SAT-32530

AD and IDM must have 'lookup_family_order = ipv6_only' for IPv6 only machines


    • Endeavour
    • 2
    • False
    • Sat_docs_5_2025, Sat_docs_6_2025, Sat_docs_7_2025
    • Known Issue
      .Additional configuration is required in IPv6-only networks when using `kinit` for IdM and AD users

      When Identity Management (IdM) or Active Directory (AD) is configured as an external authentication source for a Satellite Server that has only IPv6 connectivity, Kerberos authentication for external users fails. This known issue is caused by a bug in the System Security Services Daemon (SSSD) and occurs when the DNS name of the IdM or AD server can be translated to both an IPv4 and an IPv6 address but the IPv4 address is not accessible, for example because it is blocked by a firewall.

      To work around this problem, configure the `lookup_family_order` option in the `[domain/_<domain_name>_]` section of the `/etc/sssd/sssd.conf` file:

          [domain/_<example.com>_]
          lookup_family_order = ipv6_only
    • Done
    • None

      Description of problem:

      IDM and AD kinit auth don't work on IPv6 unless lookup_family_order = ipv6_only is specified in the [domain/...] part of sssd.conf, which is not documented.
      I think it's caused by https://github.com/SSSD/sssd/issues/3057 which is fixed by https://github.com/SSSD/sssd/commit/537e586ba71672ec5e8167283230bc5783d81770 which is in sssd... upstream.
      This has been found by tests/foreman/destructive/test_ldap_authentication.py::test_positive_autonegotiate and manifested in the net ads keytab add step in setup for AD and in HammerCLIForeman::Api::UnauthorizedError after hammer invocation in IDM.

      How reproducible:

      Attempt to set up an AD or IDM auth source for a Satellite that only has IPv6 connectivity

      Is this issue a regression from an earlier version:

      No

              apetrova@redhat.com Aneta Šteflová Petrová
              lhellebr@redhat.com Lukas Hellebrandt
              Aneta Šteflová Petrová, Ewoud Kohl van Wijngaarden, Lucie Vrtelova
              Aneta Šteflová Petrová Aneta Šteflová Petrová
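
An added example, not part of the original issue or of Satellite's own tooling: a Python check that lists the enabled SSSD domains that still lack the workaround while their server name resolves to both address families. The sample configuration, domain names and addresses are constructed, and the function names are hypothetical.

```python
import configparser
import ipaddress

# Constructed sample sssd.conf: one domain has the workaround, one does not.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = idm.example.com, ad.example.com
services = nss, pam

[domain/idm.example.com]
id_provider = ipa
lookup_family_order = ipv6_only

[domain/ad.example.com]
id_provider = ad
"""

# Constructed DNS answers for each domain's server (documentation address ranges).
SAMPLE_RESOLVED = {
    "idm.example.com": ["192.0.2.10", "2001:db8::10"],
    "ad.example.com": ["192.0.2.20", "2001:db8::20"],
}

def audit_lookup_family_order(conf_text):
    """Return {domain: effective lookup_family_order} for domains enabled in [sssd]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    enabled = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    settings = {}
    for name in enabled:
        # sssd.conf(5) documents ipv4_first as the default when the option is absent.
        value = cp.get(f"domain/{name}", "lookup_family_order", fallback="ipv4_first")
        settings[name] = value.strip().lower()
    return settings

def is_dual_stack(addresses):
    """True when the resolved addresses contain both IPv4 and IPv6 entries."""
    return {ipaddress.ip_address(a).version for a in addresses} == {4, 6}

def needs_workaround(conf_text, resolved):
    """Domains not set to ipv6_only whose server name has both A and AAAA records."""
    settings = audit_lookup_family_order(conf_text)
    return sorted(d for d, v in settings.items()
                  if v != "ipv6_only" and is_dual_stack(resolved.get(d, [])))

if __name__ == "__main__":
    print(needs_workaround(SAMPLE_SSSD_CONF, SAMPLE_RESOLVED))
```

On a real host, pass the contents of `/etc/sssd/sssd.conf` (readable by root only) and the addresses returned by the resolver for the IdM or AD server.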