https://bugzilla.redhat.com/show_bug.cgi?id=1849109
Bug ID: 1849109
Summary: 'System error' on login with domain account after system update (online login only)
Product: Fedora
Version: 32
Hardware: x86_64
OS: Linux
Status: NEW
Component: sssd
Severity: high
Assignee: sssd-maintainers@lists.fedoraproject.org
Reporter: vargax@gmail.com
QA Contact: extras-qa@fedoraproject.org
CC: abokovoy@redhat.com, atikhono@redhat.com, jhrozek@redhat.com, lslebodn@redhat.com, mzidek@redhat.com, pbrezina@redhat.com, rharwood@redhat.com, sbose@redhat.com, ssorce@redhat.com
Target Milestone: ---
Group: private
Classification: Fedora
Created attachment 1698118
  --> https://bugzilla.redhat.com/attachment.cgi?id=1698118&action=edit
update logs and journalctl output
Description of problem: Online login with a domain account is broken after a full update on a Fedora 32 system joined to an Active Directory domain using realm. Offline login (using cached credentials) works. kinit also works.
Version-Release number of selected component (if applicable):
How reproducible: Always
Steps to Reproduce:
1. Install Fedora 32
2. Join system to AD domain using realm
3. Login with a domain account > Login works
4. Full update the system
5. Try to login with a domain account > Login Fails > System Error
6. Disconnect network
7. Try to login with domain account > Login works
Actual results: Online login with domain account fails
Expected results: Online login with domain account should work
Additional info: Full update log and journalctl logs attached.
Steps run on a vanilla Fedora 32 Workstation VM:
[ws@localhost-live ~]$ sudo su
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for ws:
[root@localhost-live ws]# cd
[root@localhost-live ~]# hostnamectl set-hostname --static test-f32-wrks
[root@localhost-live ~]# realm join -v --user=cvargasc ad.activarsas.co
 * Resolving: _ldap._tcp.ad.activarsas.co
 * Performing LDAP DSE lookup on: 10.11.11.98
 * Successfully discovered: ad.activarsas.co
Password for cvargasc:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain ad.activarsas.co --domain-realm AD.ACTIVARSAS.CO --domain-controller 10.11.11.98 --login-type user --login-user cvargasc --stdin-password
 * Using domain name: ad.activarsas.co
 * Calculated computer account name from fqdn: TEST-F32-WRKS
 * Using domain realm: ad.activarsas.co
 * Sending NetLogon ping to domain controller: 10.11.11.98
 * Received NetLogon info from: scandelaria.ad.activarsas.co
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-MkTsc9/krb5.d/adcli-krb5-conf-IqiLw8
 * Authenticated as user: cvargasc@AD.ACTIVARSAS.CO
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: AD
 * Looked up domain SID: S-1-5-21-490755958-958459292-2945111038
 * Using fully qualified name: test-f32-wrks
 * Using domain name: ad.activarsas.co
 * Using computer account name: TEST-F32-WRKS
 * Using domain realm: ad.activarsas.co
 * Calculated computer account name from fqdn: TEST-F32-WRKS
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for TEST-F32-WRKS$ at: CN=TEST-F32-WRKS,CN=Computers,DC=ad,DC=activarsas,DC=co
 * Sending NetLogon ping to domain controller: 10.11.11.98
 * Received NetLogon info from: scandelaria.ad.activarsas.co
 * Set computer password
 * Retrieved kvno '3' for computer account in directory: CN=TEST-F32-WRKS,CN=Computers,DC=ad,DC=activarsas,DC=co
 * Checking host/TEST-F32-WRKS
 * Added host/TEST-F32-WRKS
 * Checking RestrictedKrbHost/TEST-F32-WRKS
 * Added RestrictedKrbHost/TEST-F32-WRKS
 * Discovered which keytab salt to use
 * Added the entries to the keytab: TEST-F32-WRKS$@AD.ACTIVARSAS.CO: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/TEST-F32-WRKS@AD.ACTIVARSAS.CO: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/TEST-F32-WRKS@AD.ACTIVARSAS.CO: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Backup stored at /var/lib/authselect/backups/2020-06-19-15-17-49.nmhfmX
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module is present and oddjobd service is enabled and active
  - systemctl enable --now oddjobd.service
Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
 * Successfully enrolled machine in realm
[root@localhost-live ~]# sed -i 's&%u@%d&%u&g' /etc/sssd/sssd.conf
[root@localhost-live ~]# sed -i 's&use_fully_qualified_names = True&use_fully_qualified_names = False&g' /etc/sssd/sssd.conf
[root@localhost-live ~]# cat >> /etc/sssd/sssd.conf <<EOF
auto_private_groups = true
EOF
[root@localhost-live ~]# systemctl restart sssd.service
[root@localhost-live ~]# echo "%domain\ admins ALL=(ALL) ALL" > /etc/sudoers.d/domain-admins
[root@localhost-live ~]# exit
exit
[ws@localhost-live ~]$ su cvargasc
Password:
[cvargasc@test-f32-wrks ws]$ cd
[cvargasc@test-f32-wrks ~]$ sudo dnf update
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for cvargasc:
(...full update log attached...)
Complete!
[cvargasc@test-f32-wrks ~]$ exit
exit
[ws@localhost-live ~]$ su cvargasc
Password:
su: System error
[ws@localhost-live ~]$ nmcli connection down Wired\ connection\ 1
Connection 'Wired connection 1' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[ws@localhost-live ~]$ su cvargasc
Password:
[cvargasc@test-f32-wrks ws]$ exit
[ws@localhost-live ~]$ nmcli connection up Wired\ connection\ 1
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
[ws@localhost-live ~]$ su lpguerreroj
Password:
su: System error
[ws@localhost-live ~]$ nmcli connection down Wired\ connection\ 1
Connection 'Wired connection 1' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[ws@localhost-live ~]$ su lpguerreroj
Password:
[lpguerreroj@test-f32-wrks ws]$