissible for the LDAP provider, so they are coincidentally acceptable.

Specifically, it is possible to set up the LDAP provider to use GSSAPI-encrypted communications to the LDAP server in place of LDAPS or TLS (this is not a configuration currently supported in authconfig, as it requires additional manual steps of creating a keytab).

Authconfig should probably suppress this output from the sssd.conf file unless the option 'ldap_sasl_mech' is detected in the config file and is set to 'gssapi' (case-insensitive). This is the only case in which the krb5_kdcip and krb5_realm options are valid for the LDAP provider without the kerberos provider being active for authentication.
Comment 8 Tomas Mraz 2010-10-05 09:31:02 EDT
(In reply to comment #7)
> Sorry, this bug had fallen off my radar.
> 
> No, SSSD will not tolerate options from different providers than configured,
> however the krb5_kdcip and krb5_realm options are permissible for the LDAP
> provider, so they are coincidentally acceptable.
Actually authconfig will not add options that would not be allowed by SSSDConfig module so I think we are safe here.

> Specifically, it is possible to set up the LDAP provider to use
> GSSAPI-encrypted communications to the LDAP server in place of LDAPS or TLS
> (this is not a configuration currently supported in authconfig, as it requires
> additional manual steps of creating a keytab).
> 
> Authconfig should probably suppress this output from the sssd.conf file unless
> the option 'ldap_sasl_mech' is detected in the config file and is set to
> 'gssapi' (case-insensitive). This is the only case in which the krb5_kdcip and
> krb5_realm options are valid for the LDAP provider without the kerberos
> provider being active for authentication.
But I suppose these options are harmless and no-op if the ldap_sasl_mech is not set to gssapi. Please, correct me if they are not harmless in such case.

I'm closing the bug as the real problem of ldap auth not working is already fixed with the current sssd.
Comment 9 Stephen Gallagher 2010-10-05 09:36:57 EDT
(In reply to comment #8)
> But I suppose these options are harmless and no-op if the ldap_sasl_mech is not
> set to gssapi. Please, correct me if they are not harmless in such case.

Sure, they are harmless (just slightly confusing).

Note You need to log in before you can comment on or make changes to this bug.