Bug 892197 - Incorrect principal searched for in keytab
Summary: Incorrect principal searched for in keytab
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
Depends On:
Blocks: 895654
TreeView+ depends on / blocked
Reported: 2013-01-05 20:13 UTC by Jakub Hrozek
Modified: 2020-05-02 17:12 UTC (History)
6 users (show)

Fixed In Version: sssd-1.9.2-65.el6
Doc Type: Bug Fix
Doc Text:
No documentation needed.
Clone Of:
Last Closed: 2013-02-21 09:43:07 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2782 0 None None None 2020-05-02 17:12:58 UTC
Red Hat Product Errata RHSA-2013:0508 0 normal SHIPPED_LIVE Low: sssd security, bug fix and enhancement update 2013-02-20 21:30:10 UTC

Description Jakub Hrozek 2013-01-05 20:13:14 UTC
This bug is created as a clone of upstream ticket:

SSSD attempts to use fqdn$@DOMAIN rather than shorthostname$@DOMAIN.  This means it fails to find a usable credential on a machine joined to Active Directory, and is looking for a principal that's very unlikely to exist.

Since 4ee7f390af4193656c1e6ba45c9c3c14dd64a8a9, searching for *$ has been removed, so the short form is never found.  As a result, AD configurations that worked prior to this update that don't explicitly set ldap_sasl_authid now fail to find a suitable credential.

Comment 2 Jakub Hrozek 2013-01-07 14:51:59 UTC
To test, enroll a machine with AD.

Check the keytab with klist -k, usually the keytab will contain both host/hostname@REALM and SHORTNAME$@REALM. Without the patch, you'll have to specify ldap_sasl_authid manually, with the patch, the SSSD should select the correct principal on its own.

Comment 5 Kaushik Banerjee 2013-01-14 12:50:28 UTC
Verified in version 1.9.2-68

Report from beaker automation run:
:: [   LOG    ] :: adprovider_009 bz892197 ad_domain is valid and principal should default to SHORTHOST$

:: [   LOG    ] :: Sleeping for 5 seconds
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Trying to find principal DELL-T7400-01$@SSSDAD.COM'
:: [   PASS   ] :: File '/var/log/sssd/sssd_ADTEST.log' should contain 'Principal matched to the sample (DELL-T7400-01$@SSSDAD.COM)'
:: [   PASS   ] :: Running 'getent passwd testuser01'
:: [   PASS   ] :: Authentication successful, as expected
:: [   PASS   ] :: Running 'auth_success testuser01 Secret123'
:: [   LOG    ] :: Duration: 18s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: adprovider_009 bz892197 ad_domain is valid and principal should default to SHORTHOST$

Comment 6 errata-xmlrpc 2013-02-21 09:43:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.