Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 894988

Summary: Authentication is done against krb5_kpasswd as well as krb5_server
Product: Red Hat Enterprise Linux 7 Reporter: Nikolai Kondrashov <nikolai.kondrashov>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED DEFERRED QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: grajaiya, jgalipea, jhrozek, mkosek, pbrezina, rmainz
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-24 11:24:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
example.com.db
none
121.168.192.in-addr.arpa.db
none
base.ldif
none
sssd.conf none

Description Nikolai Kondrashov 2013-01-14 08:57:17 UTC 
Description of problem:
If sssd.conf contains "krb5_server = slave-kdc" and "krb5_kpasswd = master-kdc" and "slave-kdc" has a password for a user different from the one "master-kdc" has (e.g. propagation hasn't yet occurred), it is possible to authenticate as that user with both master-kdc's and slave-kdc's passwords.

Version-Release number of selected component (if applicable):
libsss_autofs-1.9.2-68.el6.x86_64
libsss_idmap-1.9.2-68.el6.x86_64
sssd-client-1.9.2-68.el6.x86_64
sssd-1.9.2-68.el6.x86_64
libsss_sudo-1.9.2-68.el6.x86_64

How reproducible:
always

Steps to Reproduce:

Setup:
1. Setup master/slave KDC pair.
2. Setup master->slave database propagation, but don't setup automatic propagation.
3. Setup DNS to describe the realm and KDCs, using the attached zone files as reference.
4. Setup LDAP directory, using the attached LDIF file as reference.
5. Add a user principal to master KDC database with password #1.
6. Propagate the database to slave KDC manually.
7. Change the user's password on master KDC to password #2, but don't propagate the database.
8. Setup SSSD client using the attached sssd.conf as reference. Set krb5_server to point to the slave KDC and krb5_kpasswd to point to the master KDC.

Tests:
1. On SSSD client, authenticate as the user, using password #1.
2. On SSSD client, authenticate as the user, using password #2.
  
Actual results:
1. Authentication successful.
2. Authentication successful.

Expected results:
1. Authentication successful.
2. Authentication fails.

Additional info:
The reference setup has master KDC on manual-srv1.example.com (192.168.121.10) and slave KDC on manual-srv2.example.com (192.168.121.11). The client is on manual-clnt.example.com (192.168.121.12).

This works as expected, if krb5_kpasswd is not set, or if both krb5_server and krb_kpasswd are set to the same KDC host, either master or slave.
Comment 1 Nikolai Kondrashov 2013-01-14 09:03:01 UTC 
Created attachment 678114 [details]
example.com.db
Comment 2 Nikolai Kondrashov 2013-01-14 09:03:22 UTC 
Created attachment 678115 [details]
121.168.192.in-addr.arpa.db
Comment 3 Nikolai Kondrashov 2013-01-14 09:05:17 UTC 
Created attachment 678119 [details]
base.ldif
Comment 4 Nikolai Kondrashov 2013-01-14 09:05:44 UTC 
Created attachment 678120 [details]
sssd.conf
Comment 7 Jakub Hrozek 2013-01-14 09:50:29 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1762
Comment 8 Nikolai Kondrashov 2013-01-14 10:39:18 UTC 
This also reproduced on RHEL6.3 with the following packages:

sssd-client-1.8.0-32.el6.x86_64
sssd-1.8.0-32.el6.x86_64
Comment 11 Martin Kosek 2015-04-24 11:24:11 UTC 
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as DEFERRED. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.