https://bugzilla.redhat.com/show_bug.cgi?id=2094948
Bug ID: 2094948
Summary: Unable to log in to accounts from CentOS 7 FreeIPA Server
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Assignee: sssd-maintainers@lists.fedoraproject.org
Reporter: mheon@redhat.com
QA Contact: extras-qa@fedoraproject.org
CC: abokovoy@redhat.com, atikhono@redhat.com, jhrozek@redhat.com, lslebodn@redhat.com, luk.claes@gmail.com, mzidek@redhat.com, pbrezina@redhat.com, sbose@redhat.com, ssorce@redhat.com, sssd-maintainers@lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
I have a CentOS 7 FreeIPA server (ipa-server-4.6.8-5.el7.centos.10.x86_64, other RPM versions available on request), with several systems joined to the domain (F35, F36, and CentOS 7). I recently performed a dnf upgrade on one of the F36 systems, which pulled in sssd 2.7.1 (was previously on 2.7.0). After the upgrade, I became unable to log into any IPA account. Relevant error messages below:
Jun 08 11:34:27 Bellerophon.int.lldp.net krb5_child[14823]: Unknown code UUz 100
Jun 08 11:34:27 Bellerophon.int.lldp.net gdm-password][14818]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=mheon
Jun 08 11:34:27 Bellerophon.int.lldp.net gdm-password][14818]: pam_sss(gdm-password:auth): received for user mheon: 4 (System error)
Jun 08 11:34:27 Bellerophon.int.lldp.net gdm-password][14818]: gkr-pam: unlocked login keyring
All other systems on the domain remained able to log in. No error messages are visible in the IPA server's journal. Downgrading to sssd-2.7.0-1.fc36.x86_64 resolves the issue and restores the ability to log in. I do not have another IPA server to test with at the moment, but I did confirm that unenrolling and reenrolling the host in question (in hopes of replacing any faulty configuration files written) did not resolve the problem.
Notably, this occurs only for login attempts via password (from TTY or graphical session). Logging in using SSH with key authentication works. Once logged in via SSH, I am able to communicate with at least the IPA server's Kerberos server (e.g. `kinit mheon` works).
Version-Release number of selected component (if applicable):
sssd-2.7.1-1.fc36.x86_64
How reproducible: 100%
Steps to Reproduce:
1. Upgrade to sssd 2.7.1
2. Log out
3. Log into an IPA-managed account
Actual results:
Login fails
Expected results:
Login succeeds
Additional info:
I don't know if this is sssd itself or a subpackage (sssd-ipa seems likely?) - apologies if this should have been filed elsewhere.