https://bugzilla.redhat.com/show_bug.cgi?id=2095356
Bug ID: 2095356
Summary: Password auth against FreeIPA server no longer works after update to Fedora 36
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Severity: high
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: boroske(a)ida.ing.tu-bs.de
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
jhrozek(a)redhat.com, lslebodn(a)redhat.com,
luk.claes(a)gmail.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Created attachment 1888388 --> https://bugzilla.redhat.com/attachment.cgi?id=1888388&action=edit
krb5_child.log of attempt to login using password auth

I recently upgraded a Fedora 35 system to Fedora 36.
After the upgrade, using any type of password auth against the FreeIPA server
no longer works (ssh, su, sudo), only local user logins or ssh public key
login.

The problem seems to have to do with the new sssd package.
I can see an error message in dmesg:
[ 743.242553] sssd_be[848]: segfault at 18 ip 00007f9bd8b5559c sp 00007ffd21604bc0 error 4 in libc.so.6[7f9bd8aeb000+173000]

I also enabled debug logging in sssd.conf and got error messages in
/var/log/sssd/krb5_child.log
excerpt (see attachment for full log of login attempt):
[...]
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0400): [RID#18] TGT
verified using key for [host/zeus.net.ida(a)NET.IDA].
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_child_krb5_trace_cb] (0x4000):
[RID#18] [1808] 1654779082.856019: Retrieving thomasb(a)NET.IDA ->
host/zeus.net.ida(a)NET.IDA from MEMORY:rd_req2 with result: 0/Success
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_extract_pac] (0x0040): [RID#18]
No PAC authdata available.
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0020): [RID#18] PAC
check failed for principal [thomasb(a)NET.IDA].
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_child_krb5_trace_cb] (0x4000):
[RID#18] [1808] 1654779082.856020: Destroying ccache MEMORY:rd_req2
(2022-06-09 14:51:22): [krb5_child[1808]] [get_and_save_tgt] (0x0020): [RID#18]
2045: [1432158308][Unknown code UUz 100]
(2022-06-09 14:51:22): [krb5_child[1808]] [map_krb5_error] (0x0020): [RID#18]
[1432158308][PAC check failed].
(2022-06-09 14:51:22): [krb5_child[1808]] [k5c_send_data] (0x0200): [RID#18]
Received error code 1432158308
(2022-06-09 14:51:22): [krb5_child[1808]] [pack_response_packet] (0x2000):
[RID#18] response packet size: [20]
(2022-06-09 14:51:22): [krb5_child[1808]] [k5c_send_data] (0x4000): [RID#18]
Response sent.
(2022-06-09 14:51:22): [krb5_child[1808]] [main] (0x0400): [RID#18] krb5_child
completed successfully

I had to roll back the system to before the update for now but am willing to
attempt again if additional data is needed.
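
Added example, not part of the original report and not SSSD code: a small Python triage helper for the krb5_child.log format quoted above. It rejoins hard-wrapped records and groups failure-level messages by request ID; the function names and the failure threshold (debug levels 0x0040 and below) are choices made for this example.

```python
import re

# SSSD debug line: (timestamp): [proc[pid]] [function] (0xLEVEL): [RID#n] message
RECORD = re.compile(
    r"\((?P<ts>[^)]+)\): \[(?P<proc>\w+)\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\(0x(?P<level>[0-9a-f]{4})\): (?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)"
)
NEW_RECORD = re.compile(r"\(\d{4}-\d{2}-\d{2} ")
FAILURE_MAX = 0x0040  # 0x0010/0x0020/0x0040: fatal/critical/serious failures

# Four records from the excerpt above, kept hard-wrapped as mail delivers them.
SAMPLE = """\
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0400): [RID#18] TGT
verified using key for [host/zeus.net.ida(a)NET.IDA].
(2022-06-09 14:51:22): [krb5_child[1808]] [sss_extract_pac] (0x0040): [RID#18]
No PAC authdata available.
(2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0020): [RID#18] PAC
check failed for principal [thomasb(a)NET.IDA].
(2022-06-09 14:51:22): [krb5_child[1808]] [map_krb5_error] (0x0020): [RID#18]
[1432158308][PAC check failed].
"""

def parse_records(text):
    """Rejoin hard-wrapped lines, then split each record into its fields."""
    joined = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "[...]":
            continue
        if NEW_RECORD.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line  # continuation of a wrapped record
    return [m.groupdict() for m in map(RECORD.fullmatch, joined) if m]

def triage(text):
    """Per request ID: was the TGT verified, and which failures were logged."""
    out = {}
    for rec in parse_records(text):
        entry = out.setdefault(rec["rid"], {"tgt_verified": False, "failures": []})
        if rec["func"] == "validate_tgt" and rec["msg"].startswith("TGT verified"):
            entry["tgt_verified"] = True
        if int(rec["level"], 16) <= FAILURE_MAX:
            entry["failures"].append((rec["func"], rec["msg"]))
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, request 18 shows a verified TGT followed by three failure-level messages, which separates a PAC validation failure from a wrong password or unreachable KDC.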