- Bug
- Resolution: Unresolved
- Major
- CentOS Stream 10
- sssd-2.10.1-1.el10
- Yes
- Important
- rhel-sst-idm-sssd
- ssg_idm
- 17
- 18
- 2
- None
- CentOS Stream
- None
- Pass
- None
- x86_64
- None
I am having password authentication problems with sssd. This is fine for sssd-2.10.0~beta2-1.el10.x86_64 but not sssd-2.10.0~beta2-2.el10.x86_64 or later up to the current version (sssd-2.10.0~2.el10.x86_64). An example anonymized error from /var/log/sssd/krb5_child.log is
```
(2024-11-05 15:21:19): [krb5_child[1622462]] [get_and_save_tgt] (0x0020): [RID#67] 2363: [-1765328378][Client 'username\@(null)@DOMAIN.NAME' not found in Kerberos database]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-11-05 15:21:19): [krb5_child[1622462]] [main] (0x0100): [RID#67] Starting under uid=998 (euid=998) : gid=997 (egid=997)
* (2024-11-05 15:21:19): [krb5_child[1622462]] [main] (0x0100): [RID#67] With following capabilities:
CAP_CHOWN: effective = *1*, permitted = *1*, inheritable = 0 , bounding = *1*
CAP_DAC_OVERRIDE: effective = *1*, permitted = *1*, inheritable = 0 , bounding = *1*
CAP_SETGID: effective = *1*, permitted = *1*, inheritable = 0 , bounding = *1*
CAP_SETUID: effective = *1*, permitted = *1*, inheritable = 0 , bounding = *1*
* (2024-11-05 15:21:19): [krb5_child[1622462]] [unpack_buffer] (0x1000): [RID#67] total buffer size: [95]
* (2024-11-05 15:21:19): [krb5_child[1622462]] [unpack_buffer] (0x0100): [RID#67] cmd [241 (auth)] uid [2742] gid [2400] validate [false] enterprise principal [true] offline [false] UPN [username@(null)]
* (2024-11-05 15:21:19): [krb5_child[1622462]] [unpack_buffer] (0x2000): [RID#67] No old ccache
* (2024-11-05 15:21:19): [krb5_child[1622462]] [unpack_buffer] (0x0100): [RID#67] ccname: [KCM:] old_ccname: [not set] keytab: [not set]
* (2024-11-05 15:21:19): [krb5_child[1622462]] [check_keytab_name] (0x0400): [RID#67] Missing krb5_keytab option for domain, looking for default one
* (2024-11-05 15:21:19): [krb5_child[1622462]] [check_keytab_name] (0x0400): [RID#67] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
* (2024-11-05 15:21:19): [krb5_child[1622462]] [check_keytab_name] (0x0400): [RID#67] krb5_child will default to: /etc/krb5.keytab
* (2024-11-05 15:21:19): [krb5_child[1622462]] [check_use_fast] (0x0100): [RID#67] Not using FAST.
* (2024-11-05 15:21:19): [krb5_child[1622462]] [k5c_precreate_ccache] (0x4000): [RID#67] Recreating ccache
* (2024-11-05 15:21:19): [krb5_child[1622462]] [privileged_krb5_setup] (0x0080): [RID#67] Cannot open the PAC responder socket
* (2024-11-05 15:21:19): [krb5_child[1622462]] [become_user] (0x0200): [RID#67] Trying to become user [2742][2400].
* (2024-11-05 15:21:19): [krb5_child[1622462]] [main] (0x2000): [RID#67] Running as [2742][2400].
* (2024-11-05 15:21:19): [krb5_child[1622462]] [set_lifetime_options] (0x0100): [RID#67] Renewable lifetime is set to [7d]
* (2024-11-05 15:21:19): [krb5_child[1622462]] [set_lifetime_options] (0x0100): [RID#67] Lifetime is set to [24h]
* (2024-11-05 15:21:19): [krb5_child[1622462]] [set_canonicalize_option] (0x0100): [RID#67] Canonicalization is set to [true]
* (2024-11-05 15:21:19): [krb5_child[1622462]] [main] (0x0400): [RID#67] Will perform auth
* (2024-11-05 15:21:19): [krb5_child[1622462]] [main] (0x0400): [RID#67] Will perform online auth
* (2024-11-05 15:21:19): [krb5_child[1622462]] [tgt_req_child] (0x1000): [RID#67] Attempting to get a TGT
* (2024-11-05 15:21:19): [krb5_child[1622462]] [get_and_save_tgt] (0x0400): [RID#67] Attempting kinit for realm [DOMAIN.NAME]
* (2024-11-05 15:21:19): [krb5_child[1622462]] [get_and_save_tgt] (0x0020): [RID#67] 2363: [-1765328378][Client 'username\@(null)@DOMAIN.NAME' not found in Kerberos database]
********************** BACKTRACE DUMP ENDS HERE *********************************
```
The @(null) bit looks wrong to me.
- links to
- RHBA-2024:140063 sssd bug fix and enhancement update
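A triage helper for the symptom reported above, as an added example that is not part of the original report or of SSSD: it scans krb5_child.log text for requests whose UPN arrived with a `(null)` realm and attaches the Kerberos error logged for the same request. The sample log is constructed from the lines quoted in the report, and the function name `find_null_realm_requests` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the krb5_child.log lines quoted in the report.
SAMPLE_LOG = """\
(2024-11-05 15:21:19): [krb5_child[1622462]] [unpack_buffer] (0x0100): [RID#67] cmd [241 (auth)] uid [2742] gid [2400] validate [false] enterprise principal [true] offline [false] UPN [username@(null)]
(2024-11-05 15:21:19): [krb5_child[1622462]] [get_and_save_tgt] (0x0400): [RID#67] Attempting kinit for realm [DOMAIN.NAME]
(2024-11-05 15:21:19): [krb5_child[1622462]] [get_and_save_tgt] (0x0020): [RID#67] 2363: [-1765328378][Client 'username\\@(null)@DOMAIN.NAME' not found in Kerberos database]
(2024-11-05 15:22:40): [krb5_child[1622470]] [unpack_buffer] (0x0100): [RID#68] cmd [241 (auth)] uid [2743] gid [2400] validate [false] enterprise principal [true] offline [false] UPN [other@DOMAIN.NAME]
(2024-11-05 15:22:40): [krb5_child[1622470]] [get_and_save_tgt] (0x0400): [RID#68] Attempting kinit for realm [DOMAIN.NAME]
"""

# search() rather than match(): backtrace dumps prefix each line with "* ".
LINE = re.compile(
    r"\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\(0x[0-9a-f]+\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)"
)
UPN = re.compile(r"UPN \[(?P<user>[^@\]]*)@(?P<realm>[^\]]*)\]")
KRB_ERR = re.compile(r"\[(?P<code>-\d+)\]\[(?P<text>.*)\]$")


def find_null_realm_requests(log_text):
    """Return one record per (pid, RID) request whose UPN realm is '(null)'."""
    requests = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # capability lines, backtrace banners, blank lines
        req = requests[(m["pid"], m["rid"])]  # backtrace repeats collapse here
        msg = m["msg"].strip()
        upn = UPN.search(msg)
        if m["func"] == "unpack_buffer" and upn:
            req.update(ts=m["ts"], user=upn["user"], realm=upn["realm"])
        err = KRB_ERR.search(msg)
        if m["func"] == "get_and_save_tgt" and err:
            req["krb5_error"] = int(err["code"])  # e.g. client not found
    return [
        {"pid": pid, "rid": rid, **req}
        for (pid, rid), req in requests.items()
        if req.get("realm") == "(null)"
    ]


if __name__ == "__main__":
    for hit in find_null_realm_requests(SAMPLE_LOG):
        print(hit)
```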