Bug 1762881 - sssd-kcm breaks Kerberos authentication with remote services
Status: CLOSED DUPLICATE of bug 1757224
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 31
Hardware: Unspecified
OS: Unspecified
Assignee: Michal Zidek
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-10-17 18:02 UTC by James
Modified: 2019-10-17 20:17 UTC
Last Closed: 2019-10-17 20:17:22 UTC
Type: Bug

Description James 2019-10-17 18:02:55 UTC
Description of problem:
With sssd-kcm installed, I can log in and according to klist the TGT is there. However I can't use it to connect to services including ssh on other machines and the FreeIPA web interface. These things work if I remove sssd-kcm and go back to the kernel keyring.

Version-Release number of selected component (if applicable):
sssd-2.2.2-1.fc31.x86_64
freeipa-client-4.8.1-3.fc31.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Configure F31 workstation using ipa-client-install (standard config, worked OK in Fedora 30).
2. Reboot, log in using realm credentials and get TGT.
3. Attempt to connect to Kerberised remote service.

Actual results:
Kerberos credentials not used. Password prompt appears.

Expected results:
Access granted through single sign-on.

Additional info:
Will provide logs upon request. Nothing incriminating seen in journalctl -u sssd-kcm.

Comment 1 Sumit Bose 2019-10-17 18:20:30 UTC
Hi,

this sounds a bit like https://bugzilla.redhat.com/show_bug.cgi?id=1757224. Can you give the test build from comment #55 at https://koji.fedoraproject.org/koji/taskinfo?taskID=38214051 a try? To download the packages in a single run you can use:

    curl 'https://koji.fedoraproject.org/koji/taskinfo?taskID=38214051' | grep -o '"https://.*\.rpm"' | xargs -n 1 curl -O

HTH

bye,
Sumit

Comment 2 Simo Sorce 2019-10-17 18:26:02 UTC
James,
what client are you using?

Also see Sumit's reply if you are using standard built Fedora clients like curl, or openssh.

Comment 3 James 2019-10-17 18:30:48 UTC
Using sssd-kcm from 38214051 broke Kerberos login altogether. Login functionality restored with that build by removing sssd-kcm and restarting sssd.

The clients concerned are

openssh-8.1p1-1.fc31.x86_64
firefox-69.0.3-1.fc31.x86_64

connecting to a FreeIPA service and sshds running on Fedora 30 boxes.

Comment 4 Lukas Slebodnik 2019-10-17 19:09:39 UTC
(In reply to James Ettle from comment #3)
> Using sssd-kcm from 38214051 broke Kerberos login altogether. Login
> functionality restored with that build by removing sssd-kcm and restarting
> sssd.
> 
> The clients concerned are
> 
> openssh-8.1p1-1.fc31.x86_64
> firefox-69.0.3-1.fc31.x86_64
> 
> connecting to a FreeIPA service and sshds running on Fedora 30 boxes.

It works for me with 
sh$ rpm -q openssh-clients sssd-kcm
openssh-clients-8.0p1-8.fc31.1.x86_64
sssd-kcm-2.2.2-1.fc32.x86_64

We need more information or a detailed reproducer.
sh$ export KRB5_TRACE=/tmp/openssh_krb5_trace
sh$ ssh -vvv user

And manually run kinit to avoid issues with BZ1757224.
And please provide the output of ssh and the content of /tmp/openssh_krb5_trace

Comment 5 Lukas Slebodnik 2019-10-17 19:12:34 UTC
I upgraded into openssh-clients-8.1p1-1 and it still works for me.

Comment 6 James 2019-10-17 19:22:06 UTC
OK, apologies -- looks like I was too hasty. This time I reinstalled the packages from 38214051 and completely rebooted rather than just restarting sssd. This time login works, and now Kerberised services are working.

Thanks for the help -- I think this can probably be closed as a dup of 1757224

Comment 7 Simo Sorce 2019-10-17 20:17:22 UTC

*** This bug has been marked as a duplicate of bug 1757224 ***

