6:33 a.m.
# SSSD 2.7.1
The SSSD team is proud to announce the release of version 2.7.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.7.1
See the full release notes at:
https://sssd.io/release-notes/sssd-2.7.1.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* SSSD can now handle multi-valued RDNs if a unique name must be
determined with the help of the RDN.
### Important fixes
* A regression in `pam_sss_gss` module causing a failure if `KRB5CCNAME`
environment variable was not set was fixed.
### Packaging changes
* `sssd-ipa` doesn't require `sssd-idp` anymore
### Configuration changes
* New option `implicit_pac_responder` to control if the PAC responder is
started for the IPA and AD providers, default is `true`.
* New option `krb5_check_pac` to control the PAC validation behavior.
* multiple `crl_file` arguments can be used in the
`certificate_verification` option.
12:40 a.m.
On Thu, 2022-06-02 at 13:33 +0200, Pavel Březina via FreeIPA-users
wrote:
# SSSD 2.7.1
### Configuration changes
* New option `implicit_pac_responder` to control if the PAC responder
is
started for the IPA and AD providers, default is `true`.
* New option `krb5_check_pac` to control the PAC validation behavior.
* multiple `crl_file` arguments can be used in the
`certificate_verification` option.
I updated my Fedora 36 desktop a few minutes ago, which installed the
new sssd and related packages. I rebooted since a new kernel was also
installed. When I tried to login to GNOME, I got an error.
I used a local account to get in and to check my freeipa user account.
The pwd worked fine on my other machines and on the web UI. I poked
around somemore and found this in krb5_child.log:
(2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt] (0x0020):
[RID#196] PAC check failed for principal [ranbir(a)DOMAIN.TLD].
(2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt] (0x0020):
[RID#196] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt]
(0x0020): [RID#196] PAC check failed for principal [ranbir(a)DOMAIN.TLD].
* (2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt]
(0x0020): [RID#196] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE
*********************************
There's more before that.
I also saw this in sssd's journal (it's in reverse):
Jun 08 00:29:21 host.domain.tld krb5_child[2270952]: Preauthentication
failed
Jun 08 00:29:21 host.domain.tld krb5_child[2270952]: Preauthentication
failed
Jun 08 00:29:07 host.domain.tld krb5_child[2270889]: Preauthentication
failed
Jun 08 00:29:07 host.domain.tld krb5_child[2270889]: Preauthentication
failed
Jun 08 00:29:01 host.domain.tld krb5_child[2270848]: Unknown code UUz
100
Jun 08 00:28:52 host.domain.tld krb5_child[2270818]: Unknown code UUz
100
Jun 08 00:28:45 host.domain.tld krb5_child[2270782]: Unknown code UUz
100
Jun 08 00:15:15 host.domain.tld sssd_be[2249888]: GSSAPI client step 2
Jun 08 00:15:15 host.domain.tld sssd_be[2249888]: GSSAPI client step 1
Jun 08 00:15:15 host.domain.tld systemd[1]: Started sssd.service -
System Security Services Daemon.
No amount of reboots or sssd restarts fixed the problem, so I
downgraded all of the sssd related packages. After that was done, I was
able to login again.
Do I have a misconfiguration or is it a bug?
--
Ranbir
2:57 a.m.
Am Wed, Jun 08, 2022 at 01:40:22AM -0400 schrieb Ranbir via FreeIPA-users:
On Thu, 2022-06-02 at 13:33 +0200, Pavel Březina via FreeIPA-users
wrote:
> # SSSD 2.7.1
>
>
> ### Configuration changes
>
> * New option `implicit_pac_responder` to control if the PAC responder
> is
> started for the IPA and AD providers, default is `true`.
> * New option `krb5_check_pac` to control the PAC validation behavior.
> * multiple `crl_file` arguments can be used in the
> `certificate_verification` option.
I updated my Fedora 36 desktop a few minutes ago, which installed the
new sssd and related packages. I rebooted since a new kernel was also
installed. When I tried to login to GNOME, I got an error.
I used a local account to get in and to check my freeipa user account.
The pwd worked fine on my other machines and on the web UI. I poked
around somemore and found this in krb5_child.log:
(2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt] (0x0020):
[RID#196] PAC check failed for principal [ranbir(a)DOMAIN.TLD].
(2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt] (0x0020):
[RID#196] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt]
(0x0020): [RID#196] PAC check failed for principal [ranbir(a)DOMAIN.TLD].
* (2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt]
(0x0020): [RID#196] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE
*********************************
Hi,
I'm sorry, it looks like the default for the new 'pac_check' option is
too strict. Please try to set
pac_check = check_upn, check_upn_dns_info_ex
in the [pac] section of sssd.conf and then try to update again. I have
opened https://bugzilla.redhat.com/show_bug.cgi?id=2094685 to fix this.
bye,
Sumit
There's more before that.
