Description of problem: When there are multiple realms in a keytab, sssd uses the first key available to authenticate not looking at the key's realm. What sssd should do is look for the first available key that has a valid realm to do the authentication. Version-Release number of selected component (if applicable): sssd-1.8.0-11.el6 How reproducible: On the client generate a keytab will multiple realms with the valid realm defined last: klist -k Keytab name: WRFILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 nfs/rhel6.boston.devel.redhat.com.COM 1 host/rhel6.boston.devel.redhat.com.REDHAT.COM Steps to Reproduce: 1. Log into the client 2. 3. Actual results: Fails Expected results: works. Additional info:
Upstream ticket: https://fedorahosted.org/sssd/ticket/1269
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: No documentation needed
Verified in version: # rpm -qi sssd | head Name : sssd Relocations: (not relocatable) Version : 1.8.0 Vendor: Red Hat, Inc. Release : 22.el6 Build Date: Mon 09 Apr 2012 07:40:33 PM IST Install Date: Fri 13 Apr 2012 09:34:35 PM IST Build Host: x86-003.build.bos.redhat.com Group : Applications/System Source RPM: sssd-1.8.0-22.el6.src.rpm Size : 7870660 License: GPLv3+ Signature : (none) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL : http://fedorahosted.org/sssd/ Summary : System Security Services Daemon
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0747.html