Bug 877972 - ldap_sasl_authid no longer accepts full principal
Summary: ldap_sasl_authid no longer accepts full principal
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 881827
TreeView+ depends on / blocked
 
Reported: 2012-11-19 10:57 UTC by Jakub Hrozek
Modified: 2013-06-06 18:29 UTC (History)
6 users (show)

Fixed In Version: sssd-1.9.2-51.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:40:33 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0508 normal SHIPPED_LIVE Low: sssd security, bug fix and enhancement update 2013-02-20 21:30:10 UTC

Description Jakub Hrozek 2012-11-19 10:57:37 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/1635

One of our users noted on the sssd-users list that the behaviour of ldap_sasl_authid has changed between 1.8 and 1.9:
https://lists.fedorahosted.org/pipermail/sssd-users/2012-November/000279.html

We should investigate if it's the case and either amend the code or the docs as appropriate.
Comment 1 Jakub Hrozek 2012-11-19 11:00:11 UTC 
To reproduce, simply configure AD or IPA provider and use a full principal in ldap_sasl_authid. The initialization of the provider will fail.
Comment 4 Kaushik Banerjee 2012-11-26 15:52:33 UTC 
Verified in version 1.9.2-24

Output of beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: adprovider_010 Verify bz877972 Using full principal ldap_sasl_authid=host/adclient.addomain.com@SSSDAD.COM
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Starting sssd: [  OK  ]
[  OK  ]
:: [   PASS   ] :: Running 'service sssd start'
testuser01:*:770812699:770800513:testuser01:/:
:: [   PASS   ] :: Running 'getent passwd testuser01'
spawn ssh -q -l testuser01 localhost echo 'login successful'
testuser01@localhost's password: 
login successful
:: [   PASS   ] :: Authentication successful, as expected
:: [   PASS   ] :: Running 'auth_success testuser01 Secret123'
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Option ldap_sasl_authid has value host/adclient.addomain.com@SSSDAD.COM'
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Principal matched to the sample'
adprovider-010-Verify-bz877972-Using-full-principal-ldap-sasl-authid-host-adclient-addomain-com-SSSDAD-COM result: PASS
Comment 5 Ondrej Valousek 2012-12-10 14:47:29 UTC 
Note that this still does not work as of:
sssd-1.9.2-4.upstream_1_9_3.el6_3.x86_64

Additionally, when this parameter is used, an end dollar letter '$' is automatically appended - i.e. if I use:

ldap_sasl_authid = logina$

principal 'logina$$@<REALM>' is used instead. I believe we should not even attempt to add dollar at the end automatically under no conditions as it is very confusing. We should only add the Kerberos realm *if it is missing* and nothing else.

Ondrej
Comment 6 Jakub Hrozek 2012-12-10 17:42:36 UTC 
Sorry Ondrej, sssd-1.9.2-4.upstream_1_9_3.el6_3.x86_64 was wrong, see the message on sssd-devel. I fixed the repo, can you try upgrading to -5 and retry?

Sorry for the inconvenience.
Comment 7 Jakub Hrozek 2012-12-13 10:33:25 UTC 
Ondrej confirmed that his case didn't work correctly even with the latest packages. Putting back to ASSIGNED as per comment #5.
Comment 9 Ondrej Valousek 2012-12-27 09:43:54 UTC 
I can confirm the issue above has been fixed in:
sssd-1.9.2-6.upstream_1_9_3.el6_3.x86_64
Thanks Jakub for the prompt fix.
Comment 10 Kaushik Banerjee 2013-01-08 07:29:17 UTC 
Verified in version 1.9.2-59

Output from beaker automation run:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: adprovider_010 Verify bz877972 Using full principal ldap_sasl_authid=host/adclient.addomain.com@SSSDAD.COM
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
[  OK  ]
:: [   PASS   ] :: Running 'service sssd start'
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Option ldap_sasl_authid has value host/adclient.addomain.com@SSSDAD.COM'
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'authid contains realm \[SSSDAD.COM\]'
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Will look for host/adclient.addomain.com@SSSDAD.COM in'
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Trying to find principal host/adclient.addomain.com@SSSDAD.COM in keytab'
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Principal matched to the sample (host/adclient.addomain.com@SSSDAD.COM)'
testuser01:*:770815747:770800513:testuser01:/:
:: [   PASS   ] :: Running 'getent passwd testuser01'
spawn ssh -q -l testuser01 localhost echo 'login successful'
testuser01@localhost's password: 
login successful
:: [   PASS   ] :: Authentication successful, as expected
:: [   PASS   ] :: Running 'auth_success testuser01 Secret123'
'2695502e-5034-4d82-a4aa-947ad3ea8924'
adprovider-010-Verify-bz877972-Using-full-principal-ldap-sasl-authid-host-adclient-addomain-com-SSSDAD-COM result: PASS
Comment 11 errata-xmlrpc 2013-02-21 09:40:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
Note You need to log in before you can comment on or make changes to this bug.