I also saw this in sssd's journal (it's in reverse):
Jun 08 00:29:21 host.domain.tld krb5_child[2270952]: Preauthentication
failed
Jun 08 00:29:21 host.domain.tld krb5_child[2270952]: Preauthentication
failed
Jun 08 00:29:07 host.domain.tld krb5_child[2270889]: Preauthentication
failed
Jun 08 00:29:07 host.domain.tld krb5_child[2270889]: Preauthentication
failed
Jun 08 00:29:01 host.domain.tld krb5_child[2270848]: Unknown code UUz
100
Jun 08 00:28:52 host.domain.tld krb5_child[2270818]: Unknown code UUz
100
Jun 08 00:28:45 host.domain.tld krb5_child[2270782]: Unknown code UUz
100
Jun 08 00:15:15 host.domain.tld sssd_be[2249888]: GSSAPI client step 2
Jun 08 00:15:15 host.domain.tld sssd_be[2249888]: GSSAPI client step 1
Jun 08 00:15:15 host.domain.tld systemd[1]: Started sssd.service -
System Security Services Daemon.
No amount of reboots or sssd restarts fixed the problem, so I
downgraded all of the sssd related packages. After that was done, I was
able to login again.
Do I have a misconfiguration or is it a bug?
--
Ranbir
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
1:52 p.m.
On Wed, 2022-06-08 at 09:57 +0200, Sumit Bose via FreeIPA-users wrote:
I'm sorry, it looks like the default for the new
'pac_check' option
is
too strict. Please try to set
pac_check = check_upn, check_upn_dns_info_ex
in the [pac] section of sssd.conf and then try to update again.
I added the workaround, upgraded the sssd packages again, restarted
sssd, locked my screen and successfully logged in. Looks like the
workaround is working.
Here's what got dumped into krb5_child.log:
(2022-06-08 14:29:22): [krb5_child[65262]] [get_and_save_tgt] (0x0020): [RID#426] 1971:
[-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x0400): [RID#426] krb5_child
started.
* (2022-06-08 14:29:22): [krb5_child[65262]] [unpack_buffer] (0x1000): [RID#426] total
buffer size: [167]
* (2022-06-08 14:29:22): [krb5_child[65262]] [unpack_buffer] (0x0100): [RID#426] cmd
[241 (auth)] uid [0123456789] gid [0123456789] validate [true] enterprise principal
[false] offline [false] UPN [ranbir(a)DOMAIN.TLD]
* (2022-06-08 14:29:22): [krb5_child[65262]] [unpack_buffer] (0x0100): [RID#426]
ccname: [KEYRING:persistent:0123456789] old_ccname: [KEYRING:persistent:0123456789]
keytab: [/etc/krb5.keytab]
* (2022-06-08 14:29:22): [krb5_child[65262]] [switch_creds] (0x0200): [RID#426] Switch
user to [0123456789][0123456789].
* (2022-06-08 14:29:22): [krb5_child[65262]] [switch_creds] (0x0200): [RID#426] Switch
user to [0][0].
* (2022-06-08 14:29:22): [krb5_child[65262]] [k5c_check_old_ccache] (0x4000):
[RID#426] Ccache_file is [KEYRING:persistent:0123456789] and is active and TGT is
valid.
* (2022-06-08 14:29:22): [krb5_child[65262]] [k5c_setup_fast] (0x0100): [RID#426] Fast
principal is set to [host/domain.tld(a)DOMAIN.TLD]
* (2022-06-08 14:29:22): [krb5_child[65262]] [find_principal_in_keytab] (0x4000):
[RID#426] Trying to find principal host/domain.tld(a)DOMAIN.TLD in keytab.
* (2022-06-08 14:29:22): [krb5_child[65262]] [match_principal] (0x1000): [RID#426]
Principal matched to the sample (host/domain.tld(a)DOMAIN.TLD).
* (2022-06-08 14:29:22): [krb5_child[65262]] [check_fast_ccache] (0x0200): [RID#426]
FAST TGT is still valid.
* (2022-06-08 14:29:22): [krb5_child[65262]] [become_user] (0x0200): [RID#426] Trying
to become user [0123456789][0123456789].
* (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x2000): [RID#426] Running as
[0123456789][0123456789].
* (2022-06-08 14:29:22): [krb5_child[65262]] [set_lifetime_options] (0x0100):
[RID#426] No specific renewable lifetime requested.
* (2022-06-08 14:29:22): [krb5_child[65262]] [set_lifetime_options] (0x0100):
[RID#426] No specific lifetime requested.
* (2022-06-08 14:29:22): [krb5_child[65262]] [set_canonicalize_option] (0x0100):
[RID#426] Canonicalization is set to [true]
* (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x0400): [RID#426] Will perform
auth
* (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x0400): [RID#426] Will perform
online auth
* (2022-06-08 14:29:22): [krb5_child[65262]] [tgt_req_child] (0x1000): [RID#426]
Attempting to get a TGT
* (2022-06-08 14:29:22): [krb5_child[65262]] [get_and_save_tgt] (0x0400): [RID#426]
Attempting kinit for realm [DOMAIN.TLD]
* (2022-06-08 14:29:22): [krb5_child[65262]] [sss_krb5_responder] (0x4000): [RID#426]
Got question [password].
