# SSSD 2.7.1
The SSSD team is proud to announce the release of version 2.7.0 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/2.7.1
See the full release notes at: https://sssd.io/release-notes/sssd-2.7.1.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
* https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
* https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* SSSD can now handle multi-valued RDNs if a unique name must be determined with the help of the RDN.
### Important fixes
* A regression in `pam_sss_gss` module causing a failure if `KRB5CCNAME` environment variable was not set was fixed.
### Packaging changes
* `sssd-ipa` doesn't require `sssd-idp` anymore
### Configuration changes
* New option `implicit_pac_responder` to control if the PAC responder is started for the IPA and AD providers, default is `true`.
* New option `krb5_check_pac` to control the PAC validation behavior.
* multiple `crl_file` arguments can be used in the `certificate_verification` option.
On Thu, 2022-06-02 at 13:33 +0200, Pavel Březina via FreeIPA-users wrote:
# SSSD 2.7.1
### Configuration changes
- New option `implicit_pac_responder` to control if the PAC responder is started for the IPA and AD providers, default is `true`.
- New option `krb5_check_pac` to control the PAC validation behavior.
- multiple `crl_file` arguments can be used in the `certificate_verification` option.
I updated my Fedora 36 desktop a few minutes ago, which installed the new sssd and related packages. I rebooted since a new kernel was also installed. When I tried to log in to GNOME, I got an error.
I used a local account to get in and to check my freeipa user account. The pwd worked fine on my other machines and on the web UI. I poked around some more and found this in krb5_child.log:
```
(2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt] (0x0020): [RID#196] PAC check failed for principal [ranbir@DOMAIN.TLD].
(2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt] (0x0020): [RID#196] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt] (0x0020): [RID#196] PAC check failed for principal [ranbir@DOMAIN.TLD].
* (2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt] (0x0020): [RID#196] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE *********************************
```
There's more before that.
I also saw this in sssd's journal (it's in reverse):
```
Jun 08 00:29:21 host.domain.tld krb5_child[2270952]: Preauthentication failed
Jun 08 00:29:21 host.domain.tld krb5_child[2270952]: Preauthentication failed
Jun 08 00:29:07 host.domain.tld krb5_child[2270889]: Preauthentication failed
Jun 08 00:29:07 host.domain.tld krb5_child[2270889]: Preauthentication failed
Jun 08 00:29:01 host.domain.tld krb5_child[2270848]: Unknown code UUz 100
Jun 08 00:28:52 host.domain.tld krb5_child[2270818]: Unknown code UUz 100
Jun 08 00:28:45 host.domain.tld krb5_child[2270782]: Unknown code UUz 100
Jun 08 00:15:15 host.domain.tld sssd_be[2249888]: GSSAPI client step 2
Jun 08 00:15:15 host.domain.tld sssd_be[2249888]: GSSAPI client step 1
Jun 08 00:15:15 host.domain.tld systemd[1]: Started sssd.service - System Security Services Daemon.
```
No amount of reboots or sssd restarts fixed the problem, so I downgraded all of the sssd related packages. After that was done, I was able to log in again.
Do I have a misconfiguration or is it a bug?
On Wed, Jun 08, 2022 at 01:40:22AM -0400, Ranbir via FreeIPA-users wrote:
Hi,
I'm sorry, it looks like the default for the new 'pac_check' option is too strict. Please try to set
```
pac_check = check_upn, check_upn_dns_info_ex
```
in the [pac] section of sssd.conf and then try to update again. I have opened https://bugzilla.redhat.com/show_bug.cgi?id=2094685 to fix this.
bye, Sumit
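Applying the [pac] workaround from this reply to an sssd.conf programmatically, as an added example that is not part of this thread or of SSSD's own tooling. It assumes a plain INI-style sssd.conf; the sample configuration and the example.test host names are constructed, and the pac_check value is the one given in the reply.

```python
"""Set the [pac] workaround from this thread in an sssd.conf text while leaving
every other section, key and comment untouched.  SAMPLE_CONF is constructed for
this example; the option value is the one given in the reply above."""
import re

PAC_CHECK_WORKAROUND = "check_upn, check_upn_dns_info_ex"
SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*?)\s*$")

def get_option(conf: str, section: str, key: str):
    """Return the value of key in [section], or None when it is not set."""
    current = None
    for line in conf.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        k = KEY_RE.match(line)
        if current == section and k and k.group("key") == key:
            return k.group("value")
    return None

def set_option(conf: str, section: str, key: str, value: str) -> str:
    """Return conf with `key = value` in [section]: an existing key is replaced
    in place, a missing key is appended to its section, and a missing section
    is created at the end.  Comment lines ("#", ";") never match KEY_RE."""
    out, current, done = [], None, False
    new_line = f"{key} = {value}"
    for line in conf.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if current == section and not done:
                # leaving the target section: insert before its trailing blank lines
                trailing = []
                while out and not out[-1].strip():
                    trailing.append(out.pop())
                out.append(new_line)
                out.extend(trailing)
                done = True
            current = m.group("name")
            out.append(line)
            continue
        k = KEY_RE.match(line)
        if current == section and not done and k and k.group("key") == key:
            out.append(new_line)
            done = True
            continue
        out.append(line)
    if not done:
        if current != section:
            if out and out[-1].strip():
                out.append("")
            out.append(f"[{section}]")
        out.append(new_line)
    return "\n".join(out) + "\n"

def apply_pac_workaround(conf: str) -> str:
    """Apply the reply's workaround: pac_check in the [pac] responder section."""
    return set_option(conf, "pac", "pac_check", PAC_CHECK_WORKAROUND)

# Constructed sssd.conf with no [pac] section; example.test names are placeholders.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, pac
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
"""

if __name__ == "__main__":
    print(apply_pac_workaround(SAMPLE_CONF))
```

Write the result back with root ownership and mode 0600 (for instance via `install -m 0600 -o root -g root`), since SSSD refuses to start when sssd.conf is readable by other users, and then restart sssd as the thread does. The function is idempotent, so it is safe to run from configuration management on every apply.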
On Wed, 2022-06-08 at 09:57 +0200, Sumit Bose via FreeIPA-users wrote:
I'm sorry, it looks like the default for the new 'pac_check' option is too strict. Please try to set
```
pac_check = check_upn, check_upn_dns_info_ex
```
in the [pac] section of sssd.conf and then try to update again.
I added the workaround, upgraded the sssd packages again, restarted sssd, locked my screen and successfully logged in. Looks like the workaround is working.
Here's what got dumped into krb5_child.log:
```
(2022-06-08 14:29:22): [krb5_child[65262]] [get_and_save_tgt] (0x0020): [RID#426] 1971: [-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x0400): [RID#426] krb5_child started.
* (2022-06-08 14:29:22): [krb5_child[65262]] [unpack_buffer] (0x1000): [RID#426] total buffer size: [167]
* (2022-06-08 14:29:22): [krb5_child[65262]] [unpack_buffer] (0x0100): [RID#426] cmd [241 (auth)] uid [0123456789] gid [0123456789] validate [true] enterprise principal [false] offline [false] UPN [ranbir@DOMAIN.TLD]
* (2022-06-08 14:29:22): [krb5_child[65262]] [unpack_buffer] (0x0100): [RID#426] ccname: [KEYRING:persistent:0123456789] old_ccname: [KEYRING:persistent:0123456789] keytab: [/etc/krb5.keytab]
* (2022-06-08 14:29:22): [krb5_child[65262]] [switch_creds] (0x0200): [RID#426] Switch user to [0123456789][0123456789].
* (2022-06-08 14:29:22): [krb5_child[65262]] [switch_creds] (0x0200): [RID#426] Switch user to [0][0].
* (2022-06-08 14:29:22): [krb5_child[65262]] [k5c_check_old_ccache] (0x4000): [RID#426] Ccache_file is [KEYRING:persistent:0123456789] and is active and TGT is valid.
* (2022-06-08 14:29:22): [krb5_child[65262]] [k5c_setup_fast] (0x0100): [RID#426] Fast principal is set to [host/domain.tld@DOMAIN.TLD]
* (2022-06-08 14:29:22): [krb5_child[65262]] [find_principal_in_keytab] (0x4000): [RID#426] Trying to find principal host/domain.tld@DOMAIN.TLD in keytab.
* (2022-06-08 14:29:22): [krb5_child[65262]] [match_principal] (0x1000): [RID#426] Principal matched to the sample (host/domain.tld@DOMAIN.TLD).
* (2022-06-08 14:29:22): [krb5_child[65262]] [check_fast_ccache] (0x0200): [RID#426] FAST TGT is still valid.
* (2022-06-08 14:29:22): [krb5_child[65262]] [become_user] (0x0200): [RID#426] Trying to become user [0123456789][0123456789].
* (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x2000): [RID#426] Running as [0123456789][0123456789].
* (2022-06-08 14:29:22): [krb5_child[65262]] [set_lifetime_options] (0x0100): [RID#426] No specific renewable lifetime requested.
* (2022-06-08 14:29:22): [krb5_child[65262]] [set_lifetime_options] (0x0100): [RID#426] No specific lifetime requested.
* (2022-06-08 14:29:22): [krb5_child[65262]] [set_canonicalize_option] (0x0100): [RID#426] Canonicalization is set to [true]
* (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x0400): [RID#426] Will perform auth
* (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x0400): [RID#426] Will perform online auth
* (2022-06-08 14:29:22): [krb5_child[65262]] [tgt_req_child] (0x1000): [RID#426] Attempting to get a TGT
* (2022-06-08 14:29:22): [krb5_child[65262]] [get_and_save_tgt] (0x0400): [RID#426] Attempting kinit for realm [DOMAIN.TLD]
* (2022-06-08 14:29:22): [krb5_child[65262]] [sss_krb5_responder] (0x4000): [RID#426] Got question [password].
* (2022-06-08 14:29:22): [krb5_child[65262]] [get_and_save_tgt] (0x0020): [RID#426] 1971: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 14:29:22): [krb5_child[65262]] [map_krb5_error] (0x0020): [RID#426] 2100: [-1765328360][Preauthentication failed]
(2022-06-08 14:46:42): [krb5_child[70022]] [sss_extract_pac] (0x0040): [RID#8] No PAC authdata available.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x0400): [RID#8] krb5_child started.
* (2022-06-08 14:46:42): [krb5_child[70022]] [unpack_buffer] (0x1000): [RID#8] total buffer size: [167]
* (2022-06-08 14:46:42): [krb5_child[70022]] [unpack_buffer] (0x0100): [RID#8] cmd [241 (auth)] uid [0123456789] gid [0123456789] validate [true] enterprise principal [false] offline [false] UPN [ranbir@DOMAIN.TLD]
* (2022-06-08 14:46:42): [krb5_child[70022]] [unpack_buffer] (0x0100): [RID#8] ccname: [KEYRING:persistent:0123456789] old_ccname: [KEYRING:persistent:0123456789] keytab: [/etc/krb5.keytab]
* (2022-06-08 14:46:42): [krb5_child[70022]] [switch_creds] (0x0200): [RID#8] Switch user to [0123456789][0123456789].
* (2022-06-08 14:46:42): [krb5_child[70022]] [switch_creds] (0x0200): [RID#8] Switch user to [0][0].
* (2022-06-08 14:46:42): [krb5_child[70022]] [k5c_check_old_ccache] (0x4000): [RID#8] Ccache_file is [KEYRING:persistent:0123456789] and is active and TGT is valid.
* (2022-06-08 14:46:42): [krb5_child[70022]] [k5c_setup_fast] (0x0100): [RID#8] Fast principal is set to [host/domain.tld@DOMAIN.TLD]
* (2022-06-08 14:46:42): [krb5_child[70022]] [find_principal_in_keytab] (0x4000): [RID#8] Trying to find principal host/domain.tld@DOMAIN.TLD in keytab.
* (2022-06-08 14:46:42): [krb5_child[70022]] [match_principal] (0x1000): [RID#8] Principal matched to the sample (host/domain.tld@DOMAIN.TLD).
* (2022-06-08 14:46:42): [krb5_child[70022]] [check_fast_ccache] (0x0200): [RID#8] FAST TGT is still valid.
* (2022-06-08 14:46:42): [krb5_child[70022]] [become_user] (0x0200): [RID#8] Trying to become user [0123456789][0123456789].
* (2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x2000): [RID#8] Running as [0123456789][0123456789].
* (2022-06-08 14:46:42): [krb5_child[70022]] [set_lifetime_options] (0x0100): [RID#8] No specific renewable lifetime requested.
* (2022-06-08 14:46:42): [krb5_child[70022]] [set_lifetime_options] (0x0100): [RID#8] No specific lifetime requested.
* (2022-06-08 14:46:42): [krb5_child[70022]] [set_canonicalize_option] (0x0100): [RID#8] Canonicalization is set to [true]
* (2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x0400): [RID#8] Will perform auth
* (2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x0400): [RID#8] Will perform online auth
* (2022-06-08 14:46:42): [krb5_child[70022]] [tgt_req_child] (0x1000): [RID#8] Attempting to get a TGT
* (2022-06-08 14:46:42): [krb5_child[70022]] [get_and_save_tgt] (0x0400): [RID#8] Attempting kinit for realm [DOMAIN.TLD]
* (2022-06-08 14:46:42): [krb5_child[70022]] [sss_krb5_responder] (0x4000): [RID#8] Got question [password].
* (2022-06-08 14:46:42): [krb5_child[70022]] [sss_krb5_expire_callback_func] (0x2000): [RID#8] exp_time: [6983771]
* (2022-06-08 14:46:42): [krb5_child[70022]] [validate_tgt] (0x2000): [RID#8] Found keytab entry with the realm of the credential.
* (2022-06-08 14:46:42): [krb5_child[70022]] [validate_tgt] (0x0400): [RID#8] TGT verified using key for [host/domain.tld@DOMAIN.TLD].
* (2022-06-08 14:46:42): [krb5_child[70022]] [sss_extract_pac] (0x0040): [RID#8] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 14:46:42): [krb5_child[70022]] [validate_tgt] (0x0040): [RID#8] sss_extract_and_send_pac failed, group membership for user with principal [ranbir@DOMAIN.TLD] might not be correct.
```
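A parser for the krb5_child.log entries quoted in this thread, added here as an example and not SSSD's own code: it strips the backtrace-replay prefix, flags the PAC and pre-authentication failures seen above, counts each failure once even though SSSD echoes it again inside the backtrace dump, and decodes the numeric error codes. The sample log and the alice@EXAMPLE.TEST principal are constructed; the table-name decoding follows libcom_err's error_table_name(), and 0x555D0000 is SSSD's ERR_BASE.

```python
"""Parse SSSD krb5_child.log entries in the format quoted in this thread, flag
PAC-related failures and decode the numeric error codes.  SAMPLE_LOG below is
constructed for this example, not copied from a live host."""
import re
from collections import Counter

# Entry layout: "(timestamp): [krb5_child[pid]] [function] (level): [RID#n] message".
# Lines replayed inside a backtrace dump carry a leading "* " that is stripped first.
ENTRY_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)$"
)
PRINCIPAL_RE = re.compile(r"principal \[(?P<principal>[^\]]+)\]")
# "<srcline>: [<code>][<com_err text>]" is how krb5_child reports a failed libkrb5 call.
KRB5_ERR_RE = re.compile(r"^\d+: \[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")
# Message fragments worth alerting on; the first match wins.
SIGNATURES = (
    ("pac_check_failed", "PAC check failed"),
    ("pac_missing", "No PAC authdata available"),
    ("preauth_failed", "Preauthentication failed"),
    ("unknown_code", "Unknown code"),
)
# libcom_err packs an error table's name into the top 24 bits of every code.
COM_ERR_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
KNOWN_TABLE_BASES = {
    0x96C73A00: "libkrb5 protocol errors (KRB5KDC_ERR_*)",
    0x555D0000: "SSSD internal errors (ERR_BASE in util_errors.h)",
}

def com_err_table_name(code: int) -> str:
    """Reproduce libcom_err's error_table_name(): four 6-bit characters from
    (code >> 8), skipping zero sextets."""
    num = (code & 0xFFFFFFFF) >> 8
    chars = []
    for shift in (18, 12, 6, 0):
        sextet = (num >> shift) & 0o77
        if sextet:
            chars.append(COM_ERR_CHARSET[sextet - 1])
    return "".join(chars)

def explain_code(code: int) -> dict:
    """Split a krb5/SSSD error code into table name, offset and origin; with no
    message table registered, com_err prints it as "Unknown code <table> <offset>"."""
    unsigned = code & 0xFFFFFFFF
    return {
        "table": com_err_table_name(unsigned),
        "offset": unsigned & 0xFF,
        "origin": KNOWN_TABLE_BASES.get(unsigned & 0xFFFFFF00, "unregistered table"),
    }

def parse_entry(line: str):
    """Return a dict for one log line, or None for separators and backtrace markers."""
    line = line.strip()
    if line.startswith("* "):
        line = line[2:]
    m = ENTRY_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["level"] = int(entry["level"], 16)
    p = PRINCIPAL_RE.search(entry["msg"])
    entry["principal"] = p.group("principal") if p else None
    e = KRB5_ERR_RE.match(entry["msg"])
    entry["code"] = int(e.group("code")) if e else None
    entry["category"] = next((n for n, frag in SIGNATURES if frag in entry["msg"]), None)
    return entry

def summarize(log_text: str):
    """Count alert categories and affected principals.  A failing line is echoed
    again inside its backtrace dump, so each (RID, message) pair counts once."""
    counts, principals, seen = Counter(), set(), set()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if not entry or not entry["category"]:
            continue
        key = (entry["rid"], entry["msg"])
        if key in seen:
            continue
        seen.add(key)
        counts[entry["category"]] += 1
        if entry["principal"]:
            principals.add(entry["principal"])
    return counts, principals

# Constructed sample: a PAC failure with its backtrace replay, a pre-authentication
# failure, and a verified TGT without a PAC.  alice@EXAMPLE.TEST is a placeholder.
SAMPLE_LOG = """\
(2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt] (0x0020): [RID#196] PAC check failed for principal [alice@EXAMPLE.TEST].
(2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt] (0x0020): [RID#196] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt] (0x0020): [RID#196] PAC check failed for principal [alice@EXAMPLE.TEST].
* (2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt] (0x0020): [RID#196] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 14:29:22): [krb5_child[65262]] [get_and_save_tgt] (0x0020): [RID#426] 1971: [-1765328360][Preauthentication failed]
(2022-06-08 14:46:42): [krb5_child[70022]] [sss_extract_pac] (0x0040): [RID#8] No PAC authdata available.
"""

if __name__ == "__main__":
    found, who = summarize(SAMPLE_LOG)
    print(dict(found), sorted(who), explain_code(1432158308))
```

explain_code(1432158308) shows where the odd "Unknown code UUz 100" in the logs above comes from: the value is 0x555D0064, SSSD's internal ERR_BASE plus 100, and com_err has no message table registered for that base, so it prints the encoded table name "UUz" and the offset instead of a text. The other code, -1765328360, decodes to table "krb5", offset 24, which is KRB5KDC_ERR_PREAUTH_FAILED, the usual result of a wrong password. A "pac_check_failed" count after a 2.7.1 upgrade is the signature of the too-strict default that Sumit's reply works around; "pac_missing" after a verified TGT is the group-membership caveat in the last line of the log above.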