961278 – Login failure: Enterprise Principal enabled by default for AD Provider

Bug 961278 - Login failure: Enterprise Principal enabled by default for AD Provider

Summary: Login failure: Enterprise Principal enabled by default for AD Provider

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	sssd
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Jakub Hrozek
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-05-09 10:37 UTC by Kaushik Banerjee
Modified:	2020-05-02 17:21 UTC (History)
CC List:	6 users (show)
Fixed In Version:	sssd-1.10.0-5.fc19.beta1
Clone Of:
Environment:
Last Closed:	2013-05-24 20:13:32 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
/var/log/sssd/krb5_child.log (13.80 KB, text/plain) 2013-05-09 10:37 UTC, Kaushik Banerjee	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 2963	0	None	closed	Login failure: Enterprise Principal enabled by default for AD Provider	2020-08-18 18:08:25 UTC

Description Kaushik Banerjee 2013-05-09 10:37:04 UTC

Created attachment 745610 [details]
/var/log/sssd/krb5_child.log

Description of problem:
Login failure: Enterprise Principal enabled by default for AD Provider

Version-Release number of selected component (if applicable):
1.10.0-5

How reproducible:
Always

Steps to Reproduce:
1. Using realmd, add the client to an AD Server.

2. Try to login.
$ ssh -l 'SSSDAD\tuser1' localhost
SSSDAD\tuser1@localhost's password: 
Permission denied, please try again.
SSSDAD\tuser1@localhost's password: 
Permission denied, please try again.
SSSDAD\tuser1@localhost's password:

  
Actual results:
Login fails.

krb5_child.log shows:
(Thu May  9 06:32:33 2013) [[sssd[krb5_child[6930]]]] [sss_child_krb5_trace_cb] (0x4000): [6930] 1368095553.283185: Initializing MEMORY:I4Prq7V with default princ tuser1\@SSSDAD.COM

(Thu May  9 06:32:33 2013) [[sssd[krb5_child[6930]]]] [sss_child_krb5_trace_cb] (0x4000): [6930] 1368095553.283363: Removing tuser1\@SSSDAD.COM -> krbtgt/SSSDAD.COM from MEMORY:I4Prq7V

(Thu May  9 06:32:33 2013) [[sssd[krb5_child[6930]]]] [sss_child_krb5_trace_cb] (0x4000): [6930] 1368095553.283525: Storing tuser1\@SSSDAD.COM -> krbtgt/SSSDAD.COM in MEMORY:I4Prq7V

(Thu May  9 06:32:33 2013) [[sssd[krb5_child[6930]]]] [sss_child_krb5_trace_cb] (0x4000): [6930] 1368095553.283722: Getting credentials tuser1\@SSSDAD.COM -> host/dhcp207-114.sssdad.com using ccache MEMORY:I4Prq7V

(Thu May  9 06:32:33 2013) [[sssd[krb5_child[6930]]]] [sss_child_krb5_trace_cb] (0x4000): [6930] 1368095553.283964: Retrieving tuser1\@SSSDAD.COM -> host/dhcp207-114.sssdad.com from MEMORY:I4Prq7V with result: -1765328243/Matching credential not found



Expected results:
Login should work.

Additional info:
Refer to the attached krb5_child.log

Comment 1 Kaushik Banerjee 2013-05-09 10:49:36 UTC

Workaround (Thanks to Jakub for pointing this out):
Adding krb5_use_enterprise_principal=False to the domain section of sssd.conf works.

Comment 2 Jakub Hrozek 2013-05-09 11:49:58 UTC

(In reply to comment #1)
> Workaround (Thanks to Jakub for pointing this out):
> Adding krb5_use_enterprise_principal=False to the domain section of
> sssd.conf works.

This is probably a regression caused by https://fedorahosted.org/sssd/ticket/1842

Comment 3 Sumit Bose 2013-05-09 12:10:07 UTC

Kaushik, can you check if it works if you keep krb5_use_enterprise_principal=True but set krb5_validate=False? Thank you.

Comment 4 Kaushik Banerjee 2013-05-09 12:20:03 UTC

(In reply to comment #3)
> Kaushik, can you check if it works if you keep
> krb5_use_enterprise_principal=True but set krb5_validate=False? Thank you.

Does't work :-(

Comment 5 Jakub Hrozek 2013-05-10 08:53:45 UTC

Upstream ticket:
https://fedorahosted.org/sssd/ticket/1921

Comment 6 Patrik Kis 2013-05-14 14:12:08 UTC

Verified.
sssd-1.10.0-5.fc19.beta1

Comment 7 Fedora Update System 2013-05-14 15:08:48 UTC

sssd-1.10.0-5.fc19.beta1 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sssd-1.10.0-5.fc19.beta1

Comment 8 Fedora Update System 2013-05-14 17:48:37 UTC

Package sssd-1.10.0-5.fc19.beta1:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.10.0-5.fc19.beta1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8176/sssd-1.10.0-5.fc19.beta1
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2013-05-24 20:13:32 UTC

sssd-1.10.0-5.fc19.beta1 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.