* (2022-06-08 14:29:22): [krb5_child[65262]] [get_and_save_tgt] (0x0020): [RID#426]
1971: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 14:29:22): [krb5_child[65262]] [map_krb5_error] (0x0020): [RID#426] 2100:
[-1765328360][Preauthentication failed]
(2022-06-08 14:46:42): [krb5_child[70022]] [sss_extract_pac] (0x0040): [RID#8] No PAC
authdata available.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x0400): [RID#8] krb5_child
started.
* (2022-06-08 14:46:42): [krb5_child[70022]] [unpack_buffer] (0x1000): [RID#8] total
buffer size: [167]
* (2022-06-08 14:46:42): [krb5_child[70022]] [unpack_buffer] (0x0100): [RID#8] cmd
[241 (auth)] uid [0123456789] gid [0123456789] validate [true] enterprise principal
[false] offline [false] UPN [ranbir(a)DOMAIN.TLD]
* (2022-06-08 14:46:42): [krb5_child[70022]] [unpack_buffer] (0x0100): [RID#8] ccname:
[KEYRING:persistent:0123456789] old_ccname: [KEYRING:persistent:0123456789] keytab:
[/etc/krb5.keytab]
* (2022-06-08 14:46:42): [krb5_child[70022]] [switch_creds] (0x0200): [RID#8] Switch
user to [0123456789][0123456789].
* (2022-06-08 14:46:42): [krb5_child[70022]] [switch_creds] (0x0200): [RID#8] Switch
user to [0][0].
* (2022-06-08 14:46:42): [krb5_child[70022]] [k5c_check_old_ccache] (0x4000): [RID#8]
Ccache_file is [KEYRING:persistent:0123456789] and is active and TGT is valid.
* (2022-06-08 14:46:42): [krb5_child[70022]] [k5c_setup_fast] (0x0100): [RID#8] Fast
principal is set to [host/domain.tld(a)DOMAIN.TLD]
* (2022-06-08 14:46:42): [krb5_child[70022]] [find_principal_in_keytab] (0x4000):
[RID#8] Trying to find principal host/domain.tld(a)DOMAIN.TLD in keytab.
* (2022-06-08 14:46:42): [krb5_child[70022]] [match_principal] (0x1000): [RID#8]
Principal matched to the sample (host/domain.tld(a)DOMAIN.TLD).
* (2022-06-08 14:46:42): [krb5_child[70022]] [check_fast_ccache] (0x0200): [RID#8]
FAST TGT is still valid.
* (2022-06-08 14:46:42): [krb5_child[70022]] [become_user] (0x0200): [RID#8] Trying to
become user [0123456789][0123456789].
* (2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x2000): [RID#8] Running as
[0123456789][0123456789].
* (2022-06-08 14:46:42): [krb5_child[70022]] [set_lifetime_options] (0x0100): [RID#8]
No specific renewable lifetime requested.
* (2022-06-08 14:46:42): [krb5_child[70022]] [set_lifetime_options] (0x0100): [RID#8]
No specific lifetime requested.
* (2022-06-08 14:46:42): [krb5_child[70022]] [set_canonicalize_option] (0x0100):
[RID#8] Canonicalization is set to [true]
* (2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x0400): [RID#8] Will perform
auth
* (2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x0400): [RID#8] Will perform
online auth
* (2022-06-08 14:46:42): [krb5_child[70022]] [tgt_req_child] (0x1000): [RID#8]
Attempting to get a TGT
* (2022-06-08 14:46:42): [krb5_child[70022]] [get_and_save_tgt] (0x0400): [RID#8]
Attempting kinit for realm [DOMAIN.TLD]
* (2022-06-08 14:46:42): [krb5_child[70022]] [sss_krb5_responder] (0x4000): [RID#8]
Got question [password].
* (2022-06-08 14:46:42): [krb5_child[70022]] [sss_krb5_expire_callback_func] (0x2000):
[RID#8] exp_time: [6983771]
* (2022-06-08 14:46:42): [krb5_child[70022]] [validate_tgt] (0x2000): [RID#8] Found
keytab entry with the realm of the credential.
* (2022-06-08 14:46:42): [krb5_child[70022]] [validate_tgt] (0x0400): [RID#8] TGT
verified using key for [host/domain.tld(a)DOMAIN.TLD].
* (2022-06-08 14:46:42): [krb5_child[70022]] [sss_extract_pac] (0x0040): [RID#8] No
PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 14:46:42): [krb5_child[70022]] [validate_tgt] (0x0040): [RID#8]
sss_extract_and_send_pac failed, group membership for user with principal
[ranbir(a)DOMAIN.TLD] might not be correct.
--
Ranbir
547
days inactive
553
days old
freeipa-users@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
Pavel Březina -
Ranbir -
Sumit Bose